Configuring System Administrator Settings
This chapter describes how to configure features to assist you in system administration. It includes these sections:
Configuring alarm settings
Setting announcements
Configuring email settings
Configuring log settings
Configuring the date and time
Configuring monitored ports
Configuring SNMP settings
Enabling communication with host hypervisor
Configuring alarm settings
You can set alarms in the Administration > System Settings: Alarms page.
Enabling alarms is optional.
RiOS uses hierarchical alarms that group certain alarms into top-level categories, such as the SSL Settings alarm. When an alarm triggers, its parent expands to provide more information. As an example, the System Disk Full top-level parent alarm aggregates over multiple partitions. If a specific partition is full, the System Disk Full parent alarm triggers and the Alarm Status report displays more information regarding which partition caused the alarm to trigger.
Disabling a parent alarm disables its children. You can enable a parent alarm and disable any of its child alarms. You cannot enable a child alarm without first enabling its parent.
The child alarms of a disabled parent appear on the Alarm Status report with a suppressed status. Disabled child alarms of an enabled parent appear on the Alarm Status report with a disabled status.
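The parent and child rules above, modeled in Python as an added example (this is not Riverbed code). The class and function names, the "triggered" and "ok" status strings, and the /config and /boot partition names are assumptions made for illustration; "suppressed" and "disabled" are the statuses the Alarm Status report uses.

```python
class Alarm:
    """One node in the alarm hierarchy (hypothetical model, not RiOS code)."""

    def __init__(self, name, enabled=True):
        self.name = name
        self.enabled = enabled
        self.triggered = False      # only meaningful on leaf alarms
        self.parent = None
        self.children = []

    def add_child(self, name):
        child = Alarm(name)
        child.parent = self
        self.children.append(child)
        return child

    def enable(self):
        # A child cannot be enabled unless its parent is enabled first.
        if self.parent is not None and not self.parent.enabled:
            raise ValueError(f"enable parent {self.parent.name!r} first")
        self.enabled = True

    def disable(self):
        # Modeling choice: children keep their own flag; a disabled
        # parent makes them report as suppressed (see status()).
        self.enabled = False


def is_active(alarm):
    """A parent is active when any enabled child is active."""
    if not alarm.enabled:
        return False
    if alarm.children:
        return any(is_active(child) for child in alarm.children)
    return alarm.triggered


def status(alarm):
    """Status shown for one alarm on the report."""
    ancestor = alarm.parent
    while ancestor is not None:
        if not ancestor.enabled:
            return "suppressed"     # child of a disabled parent
        ancestor = ancestor.parent
    if not alarm.enabled:
        return "disabled"           # disabled alarm under an enabled parent
    return "triggered" if is_active(alarm) else "ok"


def report(root):
    """Map every alarm name in the tree to its reported status."""
    rows, stack = {}, [root]
    while stack:
        alarm = stack.pop()
        rows[alarm.name] = status(alarm)
        stack.extend(alarm.children)
    return rows


def build_disk_full():
    """System Disk Full parent with constructed sample partitions."""
    parent = Alarm("System Disk Full")
    for partition in ("/var", "/config", "/boot"):
        parent.add_child(partition)
    return parent


if __name__ == "__main__":
    root = build_disk_full()
    root.children[0].triggered = True   # /var fills up
    print(report(root))
    root.disable()                      # children now show as suppressed
    print(report(root))
```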
To set alarm parameters
1. Choose Administration > System Settings: Alarms to display the Alarms page.
Alarms page
2. Under Enable Alarms, complete the configuration as described in this table.
Control
Description
Admission Control
Enables an alarm and sends an email notification if the appliance enters admission control. When this occurs, the appliance optimizes traffic beyond its rated capability and is unable to handle the amount of traffic passing through the WAN link. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization.
Connection Limit - Indicates the system connection limit has been reached. Additional connections are passed through unoptimized. The alarm clears when the appliance moves out of this condition.
CPU - The appliance has entered admission control due to high CPU use. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. The alarm clears automatically when the CPU usage has decreased.
MAPI - The total number of MAPI optimized connections has exceeded the maximum admission control threshold. By default, the maximum admission control threshold is 85 percent of the total maximum optimized connection count for the client-side appliance. The appliance reserves the remaining 15 percent so that the MAPI admission control does not affect the other protocols. The 85 percent threshold is applied only to MAPI connections. RiOS is now passing through MAPI connections from new clients but continues to intercept and optimize MAPI connections from existing clients (including new MAPI connections from these clients). RiOS continues optimizing non-MAPI connections from all clients. The alarm clears automatically when the MAPI traffic has decreased; however, it can take one minute for the alarm to clear.
RiOS preemptively closes MAPI sessions to reduce the connection count in an attempt to bring the appliance out of admission control by bringing the connection count below the 85 percent threshold. RiOS closes the MAPI sessions in this order:
MAPI prepopulation connections
MAPI sessions with the largest number of connections
MAPI sessions with most idle connections
Most recently optimized MAPI sessions or oldest MAPI session
MAPI sessions exceeding the memory threshold
Memory - The appliance has entered admission control due to memory consumption. The appliance is optimizing traffic beyond its rated capability and is unable to handle the amount of traffic passing through the WAN link. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. No other action is necessary; the alarm clears automatically when the traffic has decreased.
TCP - The appliance has entered admission control due to high TCP memory use. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. The alarm clears automatically when the TCP memory pressure has decreased.
By default, this alarm is enabled.
Application Consistent Snapshot
Enables an alarm and sends an email notification when an application-consistent snapshot failed to be committed to the Core, or a snapshot failed to complete.
Application consistent snapshots are scheduled using the Core snapshot scheduler. A snapshot is application consistent if, in addition to being write-order consistent, it includes data from running applications that complete their operations and flush their buffers to disk.
This error triggers when there are problems interacting with servers (ESXi or Windows). The first interaction with servers is to prepare for a snapshot (where the server gets filesystems or a VM in a consistent state), and the second is to resume after the snapshot is taken (the server can clean up, stop logging changes, and so on).
Errors can also occur due to misconfigurations on either side, local issues on the servers (high load, timeouts, reboots), networking problems, and so on.
By default, this alarm is enabled.
Asymmetric Routing
Enables an alarm if asymmetric routing is detected on the network. Asymmetric routing is usually due to a failover event of an inner router or VPN.
By default, this alarm is enabled.
Blockstore
Enables an alarm and sends an email notification if the system encounters any of these issues with the Edge blockstore:
The blockstore is running out of space.
The blockstore is out of space.
The blockstore is running out of memory.
The blockstore could not read data that was already replicated to the Core.
The blockstore could not read data that is not yet replicated to the Core.
The blockstore fails to start due to disk errors or an incorrect configuration.
The Edge software version is incompatible with the blockstore version on disk.
The standby Edge software version in a high-availability appliance pair is incompatible with the active Edge software version.
On appliances with read cache solid state disks (SSDs), the read cache fails to start.
The blockstore could not save data to disk due to a media error.
By default, this alarm is enabled.
Connection Forwarding
Enables an alarm if the system detects a problem with a connection-forwarding neighbor. The connection-forwarding alarms are inclusive of all connection-forwarding neighbors. For example, if an appliance has three neighbors, the alarm triggers if any one of the neighbors is in error. In the same way, the alarm clears only when all three neighbors are no longer in error.
Cluster Neighbor Incompatible - Enables an alarm and sends an email notification if a connection-forwarding neighbor is running a RiOS version that is incompatible with IPv6, or if the IP address configuration between neighbors does not match. Neighbors must be running RiOS 8.5 or later.
Multiple Interface - Enables an alarm and sends an email notification if the connection to a SteelHead in a connection forwarding cluster is lost.
Single Interface - Enables an alarm and sends an email notification if the connection to a SteelHead connection-forwarding neighbor is lost.
By default, this alarm is enabled.
CPU Utilization
Enables an alarm and sends an email notification if the average and peak threshold for the CPU utilization is exceeded. When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold.
By default, this alarm is enabled.
Rising Threshold - Specify the rising threshold. When an alarm reaches the rising threshold, it is activated. The default value is 90 percent.
Reset Threshold - Specify the reset threshold. When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. The default value is 70 percent.
Data Store
Corruption - Enables an alarm and sends an email notification if the RiOS data store is corrupt or has become incompatible with the current configuration. To clear the RiOS data store of data, restart the optimization service and click Clear the Data Store.
If the alarm was caused by an unintended change to the configuration, the configuration can be changed to match the old data store settings again and then a service restart (without clearing) will clear the alarm. Typical configuration changes that require a restart clear are changes to the data store encryption (choose Optimization > Data Replication: Data Store) or enabling extended peer table (choose Optimization > Network Services: Peering Rules).
Data Store Clean Required - Enables an alarm and sends an email notification if you need to clear the RiOS data store.
Encryption Level Mismatch - Enables an alarm and sends an email notification if a data store error such as an encryption, header, or format error occurs.
Synchronization Error - Enables an alarm if RiOS data store synchronization has failed. The RiOS data store synchronization between two appliances has been disrupted and the RiOS data stores are no longer synchronized.
By default, this alarm is enabled.
Disk Full
Enables an alarm if the system partitions (not the RiOS data store) are full or almost full. For example, RiOS monitors the available space on /var, which is used to hold logs, statistics, system dumps, TCP dumps, and so on.
By default, this alarm is enabled.
Domain Authentication Alert
Enables an alarm when the system is unable to communicate with the domain controller, has detected an SMB signing error, or has detected that delegation has failed. CIFS-signed and Encrypted-MAPI traffic is passed through without optimization.
By default, this alarm is enabled.
Domain Join Error
Enables an alarm if an attempt to join a Windows domain has failed. The number one cause of failing to join a domain is a significant difference in the system time on the Windows domain controller and the appliance. A domain join can also fail when the DNS server returns an invalid IP address for the domain controller.
By default, this alarm is enabled.
Edge HA Service
Enables an alarm and sends an email notification if only one of the appliances in a high availability (HA) SteelFusion Edge pair is actively serving storage data (the active peer).
The two appliances maintain a heartbeat protocol between them, so that if the active peer goes down, the standby peer can take over servicing the LUNs. If the standby peer goes down, the active peer continues servicing the LUNs after raising this alarm and sending an email that the appliance is degraded. The email contains the IP address of the peer appliance.
When the appliance is degraded, after a failed peer resumes, it resynchronizes with the other peer in the HA pair to receive any data that was written since the time of the failure. After the peer receives all the written data, the HA resumes and any future writes are reflected to both peers.
By default, this alarm is enabled.
Hardware
These alarms report issues with the SteelFusion Edge RiOS node hardware.
Disk Error - Enables an alarm when one or more disks is offline. To see which disk is offline, enter the show raid diagram command from the system prompt.
By default, this alarm is enabled.
This alarm applies only to the SteelHead RAID Series 3000, 5000, and 6000.
Fan Error - Enables an alarm and sends an email notification if a fan is failing or has failed and needs to be replaced. By default, this alarm is enabled.
Flash Error - Enables an alarm when the system detects an error with the flash drive hardware. By default, this alarm is enabled.
IPMI - Indicates an Intelligent Platform Management Interface (IPMI) event.
This alarm triggers when there has been a physical security intrusion. These events trigger this alarm:
Chassis intrusion (physical opening and closing of the appliance case)
Memory errors (correctable or uncorrectable ECC memory errors)
Hard drive faults or predictive failures
Power supply status or predictive failure
By default, this alarm is enabled.
Management Disk Size Error - Enables an alarm if the size of the management disk is too small to support the virtual appliance model.
Memory Error - Enables an alarm and sends an email notification if a memory error is detected: for example, when a system memory stick fails.
Other Hardware Error - Enables an alarm if a hardware error is detected. These issues trigger the hardware error alarm:
The appliance does not have enough disk, memory, CPU cores, or NICs to support the current configuration.
The appliance is using a memory Dual In-line Memory Module (DIMM), a hard disk, or a NIC that is not qualified by Riverbed.
DIMMs are plugged into the appliance but RiOS cannot recognize them because:
a DIMM is in the wrong slot. You must plug DIMMs into the black slots first and then use the blue slots when all of the black slots are in use.
or
a DIMM is broken and you must replace it.
Safety Valve: disk access exceeds response times - Enables an alarm when the appliance is experiencing increased disk access time and has started the safety valve disk bypass mechanism that switches connections into SDR-A. SDR-A performs data reduction in memory until the disk access latency falls below the safety valve activation threshold.
Disk access time can exceed the safety valve activation threshold for several reasons: the appliance might be undersized for the amount of traffic it is required to optimize, a larger than usual amount of traffic is being optimized temporarily, or a disk is experiencing hardware issues such as sector errors, failing mechanicals, or RAID disk rebuilding.
You configure the safety valve activation threshold and timeout using CLI commands:
datastore safety-valve threshold
datastore safety-valve timeout
For details, see the Riverbed Command-Line Interface Reference Manual.
Other hardware issues
By default, this alarm is enabled.
Power Supply - Enables an alarm and sends an email notification if an inserted power supply cord does not have power, as opposed to a power supply slot with no power supply cord inserted. By default, this alarm is enabled.
RAID - Indicates an error with the RAID array (for example, missing drives, pulled drives, drive failures, and drive rebuilds). An audible alarm might also sound. To see if a disk has failed, enter the show raid diagram CLI command from the system prompt.
For drive rebuilds, if a drive is removed and then reinserted, the alarm continues to be triggered until the rebuild is complete. Rebuilding a disk drive can take 4 to 6 hours. This alarm applies only to the RAID Series 3000, 5000, and 6000.
SSD Write Cycle Level Exceeded - Enables an alarm if the accumulated SSD write cycles exceed a predefined write cycle level of 95 percent on SteelHead models 7050L and 7050M. If the alarm is triggered, the administrator can swap out the disk before any problems arise.
By default, this alarm is enabled.
Host Hypervisor
Note: This alarm is available only in Virtual Edge on Hyper-V deployments.
Enables an alarm and sends an email notification if the Virtual Edge encounters one of these problems with the host hypervisor:
CPU - Enables an alarm if the CPU capacity and cores reserved for the Virtual Edge VM hosted on Hyper-V are not sufficient to support Virtual Edge operations.
Host Connection - Enables an alarm if the connectivity to the host Hyper-V is lost or not established from the Virtual Edge VM. The reason for connection failure is specified in the alarm description.
Host Hypervisor Version - Enables an alarm if the host hypervisor is running an OS version that is not supported by Virtual Edge.
Memory - Enables an alarm if the memory reserved for the Virtual Edge VM hosted on Hyper-V is not sufficient to support Virtual Edge operations. The alarm is also raised if the memory allocation is dynamic.
By default, this alarm is enabled.
Hypervisor Hardware
Enables an alarm when a problem occurs with the SteelFusion Edge Hypervisor node hardware. The hypervisor hardware affects virtualization on the appliance. These issues trigger the hypervisor hardware alarm:
Hardware Management Connection - Enables an alarm and sends an email notification when RiOS loses IP connectivity or cannot authenticate the connection to the hypervisor motherboard controller.
Hardware Management Controller Unauthenticated User - Enables an alarm and sends an email notification when RiOS does not recognize the password used to access the hardware management controller.
Memory - Enables an alarm and sends an email notification if a memory error is detected: for example, when a system memory stick fails.
Other Hardware - Enables an alarm if a hardware error is detected. These issues trigger the hardware error alarm:
The hypervisor hardware is using a memory Dual In-line Memory Module (DIMM), a hard disk, or a NIC that is not qualified.
The hypervisor hardware has detected a RiOS NIC. The hypervisor does not support RiOS NICs.
DIMMs are plugged into the hypervisor hardware but the hypervisor cannot recognize them because:
a DIMM is in the wrong slot. You must plug DIMMs into the black slots first and then use the blue slots when all of the black slots are in use.
or
a DIMM is broken and you must replace it.
Power - Enables an alarm and sends an email notification if the hypervisor loses power unexpectedly.
Temperature - Enables an alarm and sends an email notification if a hypervisor CPU, board, or platform controller hub (PCH) temperature exceeds the rising threshold. When the CPU, board, or PCH returns to the reset threshold, the critical alarm clears (after polling for 30 seconds). If the appliance has more than one CPU, the alarm displays both CPUs. The default values are maintained by the motherboard.
Inbound QoS WAN Bandwidth Configuration
Enables an alarm and sends an email notification if the inbound QoS WAN bandwidth for one or more of the interfaces is set incorrectly. You must configure the WAN bandwidth to be less than or equal to the interface bandwidth link rate.
This alarm triggers when the system encounters one of these conditions:
An interface is connected and the WAN bandwidth is set higher than its bandwidth link rate: for example, if the bandwidth link rate is 1536 kbps, and the WAN bandwidth is set to 2000 kbps.
A nonzero WAN bandwidth is set and QoS is enabled on an interface that is disconnected; that is, the bandwidth link rate is 0.
A previously disconnected interface is reconnected, and its previously configured WAN bandwidth was set higher than the bandwidth link rate. The Management Console refreshes the alarm message to inform you that the configured WAN bandwidth is set higher than the interface bandwidth link rate.
While this alarm appears, the appliance puts existing connections into the default class.
The alarm clears when you configure the WAN bandwidth to be less than or equal to the bandwidth link rate or reconnect an interface configured with the correct WAN bandwidth.
By default, this alarm is enabled.
Licensing
Enables an alarm and sends an email notification if a license is removed, is about to expire, has expired, or is invalid. This alarm triggers if the appliance has no MSPEC license installed for its currently configured model.
Appliance Unlicensed - This alarm triggers if the appliance has no BASE or MSPEC license installed for its currently configured model. For details about updating licenses, see Managing licenses and model upgrades.
Autolicense Critical Event - This alarm triggers on a SteelHead (virtual edition) appliance when the Riverbed Licensing Portal cannot respond to a license request with valid licenses. The Licensing Portal cannot issue a valid license for one of these reasons:
A newer SteelHead (virtual edition) appliance is already using the token, so you cannot use it on the SteelHead (virtual edition) appliance displaying the critical alarm. Every time the SteelHead (virtual edition) appliance attempts to refetch a license token, the alarm retriggers.
The token has been redeemed too many times. Every time the SteelHead (virtual edition) appliance attempts to refetch a license token, the alarm retriggers.
Autolicense Informational Event - This alarm triggers if the Riverbed Licensing Portal has information regarding the licenses for a SteelHead (virtual edition) appliance. For example, the SteelHead (virtual edition) appliance displays this alarm when the portal returns licenses that are associated with a token that has been used on a different SteelHead (virtual edition) appliance.
Licenses Expired - This alarm triggers if one or more features has at least one license installed, but all of them are expired.
Licenses Expiring - This alarm triggers if the license for one or more features is going to expire within two weeks.
Note: The licenses expiring and licenses expired alarms are triggered per feature. For example: if you install two license keys for a feature, LK1-FOO-xxx (expired) and LK1-FOO-yyy (not expired), the alarms do not trigger, because the feature has one valid license.
By default, this alarm is enabled.
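The per-feature evaluation in the note above, written out in Python as an added example (not Riverbed code). The function name, the tuple layout, the treatment of a license with no expiry date as permanent, and the choice to judge each feature by its longest-lived license are assumptions; the keys and dates are constructed placeholders in the style of LK1-FOO-xxx.

```python
from datetime import date, timedelta

EXPIRING_WINDOW = timedelta(weeks=2)    # "within two weeks"


def license_alarms(licenses, today):
    """Return the features that would raise each per-feature alarm.

    licenses: iterable of (feature, key, expires). expires is a date, or
    None for a license that never expires (assumption for this example).
    """
    latest_by_feature = {}
    for feature, _key, expires in licenses:
        end = expires if expires is not None else date.max
        current = latest_by_feature.get(feature)
        # Keep only the license that keeps the feature valid the longest.
        if current is None or end > current:
            latest_by_feature[feature] = end

    expired, expiring = [], []
    for feature in sorted(latest_by_feature):
        end = latest_by_feature[feature]
        if end < today:
            # Every installed license for this feature has expired.
            expired.append(feature)
        elif end - today <= EXPIRING_WINDOW:
            # The last valid license runs out within two weeks.
            expiring.append(feature)
    return {"Licenses Expired": expired, "Licenses Expiring": expiring}


# Constructed sample data; feature names and keys are placeholders.
SAMPLE_LICENSES = [
    ("FOO", "LK1-FOO-xxx", date(2024, 1, 1)),    # expired
    ("FOO", "LK1-FOO-yyy", date(2025, 1, 1)),    # still valid: no alarm
    ("BAR", "LK1-BAR-xxx", date(2024, 5, 1)),    # expired
    ("BAR", "LK1-BAR-yyy", date(2024, 5, 20)),   # expired: alarm
    ("BAZ", "LK1-BAZ-xxx", date(2024, 6, 10)),   # expires in 9 days
    ("QUX", "LK1-QUX-xxx", None),                # permanent
]

if __name__ == "__main__":
    print(license_alarms(SAMPLE_LICENSES, today=date(2024, 6, 1)))
```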
Link Duplex
Enables an alarm and sends an email notification when an interface was not configured for half-duplex negotiation but has negotiated half-duplex mode. Half-duplex significantly limits the optimization service results.
The alarm displays which interface is triggering the duplex alarm.
By default, this alarm is enabled.
You can enable or disable the alarm for a specific interface. To enable or disable an alarm, choose Administration > System Settings: Alarms and select or clear the check box next to the link name.
Link I/O Errors
Enables an alarm and sends an email notification when the link error rate exceeds 0.1 percent while either sending or receiving packets. This threshold is based on the observation that even a small link error rate reduces TCP throughput significantly. A properly configured LAN connection experiences very few errors.
The alarm clears when the rate drops below 0.05 percent.
You can change the default alarm thresholds by entering the alarm link_io_errors err-threshold <threshold-value> command at the system prompt. For details, see the Riverbed Command-Line Interface Reference Manual.
By default, this alarm is enabled.
You can enable or disable the alarm for a specific interface. For example, you can disable the alarm for a link after deciding to tolerate the errors. To enable or disable an alarm, choose Administration > System Settings: Alarms and select or clear the check box next to the link name.
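The rising and reset thresholds of the CPU Utilization alarm and the 0.1 percent trigger and 0.05 percent clear rates of the Link I/O Errors alarm follow the same two-threshold pattern. The Python model below is an added example, not Riverbed code; it shows why the gap between the two values keeps an alarm from retriggering on every fluctuation. The names, the sample values, and the boundary comparisons (raise at or above the rising value, clear strictly below the reset value) are assumptions.

```python
class ThresholdAlarm:
    """Two-threshold alarm: raise at `rising`, clear below `reset`."""

    def __init__(self, rising, reset):
        if reset > rising:
            raise ValueError("reset threshold must not exceed rising threshold")
        self.rising = rising
        self.reset = reset
        self.active = False

    def update(self, value):
        """Feed one sample; return 'raise', 'clear' or None (no change)."""
        if not self.active and value >= self.rising:
            self.active = True
            return "raise"
        if self.active and value < self.reset:
            self.active = False
            return "clear"
        # While active, values between reset and rising change nothing,
        # so the alarm is not triggered again until it has cleared.
        return None


def events(alarm, samples):
    """Return [(sample_index, event)] for every state change."""
    changes = []
    for index, value in enumerate(samples):
        event = alarm.update(value)
        if event:
            changes.append((index, event))
    return changes


def error_rate_percent(packets, errors):
    """Link error rate for one polling interval; an idle link counts as 0."""
    return 100.0 * errors / packets if packets else 0.0


# Constructed CPU utilization samples (percent) hovering around 90.
CPU_SAMPLES = [65, 88, 92, 86, 91, 85, 93, 72, 68, 95]

# Constructed per-interval (packets, errors) counters for one link.
LINK_INTERVALS = [(0, 0), (100000, 20), (100000, 150), (100000, 80), (100000, 40)]


def cpu_events(rising=90, reset=70):
    """State changes for the CPU samples; defaults are the page's values."""
    return events(ThresholdAlarm(rising, reset), CPU_SAMPLES)


def link_events():
    """State changes for the link counters with the 0.1 / 0.05 thresholds."""
    rates = [error_rate_percent(p, e) for p, e in LINK_INTERVALS]
    return events(ThresholdAlarm(0.1, 0.05), rates)


if __name__ == "__main__":
    print("CPU, rising 90 / reset 70:", cpu_events())
    # Same samples with reset equal to rising: the alarm flaps.
    print("CPU, single threshold 90:", cpu_events(90, 90))
    print("Link I/O, 0.1 / 0.05:", link_events())
```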
Link State
Enables an alarm and sends an email notification if an Ethernet link is lost due to an unplugged cable or dead switch port. Depending on which link is down, the system might no longer be optimizing and a network outage could occur.
This condition is often caused by interface transitions on surrounding devices, such as routers or switches. This alarm also accompanies service or system restarts on the appliance.
For WAN/LAN interfaces, the alarm triggers if in-path support is enabled for that WAN/LAN pair.
By default, this alarm is disabled.
You can enable or disable the alarm for a specific interface. To enable or disable an alarm, choose Administration > System Settings: Alarms and select or clear the check box next to the link name.
Memory Paging
Enables an alarm and sends an email notification if memory paging is detected. If 100 pages are swapped every couple of hours, the system is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support at https://support.riverbed.com.
By default, this alarm is enabled.
Neighbor Incompatibility
Enables an alarm if the system has encountered an error in reaching an appliance configured for connection forwarding.
By default, this alarm is enabled.
Network Bypass
Enables an alarm and sends an email notification if the system is in bypass failover mode.
By default, this alarm is enabled.
NFS V2/V4 alarm
Enables an alarm and sends an email notification if the appliance detects that either NFSv2 or NFSv4 is in use. The appliance only supports NFSv3 and passes through all other versions.
By default, this alarm is enabled.
Optimization Service
Internal Error - Enables an alarm and sends an email notification if the RiOS optimization service encounters a condition that might degrade optimization performance. By default, this alarm is enabled. Go to the Administration > Maintenance: Services page and restart the optimization service.
Service Status - Enables an alarm and sends an email notification if the RiOS optimization service encounters a service condition. By default, this alarm is enabled. The message indicates the reason for the condition. These conditions trigger this alarm:
Configuration errors.
An appliance reboot.
A system crash.
An optimization service restart.
A user enters the no service enable command or shuts down the optimization service from the Management Console.
A user restarts the optimization service from either the Management Console or CLI.
Unexpected Halt - Enables an alarm and sends an email notification if the RiOS optimization service halts due to a serious software error. By default, this alarm is enabled.
Outbound QoS WAN Bandwidth Configuration
Enables an alarm and sends an email notification if the outbound QoS WAN bandwidth for one or more of the interfaces is set incorrectly. You must configure the WAN bandwidth to be less than or equal to the interface bandwidth link rate.
This alarm triggers when the system encounters one of these conditions:
An interface is connected and the WAN bandwidth is set to higher than its bandwidth link rate: for example, if the bandwidth link rate is 100 Mbps, and the WAN bandwidth is set to 200 Mbps.
A nonzero WAN bandwidth is set and QoS is enabled on an interface that is disconnected; that is, the bandwidth link rate is 0.
A previously disconnected interface is reconnected, and its previously configured WAN bandwidth was set higher than the bandwidth link rate. The Management Console refreshes the alarm message to inform you that the configured WAN bandwidth is set greater than the interface bandwidth link rate.
While this alarm appears, the system puts existing connections into the default class.
The alarm clears when you configure the WAN bandwidth to be less than or equal to the bandwidth link rate or reconnect an interface configured with the correct WAN bandwidth.
By default, this alarm is enabled.
Path Selection Path Down
Enables an alarm and sends an email notification if the system detects that one of the predefined uplinks for a connection is unavailable. The uplink has exceeded either the timeout value for uplink latency or the threshold for observed packet loss.
When an uplink fails, the system directs traffic through another available uplink. When the original uplink comes back up, the system redirects the traffic back to it.
By default, this alarm is enabled.
Path Selection Path Probing Error
Enables an alarm and sends an email notification if a path selection monitoring probe for a predefined uplink has received a probe response from an unexpected relay or interface.
By default, this alarm is enabled.
Process Dump Creation Error
Enables an alarm and sends an email notification if the system detects an error while trying to create a process dump. This alarm indicates an abnormal condition where RiOS cannot collect the core file after three retries. It can be caused when the /var directory is reaching capacity or other conditions. When the alarm is raised, the directory is blacklisted.
By default, this alarm is enabled.
Proxy File Service
Enables an alarm and sends an email notification when the system detects a PFS operation or configuration error:
Proxy File Service Configuration - Indicates that a configuration attempt has failed. If the system detects a configuration failure, attempt the configuration again.
Proxy File Service Operation - Indicates that a synchronization operation has failed. If the system detects an operation failure, attempt the operation again.
By default, this alarm is enabled.
Riverbed Host Tools Version
Enables an alarm and sends an email notification when the Riverbed Hardware Snapshot Provider (RHSP) is incompatible with the Windows server version. RHSP provides snapshot capabilities by exposing the Edge through iSCSI to the Windows Server as a snapshot provider. RHSP is compatible with 64-bit editions of Microsoft Windows Server 2008 R2 or later and can be downloaded from the Riverbed Support site at https://support.riverbed.com.
Note: We strongly recommend that you upgrade to the latest version of the RHSP tool (available through the Unified Installer for Riverbed Plugins) before upgrading the SteelFusion Edge software. For details, see the SteelFusion Design Guide.
In Virtual Edge on Hyper-V deployments, this alarm is raised if an incompatible RHSP version is installed. We recommend you install the latest RHSP version. The alarm is also raised if RHSP is installed on an incompatible Windows server. Windows Server 2016 is required for Virtual Edge on Hyper-V deployments.
By default, this alarm is enabled.
Secure Transport
Enables an alarm and sends an email notification if a peer appliance encounters a problem with the controller connection. The controller is a SteelHead that typically resides in the data center and manages the control channel and operations required for secure transport between peers. The control channel uses SSL to secure the connection between the peer appliance and the SteelHead controller.
Connection with Controller Lost - Indicates that the peer appliance is no longer connected to the SteelHead controller because:
The connectivity between the peer appliance and the SteelHead controller is lost.
The SSL for the connection is not configured correctly.
Registration with Controller Unsuccessful - Indicates that the peer appliance is not registered with the SteelHead controller, and the controller does not recognize it as a member of the secure transport group.
By default, this alarm is enabled.
Secure Vault
Enables an alarm and sends an email notification if the system encounters a problem with the secure vault:
Secure Vault Locked - Indicates that the secure vault is locked. To optimize SSL connections or to use RiOS data store encryption, the secure vault must be unlocked. Go to Administration > Security: Secure Vault and unlock the secure vault.
Secure Vault New Password Recommended - Indicates that the secure vault requires a new, nondefault password. Reenter the password.
Secure Vault Not Initialized - Indicates that an error has occurred while initializing the secure vault. When the vault is locked, SSL traffic is not optimized and you cannot encrypt the RiOS data store. For details, see Unlocking the secure vault.
By default, this alarm is enabled.
Server Backup
Enables an alarm and sends a notification if the system encounters one of these issues with server-based backups:
Failed connection to the server - Indicates that the connection between the Edge and the ESXi server or vCenter is down, the server is not running, or there are incorrect credentials for the ESXi or vCenter server login.
Backup failure on the Edge - Indicates that a backup has failed on the Edge. The alarm displays a message with the affected server.
LUN is shared among multiple ESXi servers - Indicates that a server is sharing a LUN with other servers.
Server with a backup policy does not have a LUN - Indicates that a server with an associated backup policy does not have any VMs or LUNs to protect.
Snapshot
Enables an alarm if a snapshot fails to be committed to the SAN, or a snapshot fails to complete due to Windows timing out.
By default, this alarm is enabled.
Software Compatibility
Enables an alarm and sends an email notification if the system encounters a problem with software compatibility:
Peer Mismatch - Needs Attention - Indicates that the appliance has encountered another appliance that is running an incompatible version of system software. Refer to the CLI, Management Console, or the SNMP peer table to determine which appliance is causing the conflict. Connections with that peer will not be optimized; connections with other peers running compatible RiOS versions are unaffected.
Software Version Mismatch - Degraded - Indicates that the appliance is running an incompatible version of system software.
By default, this alarm is enabled.
SSL
Enables an alarm if an error is detected in your SSL configuration. For details about checking your settings, see Configuring SSL main settings.
Non-443 SSL Servers - Indicates that during a RiOS upgrade (for example, from 8.5 to 9.0), the system has detected a preexisting SSL server certificate configuration on a port other than the default SSL port 443. SSL traffic might not be optimized. To restore SSL optimization, you can add an in-path rule to the client-side appliance to intercept the connection and optimize the SSL traffic on the nondefault SSL server port.
After adding an in-path rule, you must clear this alarm manually by entering this command:
stats alarm non_443_ssl_servers_detected_on_upgrade clear
 
SSL Certificates Error (SSL CAs) - Indicates that an SSL peering certificate has failed to reenroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
SSL Certificates Error (SSL Peering CAs) - Indicates that an SSL peering certificate has failed to reenroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
SSL Certificates Expiring - Indicates that an SSL certificate is about to expire.
SSL Certificates SCEP - Indicates that an SSL certificate has failed to reenroll automatically within the SCEP polling interval.
By default, this alarm is enabled.
SteelFusion Core
Enables an alarm if the system encounters any of these issues with the SteelFusion Core:
The Edge device has connected to a Core that does not recognize the Edge device.
The Edge does not have an active connection with the Core.
The data channel between Core and the Edge is down.
The connection between the Core and the Edge has stalled.
By default, this alarm is enabled.
SteelFusion Protocol Service
Enables an alarm and sends an email notification if an iSCSI protocol error is preventing a LUN on the Edge from being discovered by the clients (for example, ESXi).
 
Storage Volume Status
Enables an alarm and sends an email notification if the connection to the volume has failed or there is an issue with:
Backend connectivity
No read/write permissions
Space threshold has been reached
A LUN is deactivated. A LUN will be deactivated if the blockstore has a critical amount of low space and this particular LUN has a high rate of new writes.
Initialization of the blockstore for the LUN fails.
Connectivity issues between Edge and Core.
By default, this alarm is enabled.
System Detail Report
Enables an alarm if a system component has encountered a problem.
By default, this alarm is disabled.
Temperature
Critical Temperature - Enables an alarm and sends an email notification if the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the critical alarm is cleared. The default value for the rising threshold temperature is 70ºC; the default reset threshold temperature is 67ºC.
Warning Temperature - Enables an alarm and sends an email notification if the CPU temperature approaches the rising threshold. When the CPU returns to the reset threshold, the warning alarm clears.
Rising Threshold - Specifies the rising threshold. The alarm activates when the temperature exceeds the rising threshold. The default value is 70 percent.
Reset Threshold - Specifies the reset threshold. The alarm clears when the temperature falls below the reset threshold. The default value is 67 percent.
After the alarm triggers, it cannot trigger again until after the temperature falls below the reset threshold and then exceeds the rising threshold again.
By default, this alarm is enabled.
Uncommitted Edge Data
Enables an alarm when a large amount of data in the blockstore needs to be committed to SteelFusion Core. The difference between the contents of the blockstore and the SteelFusion Core-side NFS export is significant. This alarm checks for how much uncommitted data is in the Edge cache as a percentage of the total cache size.
This alarm triggers when the appliance writes a large amount of data very quickly, but the WAN pipe is not large enough to get the data back to the SteelFusion Core fast enough to keep the uncommitted data percentage below 5 percent. As long as data is being committed, the cache will flush eventually.
The threshold is 5 percent, which for a 4 TiB (1260-4) system is 200 GiB. To change the threshold, use this command:
[failover-peer] edge id <id> blockstore uncommitted [trigger-pct <percentage>] [repeat-pct <percentage>] [repeat-interval <minutes>]
For example:
Core3(config) # edge id Edge2 blockstore uncommitted trigger-pct 50 repeat-pct 25 repeat-interval 5
For details on the CLI command, see the SteelFusion Command-Line Interface Reference Manual.
To check that data is being committed, go to Storage > Reports: Blockstore Metrics on the Edge.
By default, this alarm is enabled.
Virtualization
Hypervisor - Enables an alarm when a problem occurs with the hypervisor.
License - Enables an alarm when the hypervisor license has expired.
Operation - Enables an alarm when the hypervisor operation is degraded and is in lockdown mode.
Virtual Services Platform - Enables an alarm when a communication issue occurs between VSP and the hypervisor.
Connection - Enables an alarm when the hypervisor is not communicating for any of these issues:
VSP is disconnected from the hypervisor.
The hypervisor password is invalid.
VSP was unable to gather some hardware information.
VSP is disconnected.
Installation - Enables an alarm when VSP is not installed properly and is powered off for any of these issues:
A hypervisor upgrade has failed.
A configuration set from the installer has failed to be applied to the hypervisor.
VSP could not gather enough information to set up an interface.
The hypervisor is not installed.
VMRS File Size on Hyper-V
Note: This alarm is available only in Virtual Edge on Hyper-V deployments.
Enables an alarm and sends an email notification if large VMRS files will be created on Hyper-V after performing a snapshot operation on the guest VMs.
The large VMRS file size on Hyper-V after a snapshot operation can be caused by one of these conditions:
Hyper-V Integration Services is not up to date on the VM.
Hyper-V Integration Services is up to date, but the VM is in the Paused or Saved state.
Hyper-V Integration Services is up to date, but the VSS service is not running on the VM.
By default, this alarm is enabled.
Web Proxy
Web Proxy Service - Configuration - Enables an alarm when an error occurs with the web proxy configuration.
Web Proxy Service - Service Status - Enables an alarm when an error occurs with the web proxy service. By default, this alarm is enabled.
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
Related topics
Configuring email settings
Configuring SNMP settings
Viewing process dumps
Setting announcements
You can create or modify a login message or a message of the day. The login message appears in the Management Console Login page. The message of the day appears in the Dashboard and when you first log in to the CLI.
To set an announcement
1. Choose Administration > System Settings: Announcements to display the Announcements page.
Announcements page
2. Use the controls to complete the configuration as described in this table.
 
Control
Description
Login Message
Specify a message in the text box to appear in the Login page.
MOTD
Specify a message in the text box to appear in the Dashboard.
3. Click Apply to view the message before saving.
4. Click Save to save your settings permanently.
Configuring email settings
You can set email notification parameters for events and failures in the Administration > System Settings: Email page.
By default, email addresses are not specified for event and failure notification.
To set event and failure email notification
1. Choose Administration > System Settings: Email to display the Email page.
Email page
2. Under Email Notification, complete the configuration as described in this table.
Control
Description
SMTP Server
Specify the SMTP server. You must have external DNS and external access for SMTP traffic for this feature to function.
Note: Make sure you provide a valid SMTP server to ensure that the users you specify receive email notifications for events and failures.
SMTP Port
Specify the port number for the SMTP server. Typically you don’t need to change the default port 25.
Report Events via Email
Select this option to report alarm events through email. Specify a list of email addresses to receive the notification messages. Separate addresses by spaces, semicolons, commas, or vertical bars.
These alarms are events:
Admission control
CPU utilization (rising threshold, reset threshold)
Temperature (rising threshold, reset threshold)
Data store wrap frequency
Domain authentication alert
Network interface duplex errors
Network interface link errors
Fan error
Flash error
Hardware error
IPMI
Licensing
Memory error
Neighbor incompatibility
Network bypass
NFS V2/V4 alarm
Non-SSL servers detected on upgrade
Optimization service (general service status, optimization service)
Extended memory paging activity
Secure vault
System disk full
Software version mismatch
Storage profile switch failed
TCP Stop Trigger scan has started
Asymmetric routes
Expiring SSL certificates
SSL peering certificate SCEP automatic re-enrollment
Connection forwarding (ACK timeout, failure, lost EOS, lost ERR, keepalive timeout, latency exceeded, read info timeout)
Prepopulation or Proxy File Service
Report Failures via Email
Select this option to report alarm failures through email. Specify a list of email addresses to receive the notification messages. Separate addresses by spaces, semicolons, commas, or vertical bars.
These alarms are failures:
Data store corruption
System details report
Domain join error
RAID
Optimization service - unexpected halt
Critical temperature
Disk error
SSD wear warning
Override Default Sender’s Address
Select this option to configure the SMTP protocol for outgoing server messages for errors or events. Specify a list of email addresses to receive the notification messages. Separate addresses by commas.
You can also configure the outgoing email address sent to the client recipients. The default outgoing address is do-not-reply@hostname.domain. If you don’t specify a domain, the default outgoing email is do-not-reply@hostname.
You can configure the host and domain settings in the Networking > Networking: Host Settings page.
Report Failures to Technical Support
Select this option to report serious failures such as system crashes to Riverbed Support.
We recommend that you activate this feature so that problems are promptly corrected.
Note: This option doesn’t automatically report a disk drive failure. In the event of a disk drive failure, please contact Riverbed Support at support@riverbed.com.
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
Related topic
Configuring alarm settings
Configuring log settings
You set up local and remote logging in the Administration > System Settings: Logging page.
By default, the system rotates each log file every 24 hours or if the file size reaches one GB uncompressed. You can change this to rotate every week or month and you can rotate the files based on file size.
The automatic rotation of system logs deletes your oldest log file, labeled as Archived log #10, pushes the current log to Archived log #1, and starts a new current-day log file.
To set up logging
1. Choose Administration > System Settings: Logging to display the Logging page.
Log Settings page
2. To rotate the logs manually, under Log Actions, click Rotate Logs. After the logs are rotated, this message appears:
logs successfully rotated
When you click Rotate Logs, your archived file #1 contains data for a partial day because you are writing a new log before the current 24-hour period is complete.
3. Under Logging Configuration, complete the configuration as described in this table.
Control
Description
Minimum Severity
Select the minimum severity level for the system log messages. The log contains all messages with this severity level or higher. Select one of these levels from the drop-down list:
Emergency - Emergency, the system is unusable.
Alert - Action must be taken immediately.
Critical - Conditions that affect the functionality of the SteelHead.
Error - Conditions that probably affect the functionality of the SteelHead.
Warning - Conditions that could affect the functionality of the SteelHead, such as authentication failures.
Notice - Normal but significant conditions, such as a configuration change. This is the default setting.
Info - Informational messages that provide general information about system operations.
Note: This control applies to the system log only. It doesn’t apply to the user log.
Maximum Number of Log Files
Specify the maximum number of logs to store. The default value is 10.
Lines Per Log Page
Specify the number of lines per log page. The default value is 100.
Rotate Based On
Specifies the rotation option:
Time - Select Day, Week, or Month from the drop-down list. The default setting is Day.
Disk Space - Specify how much disk space, in megabytes, the log uses before it rotates. The default value is 16 MB.
Note: The log file size is checked at 10-minute intervals. If there’s an unusually large amount of logging activity, it’s possible for a log file to grow larger than the set disk space limit in that period of time.
4. Click Apply to apply your changes to the running configuration.
5. Click Save to save your settings permanently.
To add or remove a log server
Control
Description
Add a New Log Server
Displays the controls for configuring new log servers.
Server IP
Specify the server IP address.
Minimum Severity
Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of these levels from the drop-down list:
Emergency - Emergency, the system is unusable.
Alert - Action must be taken immediately.
Critical - Conditions that affect the functionality of the SteelHead.
Error - Conditions that probably affect the functionality of the SteelHead.
Warning - Conditions that could affect the functionality of the SteelHead, such as authentication failures.
Notice - Normal but significant conditions, such as a configuration change. This is the default setting.
Info - Informational messages that provide general information about system operations.
Add
Adds the server to the list.
Remove Selected
Select the check box next to the name and click Remove Selected.
6. Click Save to save your settings permanently.
Filtering logs by application or process
You can filter a log by one or more applications or one or more processes. This is particularly useful when capturing data at a lower severity level where an appliance might not be able to sustain the flow of logging data the service is committing to disk.
To filter a log
1. Choose Administration > System Settings: Logging to display the Logging page.
Filtering a log
2. Under Per-Process Logging, complete the configuration as described in this table.
Control
Description
Add a New Process Logging Filter
Displays the controls for adding a process level logging filter.
Process
Select a process to include in the log from the drop-down list:
alarmd - Alarm control and management.
cifs - CIFS Optimization.
cmcfc - CMC automatic registration utility.
rgp - SCC connector, which handles SCC appliance communication.
rgpd - SCC client daemon, the connection manager.
cli - Command-line interface.
mgmtd - Device control and management, which directs the entire device management system and VSP. It handles message passing between various management daemons, managing system configuration and general application of system configuration on the hardware underneath through the hald.
http - HTTP optimization.
hald - Hardware Abstraction Daemon, which handles access to the RiOS hardware and also provides software access to these hypervisor modules: HYP BMC, HYP power control, and HYP sensors.
notes - Lotus Notes optimization.
mapi - MAPI optimization.
nfs - NFS optimization.
pm - Process Manager, which handles launching of internal system daemons and keeps them up and running.
sched - Process Scheduler, which handles one-time scheduled events.
statsd - Statistics Collector, which handles queries and storage of system statistics.
wdt - Watchdog Timer, the motherboard watchdog daemon.
webasd - Web Application Process, which handles the web user interface.
domain auth - Windows Domain Authentication.
Minimum Severity
Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of these levels from the drop-down list:
Emergency - Emergency, the system is unusable.
Alert - Action must be taken immediately.
Critical - Conditions that affect the functionality of the appliance.
Error - Conditions that probably affect the functionality of the appliance.
Warning - Conditions that could affect the functionality of the appliance, such as authentication failures.
Notice - Normal but significant conditions, such as a configuration change. This is the default setting.
Info - Informational messages that provide general information about system operations.
Add
Adds the filter to the list. The process now logs at the selected severity and higher level.
Remove Selected
Select the check box next to the name and click Remove Selected to remove the filter.
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
Configuring the date and time
You set the system date and time in the Administration > System Settings: Date/Time page.
You can either set the system date and time by entering it manually or assigning an NTP server to the appliance. By default, the appliance uses the Riverbed-provided NTP server and these public NTP servers:
0.riverbed.pool.ntp.org
1.riverbed.pool.ntp.org
2.riverbed.pool.ntp.org
3.riverbed.pool.ntp.org
To set the date and time manually
1. Choose Administration > System Settings: Date/Time to display the Date/Time page.
Date/Time page
2. Under Date and Time, click Set Time Manually.
3. Complete the configuration as described in this table.
Control
Description
Time Zone
Select a time zone from the drop-down list. The default value is GMT.
Note: If you change the time zone, log messages retain the previous time zone until you reboot.
Change Date
Specify the date in this format: yyyy/mm/dd.
Change Time
Specify military time in this format: hh:mm:ss.
4. Click Apply to apply your changes to the running configuration.
5. Click Save to save your settings permanently.
To use Network Time Protocol (NTP) time synchronization
1. Choose Administration > System Settings: Date/Time to display the Date/Time page.
2. Under Date and Time, select Use NTP Time Synchronization.
As a best practice, configure your own internal NTP servers; however, you can use the Riverbed-provided NTP server and public NTP servers. The hard-coded IP address that is preconfigured into every Edge is 208.70.196.25. This IP address and the public NTP servers are enabled by default and appear in the requested NTP server list.
Current NTP server status
NTP server state information appears in these server tables:
Requested NTP server table - Displays all of the configured NTP server addresses.
Connected NTP server table - Displays all of the servers to which the appliance is actually connected.
When you request a connection to an NTP server in a public NTP server pool, the server IP address does not map to the actual NTP server to which the appliance connects. For example, if you request *.riverbed.pool.ntp.org, querying the pool address does not return the IP address of the pool hostname, but instead returns the IP address of an NTP server within its pool. For example, when resolving 0.riverbed.pool.ntp.org returns the first NTP server, the connected NTP server table displays the IP address of this first NTP server.
This information appears after an NTP server name:
Authentication information; unauthenticated appears after the server name when it is not using authentication.
When RiOS has no NTP information about the current server, nothing appears.
NTP authentication
NTP authentication verifies the identity of the NTP server sending timing information to the appliance. RiOS supports MD5-based Message-Digest Algorithm symmetric keys and Secure Hash Algorithm (SHA1) for NTP authentication. MD5 is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. SHA1 is a set of related cryptographic hash functions. SHA1 is considered to be the successor to MD5.
NTP authentication is optional.
Configuring NTP authentication involves these tasks that you can perform in any order:
Configure a key ID and a secret pair.
Configure the key type.
Configure the NTP server with the key ID.
NTP servers
The default NTP configuration points to the Riverbed-provided NTP server IP address 208.70.196.25 and these public NTP servers:
0.riverbed.pool.ntp.org
1.riverbed.pool.ntp.org
2.riverbed.pool.ntp.org
3.riverbed.pool.ntp.org
We recommend synchronizing the appliance to an NTP server of your choice.
To add an NTP server
1. Choose Administration > System Settings: Date/Time to display the Date/Time page.
2. Under Requested NTP servers, complete the configuration as described in this table.
Control
Description
Add a New NTP Server
Displays the controls to add a server.
Hostname or IP Address
Specify the hostname or IP address for the NTP server. You can connect to an NTP public server pool: for example, 0.riverbed.pool.ntp.org.
When you add an NTP server pool, the server is selected from a pool of time servers.
Starting with RiOS 9.5, you can use IPv6 addresses.
Version
Select the NTP server version from the drop-down list: 3 or 4.
Enabled/Disabled
Select Enabled from the drop-down list to connect to the NTP server. Select Disabled from the drop-down list to disconnect from the NTP server.
Key ID
Specify the MD5 or SHA1 key identifier to use to authenticate the NTP server. The valid range is from 1 to 65534. The key ID must appear on the trusted keys list.
Add
Adds the NTP server to the server list.
Remove Selected
Select the check box next to the name and click Remove Selected.
3. Click Save to save your settings permanently.
NTP authentication keys
NTP authentication uses a key and a shared secret to verify the identity of the NTP server sending timing information to the appliance. RiOS encrypts the shared secret text using MD5 or SHA1, and uses the authentication key to access the secret.
To add an NTP authentication key
1. Under NTP Authentication Keys, choose Administration > System Settings: Date/Time to display the Date/Time page.
2. Complete the configuration as described in this table.
Control
Description
Add a New NTP Authentication Key
Displays the controls to add an authentication key to the key list. Both trusted and untrusted keys appear on the list.
Key ID
Optionally, specify the secret MD5 or SHA1 key identifier for the NTP server. The valid range is from 1 to 65534.
Key Type
Select the authentication key type: MD5 or SHA1.
Secret
Specify the shared secret. You must configure the same shared secret for both the NTP server and the NTP client.
The MD5 shared secret:
is limited to 16 alphanumeric characters or fewer, or exactly 40 hexadecimal characters
can’t include spaces or pound signs (#)
can’t be empty
is case sensitive
The SHA1 shared secret:
is limited to exactly 40 hexadecimal characters
can’t include spaces or pound signs (#)
can’t be empty
is case sensitive
The secret appears in the key list as its MD5 or SHA1 hash value.
Add
Adds the authentication key to the trusted keys list.
Remove Selected
Select the check box next to the name and click Remove Selected.
3. Click Save to save your settings permanently.
NTP key information
NTP keys appear in a list that includes the key ID, type, secret (displays as the MD5 or SHA1 hash value), and whether RiOS trusts the key for authentication.
You can only remove a key from the trust list using the ntp authentication trustedkeys command. For details, see the Riverbed Command-Line Interface Reference Manual.
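The secret rules from the NTP authentication keys table and the way a key ID plus shared secret authenticates a server reply, as an added example (not Riverbed code). It assumes the NTP symmetric-key scheme of the reference ntpd, where the MAC is the digest of the key followed by the 48-byte header and a 40-character hexadecimal secret is decoded to raw bytes; the function names and sample values are constructed.

```python
import hashlib
import hmac
import re
import struct

KEY_ID_RANGE = range(1, 65535)            # valid key IDs per the table: 1 to 65534
NTP_HEADER_LEN = 48                       # NTP header without extension fields
_HEX40 = re.compile(r"[0-9A-Fa-f]{40}")
_ALNUM16 = re.compile(r"[A-Za-z0-9]{1,16}")
_DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def validate_key(key_id, key_type, secret):
    """Return the list of rule violations; an empty list means the entry is acceptable."""
    problems = []
    if key_id not in KEY_ID_RANGE:
        problems.append("key ID must be between 1 and 65534")
    if key_type not in _DIGESTS:
        problems.append("key type must be MD5 or SHA1")
    if not secret:
        problems.append("secret can't be empty")
        return problems
    if " " in secret or "#" in secret:
        problems.append("secret can't include spaces or pound signs (#)")
    is_hex40 = bool(_HEX40.fullmatch(secret))
    if key_type == "SHA1" and not is_hex40:
        problems.append("SHA1 secret must be exactly 40 hexadecimal characters")
    if key_type == "MD5" and not is_hex40 and not _ALNUM16.fullmatch(secret):
        problems.append("MD5 secret must be 16 or fewer alphanumeric characters, "
                        "or exactly 40 hexadecimal characters")
    return problems


def key_bytes(secret):
    """Assumption (ntpd convention): a 40-digit hex secret is decoded, anything else is used as ASCII."""
    return bytes.fromhex(secret) if _HEX40.fullmatch(secret) else secret.encode("ascii")


def sign(header, key_id, key_type, secret):
    """Server side: append the 32-bit key ID and digest(key || header) to the header."""
    digest = _DIGESTS[key_type](key_bytes(secret) + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Client side: accept the packet only if its MAC matches a key on the trusted list.

    trusted_keys maps key ID -> (key type, secret). A bare 48-byte packet carries
    no MAC and is rejected here, which corresponds to an unauthenticated server.
    """
    if len(packet) < NTP_HEADER_LEN + 4:
        return False
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    mac = packet[NTP_HEADER_LEN + 4:]
    entry = trusted_keys.get(key_id)
    if entry is None:                      # key ID not on the trusted keys list
        return False
    key_type, secret = entry
    expected = _DIGESTS[key_type](key_bytes(secret) + header).digest()
    return hmac.compare_digest(mac, expected)


# Constructed sample data: a server-mode NTPv4 header (LI=0, VN=4, mode=4), rest zeroed.
SAMPLE_HEADER = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)
SAMPLE_KEYS = {5: ("SHA1", "ab" * 20), 7: ("MD5", "Timekeeper2024")}

if __name__ == "__main__":
    for kid, (ktype, secret) in SAMPLE_KEYS.items():
        print(kid, ktype, validate_key(kid, ktype, secret) or "ok")
    reply = sign(SAMPLE_HEADER, 5, *SAMPLE_KEYS[5])
    print("authentic reply accepted:", verify(reply, SAMPLE_KEYS))
    forged = bytearray(reply)
    forged[40] ^= 0x01                     # alter one byte of the transmit timestamp
    print("altered reply accepted:", verify(bytes(forged), SAMPLE_KEYS))
```
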
Configuring monitored ports
You set the TCP ports to monitor in the Administration > System Settings: Monitored Ports page. The ports you specify appear in the Traffic Summary report. Make sure the description you specify helps you identify the type of traffic on the port.
The appliance automatically discovers all the ports in the system that have traffic. Discovered ports, with a label (if one exists), are added to the Traffic Summary report. If a label does not exist, then an unknown label is added to the discovered port. To change the unknown label to a name representing the port, you must add the port with a new label. All statistics for this new port label are preserved from the time the port was discovered.
For details, see Viewing traffic summary reports.
By default, traffic is monitored on ports 21 (FTP), 80 (HTTP), 135 (EPM), 139 (CIFS:NetBIOS), 443 (SSL), 445 (CIFS:TCP), 1352 (Lotus Notes), 1433 (SQL:TDS), 1748 (SRDF), 3225 (FCIP), 3226 (FCIP), 3227 (FCIP), 3228 (FCIP), 7830 (MAPI), 7919 (IP Blade), 8777 (RCU), 8778 (SMB Signed), 8779 (SMB2), 8780 (SMB2 Signed), 8781 (SMB3), 8782 (SMB3 Signed), 8783 (SMB3 Encrypted), and 10566 (SnapMirror).
To set monitored ports
1. Choose Administration > System Settings: Monitored Ports to display the Monitored Ports page.
Monitored Ports page
2. Complete the configuration as described in this table.
Control
Description
Add Port
Displays the controls to add a new port.
Port Number
Specify the port to be monitored.
Port Description
Specify a description of the type of traffic on the port.
Add
Displays the controls for adding a port.
Remove Selected
Select the check box next to the name and click Remove Selected.
3. To modify a monitored port, click the right arrow next to the port and complete the configuration as described in this table.
Control
Description
Port Description
Specify a description of the type of traffic on the port.
Apply
Applies your settings to the running configuration.
4. Click Save to save your settings permanently.
Configuring SNMP settings
You configure SNMP contact and trap receiver settings to allow events to be reported to an SNMP entity in the Administration > System Settings: SNMP Basic page.
Traps are messages sent by an SNMP entity that indicate the occurrence of an event. The default system configuration does not include SNMP traps.
RiOS provides support for these SNMP versions:
SNMPv1
SNMPv2c
SNMPv3, which provides authentication through the User-based Security Model (USM).
View-Based Access Control Mechanism (VACM), which provides richer access control.
SNMPv3 authentication using AES 128 and DES encryption privacy.
You set the default community string in the SNMP Basic page.
To set general SNMP parameters
1. Choose Administration > System Settings: SNMP Basic to display the SNMP Basic page.
SNMP Basic page
2. Under SNMP Server Settings, complete the configuration as described in this table.
Control
Description
Enable SNMP Traps
Enables event reporting to an SNMP entity.
System Contact
Specify the username for the SNMP contact.
System Location
Specify the physical location of the SNMP system.
Read-Only Community String
Specify a password-like string to identify the read-only community: for example, public. This community string overrides any VACM settings.
Community strings can’t contain the pound sign (#).
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
To add or remove a trap receiver
Control
Description
Add a New Trap Receiver
Displays the controls to add a new trap receiver.
Receiver
Specify the destination IPv4 or IPv6 address or hostname for the SNMP trap.
Destination Port
Specify the destination port.
Receiver Type
Select SNMP v1, v2c, or v3 (user-based security model).
Remote User
(Appears only when you select v3.) Specify a remote username.
Authentication
(Appears only when you select v3.) Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Authentication Protocol
(Appears only when you select v3.) Select an authentication method from the drop-down list:
MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.
SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Password/Password Confirm
(Appears only when you select v3 and Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
Security Level
(Appears only when you select v3.) Determines whether a single atomic message exchange is authenticated. Select one of these levels from the drop-down list:
No Auth - Doesn’t authenticate packets and doesn’t use privacy. This is the default setting.
Auth - Authenticates packets but doesn’t use privacy.
AuthPriv - Authenticates packets using AES 128 and DES to encrypt messages for privacy.
Note: A security level applies to a group, not to an individual user.
Privacy Protocol
(Appears only when you select v3 and AuthPriv.) Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm.
Privacy
(Appears only when you select v3 and AuthPriv.) Select Same as Authentication Key, Supply a Password, or Supply a Key to use while authenticating users. The default setting is Same as Authentication Key.
Privacy Password
(Appears only when you select v3 and Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Privacy Password Confirm text box.
MD5/SHA Key
(Appears only when you select v3 and Authentication as Supply a Key.) Specify a unique authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Privacy MD5/SHA Key
(Appears only when you select v3 and Privacy as Supply a Key.) Specify the privacy authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Community
For v1 or v2 trap receivers, specify the SNMP community name: for example, public or private. v3 trap receivers need a remote user with an authentication protocol, a password, and a security level.
Enable Receiver
Select to enable the new trap receiver. Clear to disable the receiver.
Add
Adds a new trap receiver to the list.
Remove Selected
Select the check box next to the name and click Remove Selected.
To test an SNMP trap
1. Choose Administration > System Settings: SNMP Basic to display the SNMP Basic page.
2. Under SNMP Trap Test, click Run.
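A review check for the trap receiver settings in the table above, as an added example (not Riverbed code). The dictionary field names are hypothetical stand-ins for the controls, the sample receivers are constructed, and the defaults it applies (No Auth, MD5) are the ones the table states.

```python
import re

KEY_HEX_DIGITS = {"MD5": 32, "SHA": 40}   # key lengths stated in the table
MIN_PASSWORD_LEN = 8                      # minimum password length stated in the table
_HEX = re.compile(r"[0-9A-Fa-f]+")


def audit_receiver(r):
    """Return findings for one trap receiver; an empty list means nothing to fix."""
    findings = []
    rtype = r.get("type")
    if rtype in ("v1", "v2c"):
        findings.append(f"{rtype}: community string travels in cleartext, prefer a v3 receiver")
        if r.get("community", "").lower() in ("public", "private"):
            findings.append("community is a well-known default name")
        return findings
    if rtype != "v3":
        return [f"unknown receiver type {rtype!r}"]

    level = r.get("security_level", "No Auth")        # No Auth is the default
    if level == "No Auth":
        return ["security level No Auth: traps are neither authenticated nor encrypted"]
    if level not in ("Auth", "AuthPriv"):
        return [f"unknown security level {level!r}"]

    proto = r.get("auth_protocol", "MD5")             # MD5 is the default
    if proto not in KEY_HEX_DIGITS:
        findings.append(f"unknown authentication protocol {proto!r}")
    elif proto == "MD5":
        findings.append("authentication protocol MD5: select SHA")

    password, key = r.get("auth_password"), r.get("auth_key")
    if password is None and key is None:
        findings.append("no authentication password or key supplied")
    if password is not None and len(password) < MIN_PASSWORD_LEN:
        findings.append("authentication password is shorter than eight characters")
    if key is not None and proto in KEY_HEX_DIGITS:
        want = KEY_HEX_DIGITS[proto]
        if len(key) != want or not _HEX.fullmatch(key):
            findings.append(f"{proto} key must be {want} hexadecimal digits")

    if level == "Auth":
        findings.append("security level Auth: trap contents are not encrypted")
    elif r.get("privacy_protocol") == "DES":
        findings.append("privacy protocol DES: select AES")
    return findings


# Constructed sample receivers, from weakest to hardened.
LEGACY = {"type": "v2c", "community": "public"}
V3_DEFAULTS = {"type": "v3", "remote_user": "trapuser"}
V3_WEAK = {"type": "v3", "security_level": "AuthPriv", "auth_protocol": "MD5",
           "auth_password": "short", "privacy_protocol": "DES"}
V3_BAD_KEY = {"type": "v3", "security_level": "AuthPriv", "auth_protocol": "SHA",
              "auth_key": "ab" * 16, "privacy_protocol": "AES"}
V3_HARDENED = {"type": "v3", "security_level": "AuthPriv", "auth_protocol": "SHA",
               "auth_key": "ab" * 20, "privacy_protocol": "AES"}

if __name__ == "__main__":
    for name, rx in [("legacy", LEGACY), ("v3 defaults", V3_DEFAULTS), ("v3 weak", V3_WEAK),
                     ("v3 bad key", V3_BAD_KEY), ("v3 hardened", V3_HARDENED)]:
        print(name, "->", audit_receiver(rx) or "ok")
```
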
Configuring SNMPv3
SNMPv3 provides additional authentication and access control for message security. For example, you can verify the identity of the SNMP entity (manager or agent) sending the message.
RiOS supports SNMPv3 message encryption for increased security.
Using SNMPv3 is more secure than SNMPv1 or v2; however, it requires more configuration steps to provide the additional security features.
Basic steps
1. Create the SNMP-server users. Users can be authenticated using either a password or a key.
2. Configure SNMP-server views to define which part of the SNMP MIB tree is visible.
3. Configure SNMP-server groups, which map users to views, allowing you to control who can view what SNMP information.
4. Configure the SNMP-server access policies that contain a set of rules defining access rights. Based on these rules, the entity decides how to process a given request.
To create users for SNMPv3
1. Choose Administration > System Settings: SNMP v3 to display the SNMP v3 page.
SNMP v3 page
2. Under Users, complete the configuration as described in this table.
Control
Description
Add a New User
Displays the controls to add a new user.
User Name
Specify the username.
Authentication Protocol
Select an authentication method from the drop-down list:
MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.
SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Authentication
Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Password/Password Confirm
Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
Use Privacy Option
Select to use SNMPv3 encryption.
Privacy Protocol
Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm.
Privacy
Select Same as Authentication, Supply a Password, or Supply a Key to use while authenticating users. The default setting is Same as Authentication.
Privacy Password
(Appears only when you select Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Privacy Password Confirm text box.
Key
(Appears only when you select Supply a Key.) Specify a unique authentication key. The key is an MD5 or SHA-1 digest created using md5sum or sha1sum.
MD5/SHA Key
(Appears only when you select Supply a Key.) Specify a unique authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Add
Adds the user.
Remove Selected
Select the check box next to the name and click Remove Selected.
3. Click Save to save your settings permanently.
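The MD5/SHA Key fields for trap receivers and for SNMPv3 users take only the hexadecimal digest, while md5sum and sha1sum print the digest followed by a file name. The following added example, which is not part of the original guide, generates a key from random bytes and normalizes pasted tool output. The function names are hypothetical, and it assumes the digest type must match the selected authentication protocol.

```python
import hashlib
import re
import secrets

# Hex-digit lengths stated in the MD5/SHA Key control descriptions.
KEY_LENGTHS = {32: "MD5", 40: "SHA"}
_HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}

def new_key(protocol):
    """Digest 32 random bytes, like `head -c 32 /dev/urandom | sha1sum`."""
    return _HASHES[protocol](secrets.token_bytes(32)).hexdigest()

def normalize_key(pasted, protocol):
    """Return the bare lowercase hex key, or raise ValueError with the reason."""
    # md5sum and sha1sum print "<digest>  <file name or ->"; keep the digest only.
    fields = pasted.split()
    if not fields:
        raise ValueError("no key supplied")
    digest = fields[0].lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("key contains non-hexadecimal characters")
    found = KEY_LENGTHS.get(len(digest))
    if found is None:
        raise ValueError(f"{len(digest)} hex digits is neither MD5 (32) nor SHA (40)")
    if found != protocol:
        # Assumption: the key type must match the selected authentication protocol.
        raise ValueError(f"{found} digest supplied for a {protocol} user")
    return digest
```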
SNMP authentication and access control
The features in this page apply to SNMPv1, v2c, and v3 unless noted otherwise:
Security Names - Identify an individual user (v1 or v2c only).
Secure Groups - Associate a security name and security model with a group, which is referred to by a group name.
Secure Views - Create a custom view using the VACM that controls who can access which MIB objects under agent management by including or excluding specific OIDs. For example, some users have access to critical read-write control data, while some users have access only to read-only data.
Security Models - A security model identifies the SNMP version associated with a user for the group in which the user resides.
Secure Access Policies - Define who gets access to which type of information. An access policy is composed of <group-name, security-model, security-level, read-view-name>.
read-view-name is a preconfigured view that applies to read requests by this security-name.
write-view-name is a preconfigured view that applies to write requests by this security-name.
notify-view-name is a preconfigured view that applies to write requests to this security-name.
An access policy is the configurable set of rules, based on which the entity decides how to process a given request.
To set secure usernames
1. Choose Administration > System Settings: SNMP ACLs to display the SNMP ACLs page.
SNMP ACLs page - Security Names
2. Under Security Names, complete the configuration as described in this table.
Control
Description
Add a New Security Name
Displays the controls to add a security name.
Security Name
Specify a name to identify a requestor allowed to issue gets and sets (v1 and v2c only). The specified requestor can make changes to the view-based access-control model (VACM) security name configuration.
This control doesn’t apply to SNMPv3 queries. To restrict v3 USM users from polling a particular subnet, use the RiOS Management ACL feature, located in the Administration > Security: Management ACL page.
Traps for v1 and v2c are independent of the security name.
Community String
Specify the password-like community string to control access. Use a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the SteelHead.
Community strings don’t allow printable 7-bit ASCII characters, except for white spaces. Also, the community strings can’t begin with a pound sign (#) or a hyphen (-).
If you specify a read-only community string (located in the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and allows users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string.
To create multiple SNMP community strings on a SteelHead, leave the default public community string and then create a second read-only community string with a different security name. Or, you can delete the default public string and create two new SNMP ACLs with unique names.
Source IP Address and Mask Bits
Specify the host IPv4 or IPv6 address and mask bits to which you permit access using the security name and community string.
Add
Adds the security name.
Remove Selected
Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
To set secure groups
1. Choose Administration > System Settings: SNMP ACLs to display the SNMP ACLs page.
SNMP ACLs page - Groups
Control
Description
Add a New Group
Displays the controls to add a new group.
Group Name
Specify a group name.
Security Models and Name Pairs
Click the + button and select a security model from the drop-down list:
v1 or v2c - Displays another drop-down list. Select a security name.
v3 (usm) - Displays another drop-down list. Select a user.
To add another Security Model and Name pair, click the plus sign (+).
Add
Adds the group name and security model and name pairs.
Remove Selected
Select the check box next to the name and click Remove Selected.
2. Click Save to save your settings permanently.
To set secure views
1. Choose Administration > System Settings: SNMP ACLs to display the SNMP ACLs page.
SNMP ACLs page - Views
2. Under Views, complete the configuration as described in this table.
Control
Description
Add a New View
Displays the controls to add a new view.
View Name
Specify a descriptive view name to facilitate administration.
Includes
Specify the Object Identifiers (OIDs) to include in the view, separated by commas. For example, .1.3.6.1.4.1. By default, the view excludes all OIDs.
You can specify .iso or any subtree or subtree branch.
You can specify an OID number or use its string form. For example, .iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model
Excludes
Specify the OIDs to exclude in the view, separated by commas. By default, the view excludes all OIDs.
Add
Adds the view.
Remove Selected
Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
To add an access policy
1. Choose Administration > System Settings: SNMP ACLs to display the SNMP ACLs page.
SNMP ACLs page
2. Under Access Policies, complete the configuration as described in this table.
Control
Description
Add a New Access Policy
Displays the controls to add a new access policy.
Group Name
Select a group name from the drop-down list.
Security Level
Determines whether a single atomic message exchange is authenticated. Select one of these from the drop-down list:
No Auth - Doesn’t authenticate packets and doesn’t use privacy. This is the default setting.
Auth - Authenticates packets but doesn’t use privacy.
AuthPriv - Authenticates packets and uses AES or DES to encrypt messages for privacy.
A security level applies to a group, not to an individual user.
Read View
Select a view from the drop-down list.
Add
Adds the policy to the policy list.
Remove Selected
Select the check box next to the name and click Remove Selected.
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
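The security names, groups, views, and access policies configured above combine into one read decision per request. The following added example, which is not part of the original guide or of RiOS, models that decision with a constructed configuration. It assumes the standard VACM rule (RFC 3415) that the longest matching subtree decides and that a policy's security level is a minimum; all names are hypothetical and only numeric OIDs are handled.

```python
from dataclasses import dataclass, field

LEVELS = {"noauth": 0, "auth": 1, "authpriv": 2}

def parse_oid(text):
    """'.1.3.6.1.4.1' -> (1, 3, 6, 1, 4, 1); numeric OIDs only."""
    return tuple(int(part) for part in text.strip(".").split("."))

@dataclass
class View:
    includes: list = field(default_factory=list)
    excludes: list = field(default_factory=list)

    def allows(self, oid):
        """Longest matching subtree decides; with no match the OID is excluded."""
        target = parse_oid(oid)
        best_len, allowed = -1, False
        # Excludes are checked first so that an equal-length tie fails closed.
        rules = [(s, False) for s in self.excludes] + [(s, True) for s in self.includes]
        for subtree, verdict in rules:
            prefix = parse_oid(subtree)
            if target[:len(prefix)] == prefix and len(prefix) > best_len:
                best_len, allowed = len(prefix), verdict
        return allowed

# Constructed sample configuration; 99999 is a placeholder enterprise number.
VIEWS = {"appliance-ro": View(includes=[".1.3.6.1.4.1"],
                              excludes=[".1.3.6.1.4.1.99999.2"])}
# (security model, user or security name) -> group name
GROUPS = {("usm", "noc-monitor"): "noc", ("v2c", "legacy-poller"): "legacy"}
# (group name, security model) -> (minimum security level, read view)
POLICIES = {("noc", "usm"): ("authpriv", "appliance-ro")}

def can_read(model, name, level, oid):
    """Walk name -> group -> access policy -> view; deny at the first miss."""
    group = GROUPS.get((model, name))
    policy = POLICIES.get((group, model))
    if policy is None:
        return False          # unknown name, or group without a policy
    min_level, view_name = policy
    if LEVELS[level] < LEVELS[min_level]:
        return False          # e.g. an Auth request against an AuthPriv policy
    return VIEWS[view_name].allows(oid)
```

A group with no access policy, such as the constructed "legacy" group, can read nothing, and an OID outside every included subtree is denied because a view excludes all OIDs by default.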
Enabling communication with host hypervisor
This feature is available only in Virtual Edge on Hyper-V deployments.
You can monitor host hypervisor version, connectivity, and system resources (CPU and memory) allocated to the Virtual Edge VM on Hyper-V. Virtual Edge communicates with Hyper-V through the Windows Remote Management (WinRM) protocol. WinRM is enabled during Virtual Edge installation. Do not disable WinRM.
Host hypervisor credentials
To enable communication between Virtual Edge and Hyper-V, add the host hypervisor credential details such as hostname, username, and password in Virtual Edge.
To add host hypervisor credentials
1. In the Management Console, choose Administration > Host Hypervisor: Configuration to display the Host Credentials page.
Host Credentials page
2. Specify the hostname of the host hypervisor.
3. Specify the username and password.
4. Click Save to save the host hypervisor details.
The host hypervisor connectivity status is displayed in the Credentials pane.
5. Optional: Click Refresh to refresh the information obtained from the host hypervisor.
Host hypervisor alarms
The host hypervisor alarms are available only in Virtual Edge on Hyper-V deployments.
Host hypervisor alarms are raised during system errors and high usage of resources. To view and monitor the alarms, add the hypervisor details and enable communication between Virtual Edge and Hyper-V. You can set the alarms in the Administration > System Settings: Alarms page. Enabling alarms is optional. For more information about enabling the alarms, see the SteelFusion Edge User Guide.
To view and monitor host hypervisor alarms
In the Management Console, choose Administration > Host Hypervisor: Alarms to display the Alarms page.
The hypervisor alarms are listed in the Alarms page with their corresponding status. You can also choose Administration > Diagnostics: Alarm Status to display the Alarms page and view these alarms under the Host Hypervisor section.
Alarms page
The table summarizes the alarms displayed in the Alarms page.
Control
Description
CPU
Indicates whether or not the CPU capacity and cores reserved for the Virtual Edge VM hosted on Hyper-V are sufficient to support Virtual Edge operations.
Host Connection
Indicates whether or not the connectivity to the host Hyper-V is established with the Virtual Edge VM. The reason for connection failure is specified in the alarm description.
Host Hypervisor Version
Indicates whether or not the host hypervisor is running an OS version that is supported by Virtual Edge.
Memory
Indicates whether or not the memory reserved for the Virtual Edge VM hosted on Hyper-V is sufficient to support Virtual Edge operations. The alarm is also raised if the memory allocation is dynamic.