000037108 - RSA NetWitness 11.x 10g card RMA for Series 5 Decoder

Document created by RSA Customer Support Employee on Apr 8, 2019
Version 1

Article Content

Article Number: 000037108
Applies To: RSA Product Set: NetWitness Logs and Packets
RSA Product/Service Type: NetWitness 11.1.x, 11.2.x
Series 5 Decoder with 4 port 10g card
 
Issue: When replacing the 10g card, the MAC IDs that are presently stored in the O/S become obsolete and must be changed to represent the new MAC IDs. However, the device is not immediately accessible via SSH. The only option to access the device is via iDRAC. The onboard ethernet ports will not be in use, because the 10g card contains the ethernet ports.



 
 


 
Cause: The 10g RMA caused all ethernet and fiber ports to be inaccessible due to MAC ID changes.
 
Resolution
  1. Make note of the MAC IDs contained within: /etc/udev/rules.d/71-biosdevname.rules

    [root@packetdecoder]# cat /etc/udev/rules.d/71-biosdevname.rules

  2. Log into the iDRAC and make note of the MAC IDs contained within 'Network'. The MAC IDs are displayed when you expand each '+' next to the interface name.
     
  3. Use 'dmesg' and grep for the iDRAC MAC ID to find the naming format, likely defaulted to eth0 and eth1.

    [root@packetdecoder]# dmesg | grep ec:f4:bb
    [    3.112017] igb 0000:06:00.0: eth0: (PCIe:5.0Gb/s:Width x2) ec:f4:bb:ee:f5:cc
    [    3.176824] igb 0000:06:00.1: eth1: (PCIe:5.0Gb/s:Width x2) ec:f4:bb:ee:f5:cd
    [    3.440435] ixgbe 0000:01:00.0: ec:f4:bb:ee:f5:c8
    [    3.975410] ixgbe 0000:01:00.1: ec:f4:bb:ee:f5:ca

  4. Create /etc/sysconfig/network-scripts/ifcfg-eth0. You will need to remove the UUID line, or the O/S will not know there was a change.

    [root@packetdecoder]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
    # Generated by NetWitness netconfig
    TYPE=Ethernet
    NAME=eth0
    #UUID=
    DEVICE=eth0
    PEERDNS=no
    PEERROUTES=yes
    HWADDR=ed:b4:ab:cd:a5:ce <= (replace this MAC ID with ec:f4:bb:ee:f5:cc)
    BOOTPROTO=static
    IPADDR=10.25.53.38
    NETMASK=255.255.255.0
    GATEWAY=10.25.53.1
    NM_CONTROLLED=no
    ONBOOT=yes

  5. Bring 'eth0' interface online.

    [root@packetdecoder]# ifup eth0

  6. SSH to the decoder device.
  7. Use 'ifconfig -a' to determine which ethernet connection matches the MAC address.

    [root@packetdecoder]# ifconfig -a
    em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.25.53.32  netmask 255.255.255.0  broadcast 10.25.53.255
            inet6 fe80::eef4:bbff:feee:500c  prefixlen 64  scopeid 0x20<link>
            ether ec:f4:bb:ee:f5:cc  txqueuelen 1000  (Ethernet)
            RX packets 397361305  bytes 33709639271 (31.3 GiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2646334558  bytes 3871027297212 (3.5 TiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
            device memory 0x91f80000-91ffffff

  8. Also, when modifying ifcfg-em* files, delete the UUID line; otherwise, the O/S doesn't know the hardware changed.

    [root@packetdecoder]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
    # Generated by NetWitness netconfig
    TYPE=Ethernet
    NAME=eth0
    #UUID LINE REMOVED
    DEVICE=eth0
    PEERDNS=no
    PEERROUTES=yes
    HWADDR=ed:b4:ab:cd:a5:ce <= (replace this MAC ID with ec:f4:bb:ee:f5:cc)
    BOOTPROTO=static
    IPADDR=10.25.53.38
    NETMASK=255.255.255.0
    GATEWAY=10.25.53.1
    NM_CONTROLLED=no
    ONBOOT=yes

  9. Edit each of the following files using the process above (please keep in mind that em2-4 may be substituted for another label such as eth1-3):

            /etc/sysconfig/network-scripts/em2
            /etc/sysconfig/network-scripts/em3
            /etc/sysconfig/network-scripts/em4
  10. Reinstall pfring using the following sequence. Ensure that the filename is correct including the version information or it may not remove correctly.  

    [root@packetdecoder]# rpm -qa | grep pfring
    pfring-dkms-6.5.0.14-14.noarch
    [root@packetdecoder]# yum remove pfring.xx.xx.x.noarch (your version may be different)
    [root@packetdecoder]# reboot
    [root@packetdecoder]# yum install pfring.xx.xx.x.noarch
    [root@packetdecoder]# reboot

  11. In this specific instance the naming convention em1, em2, em3, em4 will remain the same. You are only changing the old MAC ID to the new MAC ID. You may be asking, "Why are you replacing the MAC ID and not the name?" When the new card is inserted, it automatically defaults to eth0, eth1, eth2, eth3. In this instance, you are modifying the file so that you can keep the previous naming convention. Why is that important? In the NetWitness capture configuration, you may have already set em3 and em4 as your capture ports in 'Explore' view. However, your configuration may be unique; use this suggestion as a guide, not as a requirement. Use WinSCP, again, to modify this file:

    [root@packetdecoder]# vi 71-biosdevname.rules
    ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:50:0c", NAME="eth0"
    ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:50:0d", NAME="eth1"
    ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:50:08", NAME="eth2"
    ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:50:0a", NAME="eth3"
                                                       

         ...changes to:


    [root@packetdecoder]# vi 71-biosdevname.rules
    ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:f5:cc", NAME="em1"
    ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:f5:cd", NAME="em2"
    ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:f5:c8", NAME="em3"
    ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:f5:ca", NAME="em4"


  12. Reboot
  13. Test capture.
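
A pre-reboot check for the edits in steps 4 to 11, as an added example that is not part of the original RSA article: it lists any MAC still referenced in the udev rules or ifcfg files that the hardware does not report, and any ifcfg file with an active UUID line. The function names and the sample files (built in a temporary directory) are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency check to run from the iDRAC console before rebooting.
# Arguments are paths, so it can be run against copies of the files.

# Print "file: mac" for every MAC in the udev rules file or ifcfg-* files that
# the hardware does not currently report; exit status 1 if any were found.
stale_macs() (
    rules=$1; ifcfg_dir=$2; present=$3; rc=0
    for f in "$rules" "$ifcfg_dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Ignore commented lines; take MACs only from ATTR{address}== and HWADDR=
        for mac in $(grep -v '^[[:space:]]*#' "$f" |
                     grep -Eio '(ATTR\{address\}=="|HWADDR=)([0-9a-f]{2}:){5}[0-9a-f]{2}' |
                     grep -Eio '([0-9a-f]{2}:){5}[0-9a-f]{2}$'); do
            if ! grep -qixF "$mac" "$present"; then
                echo "${f##*/}: $mac"
                rc=1
            fi
        done
    done
    [ "$rc" -eq 0 ]
)

# Print ifcfg-* files that still carry an active UUID= line (steps 4 and 8).
uuid_left() {
    grep -l '^[[:space:]]*UUID=' "$1"/ifcfg-* 2>/dev/null
}

# Constructed sample: the new MACs from the dmesg output above, one corrected
# ifcfg file and one still holding the old HWADDR and a UUID (made-up value).
demo=$(mktemp -d)
mkdir "$demo/ns"
# On the decoder this list would come from: cat /sys/class/net/*/address
printf '%s\n' ec:f4:bb:ee:f5:cc ec:f4:bb:ee:f5:cd ec:f4:bb:ee:f5:c8 ec:f4:bb:ee:f5:ca > "$demo/present"
cat > "$demo/rules" <<'EOF'
ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:f5:cc", NAME="em1"
ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="ec:f4:bb:ee:f5:cd", NAME="em2"
EOF
printf 'DEVICE=em1\n#UUID=\nHWADDR=ec:f4:bb:ee:f5:cc\n' > "$demo/ns/ifcfg-em1"
printf 'DEVICE=em2\nUUID=00000000-0000-0000-0000-000000000000\nHWADDR=ed:b4:ab:cd:a5:ce\n' > "$demo/ns/ifcfg-em2"

stale_macs "$demo/rules" "$demo/ns" "$demo/present" || echo "fix the entries above before rebooting"
uuid_left "$demo/ns" || true
```

On the decoder, point the three arguments of `stale_macs` at /etc/udev/rules.d/71-biosdevname.rules, /etc/sysconfig/network-scripts, and a file holding the output of `cat /sys/class/net/*/address`.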

     
