Article Number | 000032351 |
Applies To | RSA Product Set: Security Analytics RSA Product/Service Type: Decoder RSA Version/Condition: 10.6.x, 11.4.x Platform: CentOS O/S Version: EL6 |
Issue | A 10g fiber card has just been added to a Security Analytics decoder. When attempting to capture on the decoder, the following error is observed in /var/log messages, and capture will not start:
[PFRing] [failure] Failed to create cluster [PFRing] [failure] Throw in function virtual void nw:: {anonymous}::CaptureDevicePFRINGZC::open(size_t, nw::uint32, const string&)Dynamic exception type: boost::exception_details:clone_implstd::exception::what: Failed to create cluster105, “No buffer space available” [boost::errinfo_at_line_*]=322
This occurs even after confirming that the card is present using the lspci command, and that cards are present under the pf_ring driver with the lsmod command.
The pf_ring driver shows in lsmod, and a tcpdump shows traffic. |
Cause | The issue occurs because the pf_ring driver RPM was installed out of order with a BIOS or other OS update. |
Resolution | To resolve the issue, follow the steps below.
yum install pfring
- Connect to the Decoder appliance via SSH as the root user.
- Uninstall the pf_ring driver.
- RSA Security Analytics 10.6.x:
rpm -e pfring
RSA NetWitness 11.4.x:
rpm -e pfring-dkms
- Remove the /etc/pf_ring directory (if it still exists)
- Reboot the Decoder appliance.
reboot
- Re-install the pf_ring driver. RSA Security Analytics 10.6.x
yum install pfring
RSA NetWitness 11.4.x:
yum install pfring-dkms
- Reboot the appliance again.
- From the Security Analytics UI, perform the following sequence:
- From the Decoder's Explore view, right-click decoder and select Properties.
- In the properties drop-down menu, select reconfig,
- Enter the following parameters:
update=1 op=10g
- Click the Send button.
- Restart the nwdecoder service from the command-line. RSA Security Analytics 10.6.x
restart nwdecoder
RSA NetWitness 11.4.x
systemctl restart nwdecoder
If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance. |