| Article Number | 000032351 |
| Applies To | RSA Product Set: Security Analytics
RSA Product/Service Type: Decoder
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
|
| Issue | A 10g fiber card has just been added to a Security Analytics decoder. When attempting to capture on the decoder, the following error is observed in /var/log messages, and capture will not start:
[PFRing] [failure] Failed to create cluster [PFRing] [failure] Throw in function virtual void nw::
{anonymous}::CaptureDevicePFRINGZC::open(size_t, nw::uint32, const string&)Dynamic exception type:
boost::exception_details:clone_implstd::exception::what: Failed to create cluster105,
“No buffer space available” [boost::errinfo_at_line_*]=322
This occurs even after confirming that the card is present using the lspci command, and that cards are present under the pf_ring driver with the lsmod command.
The pf_ring driver shows in lsmod, and a tcpdump shows traffic. |
| Cause | The issue occurs because the pf_ring driver RPM was installed out of order with a BIOS or other OS update. |
| Resolution | To resolve the issue, follow the steps below.
- Connect to the Decoder appliance via SSH as the root user.
- Uninstall the pf_ring driver.
rpm -e pfring
- Remove the /etc/pf_ring directory (if it still exists)
- Reboot the Decoder appliance.
reboot
- Re-install the pf_ring driver.
yum install pfring
- Reboot the appliance again.
- From the Security Analytics UI, perform the following sequence:
- From the Decoder's Explore view, right-click decoder and select Properties.
- In the properties drop down menu, select reconfig,
- Enter the following parameters:
update=1 op=10g
- Click the Send button.
- Restart the nwdecoder service from the command-line.
restart nwdecoder
If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance. |
on Jun 14, 2016