Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000032351 - Unable to initialize capture with a new 10g card on an RSA Security Analytics Decoder

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support on Sep 16, 2020

Version 4Show Document

Like • Show 1 Like1
Comment • 0
View in full screen mode

Article Content

Article Number	000032351
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: Decoder RSA Version/Condition: 10.6.x, 11.4.x Platform: CentOS O/S Version: EL6
Issue	A 10g fiber card has just been added to a Security Analytics decoder. When attempting to capture on the decoder, the following error is observed in /var/log messages, and capture will not start: [PFRing] [failure] Failed to create cluster [PFRing] [failure] Throw in function virtual void nw:: {anonymous}::CaptureDevicePFRINGZC::open(size_t, nw::uint32, const string&)Dynamic exception type: boost::exception_details:clone_implstd::exception::what: Failed to create cluster105, “No buffer space available” [boost::errinfo_at_line_*]=322 This occurs even after confirming that the card is present using the lspci command, and that cards are present under the pf_ring driver with the lsmod command. The pf_ring driver shows in lsmod, and a tcpdump shows traffic.
Cause	The issue occurs because the pf_ring driver RPM was installed out of order with a BIOS or other OS update.
Resolution	To resolve the issue, follow the steps below. yum install pfring Connect to the Decoder appliance via SSH as the root user. Uninstall the pf_ring driver. RSA Security Analytics 10.6.x: rpm -e pfring RSA NetWitness 11.4.x: rpm -e pfring-dkms Remove the /etc/pf_ring directory (if it still exists) Reboot the Decoder appliance. reboot Re-install the pf_ring driver. RSA Security Analytics 10.6.x yum install pfring RSA NetWitness 11.4.x: yum install pfring-dkms Reboot the appliance again. From the Security Analytics UI, perform the following sequence: From the Decoder's Explore view, right-click decoder and select Properties. In the properties drop-down menu, select reconfig, Enter the following parameters: update=1 op=10g Click the Send button. Restart the nwdecoder service from the command-line. RSA Security Analytics 10.6.x restart nwdecoder RSA NetWitness 11.4.x systemctl restart nwdecoder If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance.

Attachments

Outcomes

0 Comments

Recommended Content