000032185 - Error message "Communication Fail" when adding a Concentrator to a Broker for aggregation in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 10Show Document
  • View in full screen mode

Article Content

Article Number000032185
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Concentrator, Hybrid Concentrator, Broker, Security Analytics UI
RSA Version/Condition: 10.4.x, 10.5.x 
Platform: CentOS
O/S Version: EL6
IssueWhen adding a Concentrator to a Broker for aggregation, after entering the credentials the error message "Communication Fail" is displayed.
CauseThis issue generally occurs due to one of the reasons below.
  • Too many index slices on the Concentrator
  • Network issues (e.g. firewall and/or routing problems)
This issue tends to occurs when a Concentrator has been re-imaged or replaced and needs to be added to the Broker again for aggregation.
When the Broker sends the initial "select/query" to scan/check the indexes, if there are too many (e.g. around 500+ slices) then it can cause that query from the Broker to time out on the Concentrator.
ResolutionIt is first necessary to check the index slices on the Concentrator.  
This can be done via the command line or via the Explore view in the Security Analytics UI.
Command Line
  1. Connect to the Concentrator via SSH as the root user.
  2. Issue the command below to get a count of the total files and folder.
    ll /var/netwitness/concentrator/index | wc -l

  3. If the result of the command above shows more than 500 files/folders the the old index needs to be rolled out or an index reset is required.
Security Analytics UI
  1. Log into the Security Analytics UI as a user with administrative permissions.
  2. Navigate to the Administration -> Services page.
  3. Click on the red Actions button for the Concentrator and click on View -> Explore.
  4. In the Explorer view, navigate to Index -> stats -> slices.total and verify the number.
To resolve the issue when a large number of slices are found, perform one of the options below.
Option 1
Perform a sizeRoll on the index which can be rolled out base on size, total space, or percentage.
Option 2 
Perform an index reset on the Concentrator.  This can take between 24 to 72 hours depending on the size of the database.
NOTE: When the re-indexing is in progress, no aggregation or investigation will be available.
Follow the steps below to perform an index reset via the command-line:
  1. Connect to the Concentrator via SSH as the root user.
  2. Stop the nwconcentrator service.
    stop nwconcentrator

  3. Delete all files and folders in the /var/netwitness/concentrator/index directory.
    rm -rf /var/netwitness/concentrator/index/*

  4. Start the nwconcentrator service again.
    start nwconcentrator

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.