000029086 - Decoders and concentrators frequently become unresponsive in RSA Security Analytics 10.4.0.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029086
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Decoder, Concentrator, Security Analytics UI
RSA Version/Condition: 10.4.0.0, 10.4.0.1, 10.4.0.2
Platform: CentOS
O/S Version: CentOS 6
IssueWhen selecting a decoder or concentrator on the Administration -> Services page in the Security Analytics UI and clicking on View -> Config or any other option, the device becomes unresponsive and the requested screen does not load.
In other instances, the requested page loads but the contents are missing or blank.
The /var/log/messages file displays errors similar to be example below, indicating that the puppet agent received an exception while generating the SSL key.
Line 558642: Oct  7 21:46:51 hostname puppet-agent[19786]: Caching certificate for ca
Line 558859: Oct  7 21:51:48 hostname puppet-agent[2710]: *Caught TERM; calling stop*
Line 558860: Oct  7 21:52:03 hostname puppet-agent[30863]: Reopening log files
Line 558873: Oct  7 21:52:15 hostname puppet-agent[30863]: Did not receive certificate

The /var/lib/netwitness/uax/logs/sa.log file displays errors similar to the following:
2014-10-03 20:05:00,937 [taskScheduler-6] WARN com.rsa.netwitness.carlos.clients.nextgen.nw.NwClientPipeBase - escalateduser@1.1.1.1:56004 timed out in receive(), closed: false, connection: true, queue: 0
2014-10-03 20:15:41,450 [NioProcessor-1091] ERROR com.rsa.netwitness.carlos.clients.nextgen.nw.NwClientPipeBase - Closing connection 1.1.1.2:56005: Connection timed out
java.io.IOException: Connection timed out
at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
at sun.nio.ch.IOUtil.read(IOUtil.java:197)
at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:273)
at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:44)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:690)
CauseThis issue, referred to as the TCP issue, occurs because Security Analytics does not have keepAlive or idle ping settings implemented for TCP connections to the device on the 5600x port.
ResolutionA permanent fix for this issue will be included in Security Analytics version 10.4.1.
A hotfix is also available for versions 10.4.0.1 and 10.4.0.2 to resolve the issue.
If you wish to obtain the hotfix, contact RSA Support and quote this article number for assistance.
WorkaroundA workaround to resolve this issue is to disable the TCP timeout functionality on the firewall, which will allow the appliances to continue to communicate as expected.

Attachments

    Outcomes