000030102 - The 10G Decoder is unable to capture traffic after upgrading to RSA Security Analytics 10.4.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000030102
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: 10G Decoder, Security Analytics UI
RSA Version/Condition: 10.4.1
Platform: CentOS
O/S Version: EL6
Issue: After upgrading the 10G Decoder from version 10.4.0.0 to 10.4.1 and rebooting the appliance, traffic is no longer being captured.
Even though capture has started on the Decoder service, the capture rate remains at zero.
When running the ifconfig command on the appliance, the p3p1 and p3p2 capture interfaces are no longer present, as shown in the example below.
[root@10gDecoder ~]# ifconfig
em1       Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:199455020 errors:0 dropped:0 overruns:0 frame:0
          TX packets:810884699 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14078204789 (13.1 GiB)  TX bytes:1183893355890 (1.0 TiB)
          Interrupt:35
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1327458 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1327458 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:204742354 (195.2 MiB)  TX bytes:204742354 (195.2 MiB)

Attempting to bring up one of the interfaces with the ifup p3p1 command fails, and entries similar to the following are logged in the /var/log/messages file:
Apr 21 15:05:02 10gDecoder dhclient[31159]: DHCPDISCOVER on p3p1 to 255.255.255.255 port 67 interval 7 (xid=0xcccbde0) 
Apr 21 15:05:09 10gDecoder dhclient[31159]: DHCPDISCOVER on p3p1 to 255.255.255.255 port 67 interval 12 (xid=0xcccbde0) 
Apr 21 15:05:21 10gDecoder dhclient[31159]: DHCPDISCOVER on p3p1 to 255.255.255.255 port 67 interval 17 (xid=0xcccbde0) 
Apr 21 15:05:38 10gDecoder dhclient[31159]: DHCPDISCOVER on p3p1 to 255.255.255.255 port 67 interval 12 (xid=0xcccbde0) 
Apr 21 15:05:50 10gDecoder dhclient[31159]: DHCPDISCOVER on p3p1 to 255.255.255.255 port 67 interval 9 (xid=0xcccbde0) 
Apr 21 15:05:59 10gDecoder dhclient[31159]: DHCPDISCOVER on p3p1 to 255.255.255.255 port 67 interval 4 (xid=0xcccbde0) 
Apr 21 15:06:03 10gDecoder dhclient[31159]: No DHCPOFFERS received. 
Cause: This issue occurs because the updated driver for the 10G Decoder (pfring-6.0.3-8598.2.6.32.504.1.3.el6.x86_64) requires kernel version 2.6.32-504.1.3.el6.x86_64 in order to function.
Although that kernel version is installed by the Q4 2014 Security Patch and is required for the upgrade to Security Analytics 10.4.1, it is not the kernel loaded by default when the appliance is rebooted.
Issuing the command uname -r on the appliance shows that a previous kernel version is still in use, as shown in the example below.
[root@10gDecoder ~]# uname -r
2.6.32-431.23.3.el6.x86_64
[root@10gDecoder ~]#
Resolution: To resolve the issue, the grubby-wrapper script found in the knowledgebase article entitled The default kernel in the grub boot loader configuration is not the latest on an RSA Security Analytics appliance must be executed on the appliance to configure grub to boot the new kernel. The appliance must then be rebooted so that the change takes effect and the new kernel is loaded.
Once the appliance has rebooted and the Decoder service has fully initialized, traffic should begin capturing as expected once again. The p3p1 and p3p2 interfaces will also be visible once again in the output of the ifconfig command.
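The following POSIX shell helper is an added example, not part of this article or of RSA Security Analytics. It turns the three manual checks above (which kernel the pfring driver package was built for versus the running kernel, which kernel grub will boot by default, and whether the p3p1/p3p2 capture interfaces exist) into functions that can be run on an appliance or against sample data. It assumes the pfring RPM name follows the pattern shown in this article, in which the kernel release's first hyphen is written as a dot; the function names, the sample grub.conf and the sample interface list are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the RSA article or of Security Analytics.
# It reproduces the three checks the article walks through by hand:
#   1. which kernel the pfring driver package was built for, versus the running one
#   2. which kernel grub will boot by default (grub.conf "default=" entry)
#   3. whether the expected capture interfaces (p3p1, p3p2) are present
# Assumption: the pfring RPM name follows the pattern in the article,
#   pfring-<ver>-<build>.<kernel release with its first hyphen replaced by a dot>,
# so "pfring-6.0.3-8598.2.6.32.504.1.3.el6.x86_64" encodes the kernel
# "2.6.32-504.1.3.el6.x86_64". Function names and sample data are constructed.

# Derive the kernel release a pfring package requires from its package name.
pfring_required_kernel() {
    pkg="$1"
    # Drop the "pfring-<version>-<build>." prefix, leaving the encoded kernel.
    enc=$(printf '%s\n' "$pkg" | sed -e 's/^pfring-[^-]*-[0-9]*\.//')
    # Restore the hyphen after the base version: 2.6.32.504... -> 2.6.32-504...
    printf '%s\n' "$enc" | sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)\./\1-/'
}

# Succeed (exit 0) only when the running kernel is the one the driver needs.
kernel_matches_driver() {
    running="$1"
    pkg="$2"
    [ "$running" = "$(pfring_required_kernel "$pkg")" ]
}

# Print the kernel release grub will boot by default. Takes the text of an
# EL6-style grub.conf; the "default=N" line selects the N-th (0-based) "kernel"
# stanza, whose second field is the /vmlinuz-<release> path.
grub_default_kernel() {
    printf '%s\n' "$1" | awk '
        /^default=/ { split($0, a, "="); def = a[2] + 0 }
        /^[[:space:]]*kernel[[:space:]]/ {
            if (n == def) { sub(/^.*\/vmlinuz-/, "", $2); print $2; exit }
            n++
        }'
}

# Succeed only when every named capture interface is in the interface list
# (one interface name per line); otherwise report the missing ones on stderr.
capture_ifaces_present() {
    iface_list="$1"
    shift
    missing=""
    for want in "$@"; do
        printf '%s\n' "$iface_list" | grep -qx "$want" || missing="$missing $want"
    done
    [ -z "$missing" ] || { echo "missing capture interfaces:$missing" >&2; return 1; }
}

# Constructed sample grub.conf mirroring the article's symptom: the 504 kernel
# is installed, but "default=1" still points grub at the older 431 kernel.
SAMPLE_GRUB_CONF='default=1
timeout=5
title CentOS (2.6.32-504.1.3.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-504.1.3.el6.x86_64 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-504.1.3.el6.x86_64.img
title CentOS (2.6.32-431.23.3.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.23.3.el6.x86_64 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-431.23.3.el6.x86_64.img'

# Constructed interface list taken from the article's ifconfig output.
SAMPLE_IFACES='em1
lo'

# Run all three checks against live appliance data when invoked with --live;
# otherwise the functions are only defined so the script can be sourced.
if [ "${1:-}" = "--live" ]; then
    pkg=$(rpm -q pfring 2>/dev/null || echo "pfring-not-installed")
    running=$(uname -r)
    echo "running kernel : $running"
    echo "pfring package : $pkg"
    echo "driver needs   : $(pfring_required_kernel "$pkg")"
    echo "grub default   : $(grub_default_kernel "$(cat /boot/grub/grub.conf 2>/dev/null)")"
    kernel_matches_driver "$running" "$pkg" || echo "kernel mismatch: grub is not booting the driver's kernel" >&2
    capture_ifaces_present "$(ip -o link show | awk -F': ' '{print $2}')" p3p1 p3p2
fi
```

Run with `sh check_decoder_kernel.sh --live` on the appliance. On a box in the state described above, the driver-needs line shows 2.6.32-504.1.3.el6.x86_64 while the running kernel and grub default both show 2.6.32-431.23.3.el6.x86_64, and the interface check reports p3p1 and p3p2 missing; after the grub default is corrected and the appliance rebooted, all three checks pass.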
