|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: 10G Decoder, Security Analytics UI
RSA Version/Condition: 10.4.1
O/S Version: EL6
|Issue||After upgrading the 10G Decoder from version 10.4.0.0 to 10.4.1 and rebooting the appliance, traffic is no longer being captured.|
Even though capture has started on the Decoder service, the capture rate remains at zero.
When running the ifconfig command on the appliance, the p3p1 and p3p2 interfaces no longer appear to be present, as shown in the example below.
[root@10gDecoder ~]# ifconfig
Attempting to bring up one of the interfaces with the ifup p3p1 command fails, and entries similar to the following are logged in the /var/log/messages file:
Apr 21 15:05:02 10gDecoder dhclient: DHCPDISCOVER on p3p1 to 255.255.255.255 port 67 interval 7 (xid=0xcccbde0)
|Cause||This issue occurs because the updated driver for the 10G Decoder (pfring-6.0.3-85220.127.116.11.504.1.3.el6.x86_64) requires kernel version 2.6.32-504.1.3.el6.x86_64 in order to function.|
Although this kernel version is installed with the Q4 2014 Security Patch and is required for the upgrade to Security Analytics 10.4.1, it is not loaded by default when the appliance is rebooted.
Issuing the command uname -r on the appliance will show that a previous version is still being used, as shown in the example below.
[root@10gDecoder ~]# uname -r
|Resolution||To resolve the issue, execute the grubby-wrapper script found in the knowledgebase article entitled "The default kernel in the grub boot loader configuration is not the latest on an RSA Security Analytics appliance" on the appliance to configure grub to use the new kernel when booting. The appliance must then be rebooted so that it boots using the new kernel.|
Once the appliance has rebooted and the Decoder service has fully initialized, traffic capture should resume as expected. The p3p1 and p3p2 interfaces will also be visible again in the output of the ifconfig command.
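
The check below is an added example, not RSA's grubby-wrapper script or any code from this article: it classifies the state described under Cause by comparing the running kernel, the grub default kernel and the installed kernel packages against the required version 2.6.32-504.1.3.el6.x86_64. The function name diagnose_kernel, its status words and the older kernel version in the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: is the kernel required by the 10.4.1 driver actually booted?
REQUIRED="2.6.32-504.1.3.el6.x86_64"   # version stated in the Cause section

# diagnose_kernel RUNNING GRUB_DEFAULT INSTALLED_LIST   (hypothetical helper)
#   RUNNING         output of: uname -r
#   GRUB_DEFAULT    output of: grubby --default-kernel   (/boot/vmlinuz-<version>)
#   INSTALLED_LIST  output of: rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'
# Prints exactly one status word and always returns 0.
diagnose_kernel() {
    running=$1
    default=${2##*/vmlinuz-}          # strip the /boot/vmlinuz- prefix
    installed=$3

    if [ "$running" = "$REQUIRED" ]; then
        echo OK                       # driver and kernel match
    elif ! printf '%s\n' "$installed" | grep -qxF "$REQUIRED"; then
        echo NOT_INSTALLED            # the required kernel package is missing
    elif [ "$default" = "$REQUIRED" ]; then
        echo REBOOT_NEEDED            # grub is correct, appliance not yet rebooted
    else
        echo GRUB_DEFAULT_STALE       # the condition this article describes
    fi
    return 0
}

# Constructed sample values (the older kernel version is not from the article)
# reproducing the faulty state: new kernel installed, old one still the default.
SAMPLE_OLD="2.6.32-431.el6.x86_64"
SAMPLE_INSTALLED="$SAMPLE_OLD
$REQUIRED"
diagnose_kernel "$SAMPLE_OLD" "/boot/vmlinuz-$SAMPLE_OLD" "$SAMPLE_INSTALLED"

# On an appliance, pass the live values instead:
#   diagnose_kernel "$(uname -r)" "$(grubby --default-kernel)" \
#       "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n')"
```

A result of GRUB_DEFAULT_STALE corresponds to the Resolution above; REBOOT_NEEDED means the grub change has been made but the appliance is still running the previous kernel.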