|Applies To||RSA Security Analytics|
RSA Security Analytics 10.3.3
RSA Security Analytics Decoder
|Issue||RSA Security Analytics 10.3 SP3 packet decoder drops packets when database hashing is enabled.|
After upgrading to RSA Security Analytics 10.3 SP3, the decoder begins dropping packets.
In Stats page of decoder service, Total Dropped is increasing and loss is > 0% currently.
Can monitor packet drops in decoder service's Explore mode.
|Cause||There are many possible causes.|
In Security Analytics 10.3 SP3, if database hashing is currently enabled there is a bug where on service restart, the integrity.flush always resets back to the value of sync.
This is resolved in Security Analytics 10.3 SP4.
Confirming database hashing is enabled:
In the Explore view for the decoder service, navigate to /database/config/.
If hash.algorithm is none then service is not hashing DB [full path: /database/config/hash.algorithm]
If hash.algorithm is md5 then database hashing is enabled.
Confirming that packet drops are due to integrity.flush setting
To temporarily change the value of integrity.flush and restart packet capture (without restarting service) to see if drops continue to occur:
In the Explore view for the decoder service, navigate to /database/config/
If integrity.flush=sync then change this back to the value of normal
|Resolution||To resolve the issue, either upgrade to Security Analytics 10.3 SP4 or disable database hashing if not absolutely necessary.|
Disabling database hashing:
In explore mode set /database/config/hash.algorithm to none
|Legacy Article ID||a67208|