000017666 - Dell R620 sensor not seeing traffic from Network Tap or SPAN Port. - RSA Data Loss Prevention (DLP)

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Article Number: 000017666
Applies To: RSA Data Loss Prevention (DLP)
This also applies to a sensor running on a virtual machine (verify that there are two virtual network adapters, per the DLP Network Deployment Guide).
Issue: Dell R620 sensor not seeing traffic from Network Tap or SPAN Port.
The output of tcpflowstats shows no traffic under Total Bytes. Example:
Total Bytes (nic: eth0) . . . . . . . . = 0
Total Packets(All) (nic: eth0). . . . . = 0

Modify the ifcfg-eth0 script with the following setting:

    Change TABLUS_LISTENER_INTERFACE=yes to TABLUS_LISTENER_INTERFACE=no

Modify the ifcfg-eth1 script values:

    Comment out the following values (example: #IPADDR, #GATEWAY, #NETMASK). Add the value PROMISC=yes, and change HWADDR= to the MAC address listed by the ifconfig -a command.

Reboot the sensor. When the system is back up, type tcpflowstats to check which NIC is being used.

Log on to the sensor as tablus, select option 6 (advanced), then option 1 (exit to shell).

su to root and change to the /etc/sysconfig/network-scripts/ directory.

Make a backup copy of the ifcfg-eth0 script, then make another copy of the file and name it ifcfg-eth1.
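
A check for the ifcfg-eth0 and ifcfg-eth1 edits described above, useful before rebooting the sensor. This is an added example, not RSA tooling or part of the original article; the function names are hypothetical, and the key spelling TABLUS_LISTENER_INTERFACE is assumed from the article text.

```shell
#!/bin/sh
# Added example (not RSA tooling): audit the ifcfg edits this article describes.
# Function names are hypothetical. Usage, as root on the sensor:
#   check_mgmt_ifcfg    /etc/sysconfig/network-scripts/ifcfg-eth0
#   check_capture_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth1 <MAC from ifconfig -a>

# Print the value of the last active (uncommented) KEY= line in an ifcfg file.
ifcfg_get() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# check_mgmt_ifcfg FILE: FILE is ifcfg-eth0, which the article sets to
# TABLUS_LISTENER_INTERFACE=no. Returns 0 only if that value is active.
check_mgmt_ifcfg() {
    if [ "$(ifcfg_get "$1" TABLUS_LISTENER_INTERFACE)" = "no" ]; then
        echo "OK: TABLUS_LISTENER_INTERFACE=no in $1"
    else
        echo "FAIL: set TABLUS_LISTENER_INTERFACE=no in $1"
        return 1
    fi
}

# check_capture_ifcfg FILE MAC: FILE is ifcfg-eth1, MAC is the address that
# ifconfig -a lists for eth1. Prints one line per finding; returns 0 if none.
check_capture_ifcfg() {
    file=$1 rc=0
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    # The addressing keys must be commented out on the capture interface.
    for key in IPADDR GATEWAY NETMASK; do
        if grep -Eq "^[[:space:]]*$key=" "$file"; then
            echo "FAIL: $key is still set; comment it out"; rc=1
        fi
    done
    if [ "$(ifcfg_get "$file" PROMISC)" != "yes" ]; then
        echo "FAIL: PROMISC=yes is missing"; rc=1
    fi
    # Compare MAC addresses case-insensitively.
    have=$(ifcfg_get "$file" HWADDR | tr 'a-f' 'A-F')
    if [ "$have" != "$want" ]; then
        echo "FAIL: HWADDR=$have does not match $want"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $file matches the capture settings"; fi
    return "$rc"
}
```

A commented-out key such as #IPADDR is treated as unset, so a file that still carries an active address is reported even when PROMISC and HWADDR are correct.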

