000034581 - 'ERROR: Server 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' not active' in RAR Service Output in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Dec 20, 2016. Last modified by RSA Customer Support Employee on Apr 24, 2017.
Version 3

Article Content

Article Number: 000034581
Applies To: RSA Product Set: NetWitness Endpoint
RSA Version/Condition: 4.1, 4.2
Platform: Windows
O/S Version: 2008 Server R2 Enterprise (64 bit), 2012 Server
Issue: When reviewing the RAR server output in the RelayServerOutput executable, certain errors are listed there for devices that are repeatedly sending UDP beacons:
UDP Beacon received from [:ffff:10.10.10.5]:50555!
19 01:28:23:0179 ERROR: Server 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' not active

From this sample message it can be seen that an IPv4 address (rendered in IPv6 notation) is beaconing to the RAR server, but the server it is listed against is reported as inactive.
Cause: There are two possible causes for this; investigation into what generates this message is ongoing.
  • The certificates/keys on the endpoint do not match what the RAR server expects.
  • The certificates/keys are correct, but the server the agent wishes to reach through the RAR server is no longer connected or has been decommissioned, so the server is unreachable over RabbitMQ.
Resolution
Troubleshooting Method

  1. The first step is to identify whether the agent in question is using the right package. To determine whether this is the case:
    • Check whether the agent is listed in the RSA ECAT UI. If it is not, reinstall the agent on the endpoint using the latest packager, ensure the endpoint is connected to the corporate network, and then check that it has direct connectivity to the Primary console server so it can re-download the RAR keys.
    • If the agent is listed in the console UI, the fix may be as simple as re-downloading the certificate keys. In the UI, open the Machines tab and select Roaming > Generate Encryption Key. If the machine is still off the network, it will need to connect to the corporate network (the machine will switch to online once it is connected) before this is done.
  2. If the server that the agent is connecting to has been decommissioned, this becomes a logistical issue. Several questions have to be answered:
    • Is the server the RAR is attempting to connect to no longer present, or has it been recommissioned to a new system? If yes, it is necessary to consider first which primary console server the RAR server should be using. This explains why the message repeats endlessly for each RAR agent: it beacons successfully, but cannot reach the primary console server its information is intended for.
    • Is the RAR connected to the same server, but the RAR itself has been recommissioned? If so, the agent will need to have its keys regenerated, which includes connecting directly to the primary again to re-download the keys as mentioned above.
    • Has a new primary or secondary been created and the RAR commissioned to it? If so, a new agent will need to be deployed and a new set of encryption keys sent to the agent as mentioned above.
Notes: It is important to understand that the error message itself is simply an indicator that the agent cannot access the target console server. The RAR is only a proxy server; it does not store data. The agent is unable to access the target console server, and hence an error is logged every time it attempts a UDP beacon to the RAR server.
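The two causes and the troubleshooting method above both hinge on how many agents are failing against the same console server ID. The following is an added triage script (not RSA's code) that reads RelayServerOutput text in the line shapes quoted in the Issue section, pairs each 'not active' error with the UDP beacon logged just before it, and groups the results by server ID; the heuristic in likely_cause and the sample log lines, GUIDs and addresses are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Line shapes quoted in the article; IPv4-mapped IPv6 accepted with 1 or 2 leading colons.
BEACON_RE = re.compile(r"UDP Beacon received from \[(?::{1,2}ffff:)?(?P<ip>[0-9.]+)\]:(?P<port>\d+)!")
ERROR_RE = re.compile(r"ERROR: Server '(?P<server>[^']+)' not active")

# Constructed sample RelayServerOutput text; GUIDs and addresses are placeholders.
SAMPLE_OUTPUT = """\
UDP Beacon received from [:ffff:10.10.10.5]:50555!
19 01:28:23:0179 ERROR: Server 'AAAAAAAA-0000-0000-0000-000000000001' not active
UDP Beacon received from [:ffff:10.10.10.6]:50212!
19 01:28:24:0011 ERROR: Server 'AAAAAAAA-0000-0000-0000-000000000001' not active
UDP Beacon received from [:ffff:10.10.10.7]:50300!
19 01:28:24:0412 ERROR: Server 'AAAAAAAA-0000-0000-0000-000000000001' not active
UDP Beacon received from [:ffff:10.10.20.9]:51001!
19 01:28:25:0077 ERROR: Server 'BBBBBBBB-0000-0000-0000-000000000002' not active
UDP Beacon received from [:ffff:10.10.10.5]:50555!
19 01:28:53:0180 ERROR: Server 'AAAAAAAA-0000-0000-0000-000000000001' not active
""".splitlines()


def parse_rar_output(lines):
    """Pair each 'not active' error with the UDP beacon logged just before it.
    Returns {server_id: {agent_ip: error_count}}."""
    by_server = defaultdict(lambda: defaultdict(int))
    last_ip = None
    for line in lines:
        beacon = BEACON_RE.search(line)
        if beacon:
            last_ip = beacon.group("ip")
            continue
        err = ERROR_RE.search(line)
        if err and last_ip is not None:
            by_server[err.group("server").upper()][last_ip] += 1
            last_ip = None
    return {server: dict(ips) for server, ips in by_server.items()}


def likely_cause(summary, agent_threshold=3):
    """Heuristic (an assumption, not from the article): many distinct agents failing
    against one server ID points at cause 2 (console decommissioned/unreachable);
    one or two agents point at cause 1 (key mismatch on those endpoints)."""
    verdicts = {}
    for server, ips in summary.items():
        if len(ips) >= agent_threshold:
            verdicts[server] = "console unreachable or decommissioned: check the RAR's primary console target"
        else:
            verdicts[server] = "key mismatch on %s: regenerate encryption key" % ", ".join(sorted(ips))
    return verdicts
```

Run it with `likely_cause(parse_rar_output(SAMPLE_OUTPUT))`, or feed it the lines of a saved RelayServerOutput capture in place of the constructed sample.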
