000034703 - Aggregation fails to start in Concentrator or Archiver due to sessionid gaps in RSA NetWitness 10.6.x

Document created by RSA Customer Support Employee on Jan 19, 2017
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000034703
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.6.X
 
Issue: When the Archiver/Concentrator has been offline for a certain time, aggregation fails to start because the expected session has already rolled over on the Decoder/Log Decoder.
The errors indicate a session gap, as shown below.
/var/log/messages:
Jan 5 13:33:40 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D:56004' requested session 1102239707 
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Jan 5 13:33:50 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D::56004' requested session 1102239707
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Jan 5 13:34:00 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D::56004' requested session 1102239707
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.


 
Cause: The Archiver or the Concentrator was expecting a sessionid that was no longer available on the Decoder or the Log Decoder because the session had already rolled out. It therefore logged "skipped sessions cannot be consumed" warnings, indicating that the expected session is no longer available.
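To confirm this condition from /var/log/messages, the following added example (not RSA's own code) parses the warning quoted above and summarizes it per device. The function name and the reading of "start session minus requested session" as the size of the gap are assumptions of this example.

```python
import re
from collections import OrderedDict

# Matches the Aggregation warning quoted in this article. The message may wrap
# onto a second line, and the device may be written host:port or host::port.
GAP_RE = re.compile(
    r"(?P<proc>Nw\w+)\[\d+\]: \[Aggregation\] \[warning\] "
    r"Device: '(?P<host>[^':]+):+(?P<port>\d+)' requested session (?P<req>\d+)\s+"
    r"but the server returned a start session of (?P<start>\d+)"
)

def find_session_gaps(log_text):
    """Return one summary per (process, device): IDs, gap size, repeat count."""
    gaps = OrderedDict()
    for m in GAP_RE.finditer(log_text):
        key = (m["proc"], f"{m['host']}:{m['port']}")
        req, start = int(m["req"]), int(m["start"])
        entry = gaps.setdefault(key, {"warnings": 0})
        # Assumption: the gap is the distance between the two session IDs.
        entry.update(requested=req, start=start, skipped=start - req)
        entry["warnings"] += 1
    return gaps

# Sample input: the warnings quoted in this article (wrapped as shown there),
# plus one constructed unrelated line that must be ignored.
SAMPLE = """\
Jan 5 13:33:40 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D:56004' requested session 1102239707 
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Jan 5 13:33:45 XXXX crond[1234]: (root) CMD (constructed unrelated line)
Jan 5 13:33:50 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D::56004' requested session 1102239707
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Jan 5 13:34:00 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D::56004' requested session 1102239707
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
"""

if __name__ == "__main__":
    for (proc, device), g in find_session_gaps(SAMPLE).items():
        print(f"{proc} <- {device}: requested {g['requested']}, "
              f"oldest available {g['start']}, gap {g['skipped']}, "
              f"seen {g['warnings']} times")
```

A warning that repeats with the same requested session every few seconds, as in the sample, shows that aggregation is stuck on the gap rather than progressing.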
Resolution: Follow the steps below to start aggregation.
1. Log in to the Decoder/Log Decoder using PuTTY.
2. Restart the service by running the commands below in sequence.
stop nwdecoder
start nwdecoder
Note: Change the keyword from nwdecoder to nwlogdecoder if you are aggregating from the Log Decoder.
4. Start aggregation from the Archiver/Concentrator -> Config page. Aggregation should now start.
 
