|Applies To||RSA Product Set: Security Analytics, NetWitness Logs and Packets|
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.6.2, 10.6.3, 10.6.4, 10.6.5, 11.x
O/S Version: 6
|Issue||After upgrading to RSA Security Analytics 10.6.2 / 11.x, the VLAN tags are no longer being captured.|
|Cause||Although the root cause has not yet been confirmed, it is suspected that the issue might be with the Linux kernel.|
This issue affects only Packet Decoders using 10G capture and the PFRING driver.
For reference on setting VLAN Fixup configurations (starting with v10.6.3) using packet_mmap capture, please refer to the article below in RSA Link:
NOTE: VLAN Fixup settings apply only to mmap, not pfring.
|Workaround||The workaround is to set rxvlan off and rx-vlan-filter off on the affected interfaces using ethtool as shown in the example below.|
To make the changes permanent and persistent across reboots, add the below lines in the /etc/sysconfig/network-scripts/ifcfg-<interface_name>:
NOTE: Ensure that the above lines are added once in the affected network interface's scripts after each upgrade/update.
To confirm the configuration changes persist after reboot:
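One way to script this confirmation, as an added example that is not taken from the original article: it parses `ethtool -k` output and reports whether the two features named in the workaround are off. The interface name `eth2` and the sample outputs are constructed, and it assumes the installed ethtool lists `rxvlan` under its long name `rx-vlan-offload`.

```shell
#!/bin/sh
# Added example (not from the article): apply and verify the VLAN offload
# workaround. Sample outputs below are constructed, not captured from a decoder.

SAMPLE_FIXED='Features for eth2:
rx-checksumming: on
rx-vlan-offload: off
tx-vlan-offload: on
rx-vlan-filter: off'

SAMPLE_REVERTED='Features for eth2:
rx-checksumming: on
rx-vlan-offload: on
tx-vlan-offload: on
rx-vlan-filter: on [fixed]'

# apply_workaround IFACE: the ethtool call the workaround describes.
apply_workaround() {
    ethtool -K "$1" rxvlan off rx-vlan-filter off
}

# feature_state NAME: read `ethtool -k` text on stdin and print the state of
# one feature: "on", "off", or "missing" if the feature is not listed.
feature_state() {
    awk -F': *' -v f="$1" '
        { gsub(/^[ \t]+/, "", $1) }                  # sub-features are indented
        $1 == f { split($2, v, " "); s = v[1]; found = 1 }   # drop "[fixed]"
        END { print (found ? s : "missing") }'
}

# vlan_workaround_ok: read `ethtool -k` text on stdin, print both feature
# states, and return 0 only when both read "off".
vlan_workaround_ok() {
    out=$(cat)
    rc=0
    for f in rx-vlan-offload rx-vlan-filter; do
        s=$(printf '%s\n' "$out" | feature_state "$f")
        printf '%s: %s\n' "$f" "$s"
        [ "$s" = "off" ] || rc=1
    done
    return $rc
}

# On a decoder, after a reboot (eth2 is a placeholder interface name):
#   ethtool -k eth2 | vlan_workaround_ok || echo "workaround not in effect"
```

A non-zero exit after a reboot or upgrade means the settings did not persist and the interface script should be rechecked.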