|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.0, 11.1
|Issue||Communication between a NetWitness Broker and Concentrator stops. The Concentrator goes offline and fails to reconnect to the Broker in the aggregation configuration.|
What does this mean? And how do you resolve this?
|Cause||The buffer that handles the queue for data processed from previous queries is full. This can occur often when there are no limits set and multiple large queries are left running and never complete.|
During an investigation, right-clicking an event and using "Open Event Analysis in new tab" starts a new query that does not automatically specify a size or threshold limit. If the time range selected in the investigation is all data, the query could fill up the buffer quickly.
|Resolution||We have created a hotfix in 220.127.116.11 that resolves the issue of unresponsive channels and closes them.|
NetWitness 11.2 had not been released at the time of writing this article. If you need this fix before then, please contact RSA Technical Support.
Check that the query timeout and threshold for the user role are not set to zero.
Also, make sure /sdk/config/max.where.clause.sessions is not set to zero.
|Workaround||You can restart the Concentrator and Broker services.|