000036673 - What does this mean in RSA NetWitness: Cannot add to transmit queue, too many attempts: 1001?

Document created by RSA Customer Support Employee on Sep 3, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036673
Applies ToRSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.0, 11.1
IssueCommunication between a NetWitness Broker and Concentrator stop.  The Concentrator goes offline and fails to reconnect to the broker in the aggregation configuration.

[Network] [failure] nw::Exception caught in NwServerSession::handleReadOperationViaThreadPool because (137) Cannot add to transmit queue, too many attempts: 1001

What does this mean?  And how do you resolve this?
CauseThe buffer that handles the queue for data processed from previous queries is full. This can occur often when there are no limits set and multiple large queries are left running and never complete.

During investigation when right-clicking events and using "Open Event Analysis in new tab" the new query does not auto specify a size or threshold limit. If the time range selected in an investigation is all data the query could fill up the buffer quickly.
ResolutionWe have created a hotfix in that resolves the issue of unresponsive channels and closes them.

NetWitness 11.2 has not been released in the time of writing this article, if you need this fix before this time please contact RSA Technical Support.

Check that the query timeout and threshold for the user role is not set to zero.

Also, make sure /sdk/config/max.where.clause.sessions is not set to zero.
WorkaroundYou can restart the concentrator and broker services.