IBM Support

IJ07872: QRADAR NETWORK INSIGHTS STOPS PROCESSING FLOWS, PACKETS DROPPED BY THE DECAPPER

APAR status

  • Closed as program error.

Error description

  • QRadar Network Insights can stop processing flows because
    packets are dropped by the decapper. This can occur when the
    out-of-order packet handling fails to detect the appropriate
    window scale for some valid traffic.
    
    Messages similar to the following might be visible in
    /var/log/qradar.error when this issue is occurring:
    <hostname> decapper: [] decapper.capture: [INFO] rtf3: [3] Packet Capture Stats 60 sec: (Read: Packets(0, 0/sec), Octets(0, 0/sec)) (Dropped: Packets(7406719, 122494/sec), Octets(4049537101, 66972511/sec))
    <hostname> decapper: [] decapper.capture: [INFO] rtf3: [3] Content Scan Stats 60 sec: Requests(0, 0/sec) Throttled(0, 0/sec) Filtered(0, 0/sec)
    <hostname> decapper: [] decapper.capture: [INFO] rtf3: [3] Flow Report Stats 60 sec: Std(0, 0/sec, 0 unique) Content(0, 0/sec) Dropped(0, 0/sec)
    <hostname> decapper: [] decapper.capture: [INFO] rtf1: [1] Packet Capture Stats 60 sec: (Read: Packets(3555582, 59046/sec), Octets(1910677428, 31730297/sec)) (Dropped: Packets(3244520, 53881/sec), Octets(1851156286, 30741840/sec))
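
    To check a log for this symptom, the following added example (not IBM code, not part of the APAR) parses the Packet Capture Stats messages shown above and classifies each rtfN label by how much it dropped. The 5% drop threshold, the function names and the rtf2 sample record are assumptions made for illustration.

```python
import re

# One "Packet Capture Stats" record; field layout taken from the messages above.
STATS_RE = re.compile(
    r"decapper\.capture: \[INFO\] (?P<label>\w+): \[\d+\] "
    r"Packet Capture Stats \d+ sec: "
    r"\(Read: Packets\((?P<read>\d+), \d+/sec\), Octets\(\d+, \d+/sec\)\) "
    r"\(Dropped: Packets\((?P<dropped>\d+), \d+/sec\), Octets\(\d+, \d+/sec\)\)"
)

def capture_stats(log_text):
    """Yield (label, read_packets, dropped_packets) per stats record."""
    flat = " ".join(log_text.split())  # rejoin records wrapped across lines
    for m in STATS_RE.finditer(flat):
        yield m["label"], int(m["read"]), int(m["dropped"])

def classify(read, dropped, max_drop_ratio=0.05):
    """Return 'stalled', 'dropping' or 'ok'; the 5% threshold is an assumption."""
    total = read + dropped
    if total == 0:
        return "ok"  # idle source, nothing captured or dropped
    if read == 0:
        return "stalled"  # everything dropped: the rtf3 symptom in this APAR
    return "dropping" if dropped / total > max_drop_ratio else "ok"

def triage(log_text, max_drop_ratio=0.05):
    """Map each rtfN label to the worst state seen in log_text."""
    rank = {"ok": 0, "dropping": 1, "stalled": 2}
    worst = {}
    for label, read, dropped in capture_stats(log_text):
        state = classify(read, dropped, max_drop_ratio)
        if rank[state] >= rank[worst.get(label, "ok")]:
            worst[label] = state
    return worst

# APAR messages as originally published (wrapped); the rtf2 record is constructed.
SAMPLE = """
<hostname> decapper: [] decapper.capture: [INFO] rtf3: [3]
Packet Capture Stats 60 sec: (Read: Packets(0, 0/sec),
Octets(0, 0/sec)) (Dropped: Packets(7406719, 122494/sec),
Octets(4049537101, 66972511/sec))
<hostname> decapper: [] decapper.capture: [INFO] rtf1: [1]
Packet Capture Stats 60 sec: (Read: Packets(3555582,
59046/sec), Octets(1910677428, 31730297/sec)) (Dropped:
Packets(3244520, 53881/sec), Octets(1851156286, 30741840/sec))
<hostname> decapper: [] decapper.capture: [INFO] rtf2: [2] Packet Capture Stats 60 sec: (Read: Packets(1200000, 20000/sec), Octets(600000000, 10000000/sec)) (Dropped: Packets(0, 0/sec), Octets(0, 0/sec))
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

    On a live system the same functions can be fed the contents of /var/log/qradar.error; a label that stays "stalled" across consecutive 60-second reports matches the behaviour described in this APAR.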
    

Local fix

  • No workaround available.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 731 Patch 5.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 731 Patch 5.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ07872

  • Reported component name

    QR INCIDENT FOR

  • Reported component ID

    5725QIFSW

  • Reported release

    730

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-07-17

  • Closed date

    2018-07-29

  • Last modified date

    2018-07-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QR INCIDENT FOR

  • Fixed component ID

    5725QIFSW

Applicable component levels

  • R731 PSY

       UP

Document Information

Modified date:
29 July 2018