IBM Support

IJ33287: ICMPV6 FLOW TRAFFIC DATA FROM QNI FAILS TO BE DISPLAYED AFTER PATCHING TO QRADAR 7.4.3 GA

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • ICMPv6 flow data from QRadar Network Insights fails to be
    displayed in QRadar searches after patching to QRadar 7.4.3 GA.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue occurs:
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]
    com.q1labs.ariel.searches.tasks.ArielQueryTaskBase: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception processing fil
    e:/store/ariel/flows/records/2021/3/5/13/flows~18_0~d3e271fa8ea
    44f9~bfeaa0b4316aba3c~0,skipped... executing
    query:Id:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2,
    DB:<flows@/store/ariel/flows/records,
    /store/ariel/flows/payloads>, Time:<21-03-05,13:07:00 to
    21-03-05,16:07:00>, progress details 100, data snapshot size 40,
    Sort order:<DisplayValueComparator[com.q1labs.core.types.format
    ters.FlowTypeFormatter@586036e],desc>,Criteria=((<TaggedField-20
    E):AnnBigFile1>AND <EndTime:[1614967620000,~)>) AND
    <EndTime:(~,1614978420000]>), MappingFactory=MappingFactoryImpl
    [com.q1labs.core.types.flow.mapping.FlowRecordMappingEx@1],Filte
    retentionTime=86400000,
    remoteServers=[localhost/127.0.0.1:32011], prio=NORMAL
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]
    java.lang.IllegalStateException: Potential mapping error. Array
    size: -30914 Max is 32767
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:8
    6)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:8
    0)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.core.types.networkevent.mapping.NetworkEventMappingUtils.r
    eadCustomRuleResultMap(NetworkEventMappingUtils.java:238)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.core.types.flow.mapping.FlowRecordMapping.readCustomRuleMa
    p(FlowRecordMapping.java:820)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowReco
    rdMapping.java:240)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMa
    pping.java:64)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMa
    pping.java:44)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at
    com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at
    com.q1labs.ariel.FileReader.read(FileReader.java:184)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.ariel.searches.service.ids.ArielFile$Crawler.nextRecord(Ar
    ielFile.java:32)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.ariel.searches.service.ids.ArielFile.next(ArielFile.java:2
    10)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.ariel.searches.service.ids.FilteredSource.next(FilteredSou
    rce.java:39)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:
    62)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBa
    se.java:72)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:
    74)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at com.q1
    labs.ariel.searches.tasks.ServiceTaskBase.run(ServiceTaskBase.j
    ava:48)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at java.u
    til.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
    java:1160)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at java.u
    til.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
    .java:635)
    [ariel_proxy.ariel_proxy_server]
    [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2]    at
    java.lang.Thread.run(Thread.java:822)
    

Local fix

  • No workaround available.
    
    APARs identified with no workaround may require a software
    delivery to resolve. This reported issue will be considered for
    a future release and administrators can subscribe to the APAR to
    get updates by clicking on the Subscribe button on the right
    side of this page or ask a question about this APAR in our
    Support Forums.
    https://ibm.biz/qradarforums
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.3 FixPack
    1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.3 FixPack
    1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ33287

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    743

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-06-17

  • Closed date

    2021-07-13

  • Last modified date

    2021-07-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"743"}]

Document Information

Modified date:
14 July 2021