IBM Support

QRadar Network Insights: Verifying network cabling is correct and receiving network traffic

Troubleshooting


Problem

Looking at the back panel of the QNI, there are multiple LAN connectors. How can you verify that the QNI network cabling is correct and is receiving flow data?

Resolving The Problem

  • Confirm that QRadar Network Insights (QNI) was installed as described in the Installation guide. The QNI back panel has multiple ports. The management ports are port 4 and port 6; they are used to replicate data between the QNI and the Console. Port 3 is reserved for the IMM remote management system.
  • The only ports that accept raw network traffic from a mirrored SPAN port or a network tap are the designated Napatech card ports. The Network Packet Capture Card is shown in Figure 1 and is listed as label 2 in the Figure 2 legend. On a stand-alone QNI appliance, all 4 ports are the same. If you are stacking the product, only 2 of the 4 ports receive traffic. Verify that you are sending decrypted raw network traffic to the QNI.
  • To cable stacked QNI 1920 appliances, refer to chapter 7, "Creating a Stack", of the Installation guide. QNI 1901 and 1910 appliances do not support stacking.
    Figure 1. Back panel of the QRadar Network Insights 1920 appliance

    Figure 2. Legend for use with the QRadar Network
    Label Description
    2 Network Packet Capture card (SFP/SFP+)
    3 IMM Port (1 GbE TX)
    4 Management ports (10 GbE SFP+)
    5 Cabled internally. Do not use these ports
    6 Management port (1 GbE TX)

    To test if the QNI is receiving data
    1. From the Console, SSH as the root user to the QNI.
    2. Type the command:  /opt/napatech3/bin/monitoring
      You should see a result similar to:

      Figure 3. napatech monitor with SFP type, Link status, and Tx values.
    3. If no traffic is displayed, check whether the Link column shows "Down" instead of "Full". Make sure you are using the correct small form-factor pluggable transceiver (SFP) part numbers. Refer to the Network capture transceivers section of the QRadar Network Insights 1920 article for the correct SFP.
    4. To determine the SFP part numbers, physically inspect the SFPs or use these commands to find out which SFP part numbers are in use:
      1. grep -i pn /var/log/messages
      2. zgrep -i pn /var/log/messages.*
    5. The output should look similar to: 
      ntservice: Port 3: NIM info: (Vendor: FINISAR CORP., PN: FTLX1471D3BCL, SN: xxxxxx)
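
The check in steps 4 and 5, as an added example that is not part of the IBM document: a shell script that reads log lines in the format shown in step 5, reports the part number most recently logged for each port, and lists ports whose part number is missing from an approved list. The function names, the sample lines, and the approved-list file (one part number per line, filled in from the transceiver section referenced in step 3) are assumptions.

```shell
#!/bin/sh
# Added example: summarise the SFP part number last reported for each Napatech port.
# Input: syslog lines on stdin in the "NIM info" format shown in step 5.

# Constructed sample lines (host name, timestamps, and the second vendor/PN are made up).
sample_log() {
cat <<'EOF'
Oct 17 17:01:02 qni1920 ntservice: Port 0: NIM info: (Vendor: FINISAR CORP., PN: FTLX1471D3BCL, SN: xxxxxx)
Oct 17 17:01:02 qni1920 ntservice: Port 1: NIM info: (Vendor: EXAMPLE OPTICS, PN: EX-PLACEHOLDER-1, SN: xxxxxx)
Oct 17 17:01:03 qni1920 kernel: unrelated message mentioning pn
Oct 18 09:12:40 qni1920 ntservice: Port 1: NIM info: (Vendor: FINISAR CORP., PN: FTLX1471D3BCL, SN: xxxxxx)
EOF
}

# Print "port<TAB>vendor<TAB>pn", one line per port, keeping the last entry read.
# Lines that merely contain "pn" (which grep -i pn also returns) are ignored.
sfp_by_port() {
  awk '
    /ntservice: Port [0-9]+: NIM info:/ {
      port = $0;   sub(/.*ntservice: Port /, "", port); sub(/:.*/, "", port)
      vendor = $0; sub(/.*\(Vendor: /, "", vendor);     sub(/, PN: .*/, "", vendor)
      pn = $0;     sub(/.*, PN: /, "", pn);             sub(/, SN: .*/, "", pn)
      seen[port] = vendor "\t" pn
    }
    END { for (p in seen) print p "\t" seen[p] }
  ' | sort -n
}

# Print "port<TAB>pn" for ports whose part number is not in the approved list.
# $1: hypothetical file with one approved part number per line.
unapproved_ports() {
  sfp_by_port | awk -F'\t' -v list="$1" '
    BEGIN { while ((getline line < list) > 0) ok[line] = 1 }
    !($3 in ok) { print $1 "\t" $3 }
  '
}

# Demo on the constructed sample.
sample_log | sfp_by_port
```

On the appliance, pipe the output of the zgrep command followed by the grep command from step 4 into sfp_by_port so that the current log is read last.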

    Document Location

    Worldwide


    Document Information

    Modified date:
    21 July 2022

    UID

    ibm11088782