IBM Support

QRadar: QRadar Packet Capture service cannot start or stop successfully

Troubleshooting


Problem

The most common cause of PCAP appliances not capturing packets is due to incompatible small form-factor pluggable (SFP) modules. When unsupported SFP modules are used with the QRadar Packet Capture appliance, driver limitations prevent services from starting successfully and 'failed to load because an unsupported SFP' errors are reported. This issue must be resolved by using the correct SFP or QSFP module for your appliance.

Symptom

To confirm the capture issue, review /var/log/messages directory for unsupported SFP kernel messages.
Jun 21 14:36:23 LABDMZ kernel: ixgbe 0000:0a:00.0: PCI INT A -> GSI 32 (level, low) -> IRQ 32
Jun 21 14:36:23 LABDMZ kernel: ixgbe 0000:0a:00.0: failed to load because an unsupported SFP+ or QSFP module type was detected.
Jun 21 14:36:23 LABDMZ kernel: ixgbe 0000:0a:00.0: Reload the driver after installing a supported module.
Jun 21 14:36:23 LABDMZ kernel: ixgbe 0000:0a:00.0: PCI INT A disabled
Jun 21 14:36:23 LABDMZ kernel: ixgbe 0000:0a:00.1: PCI INT B -> GSI 36 (level, low) -> IRQ 36
Jun 21 14:36:23 LABDMZ kernel: ixgbe 0000:0a:00.1: failed to load because an unsupported SFP+ or QSFP module type was detected.
Jun 21 14:36:23 LABDMZ kernel: ixgbe 0000:0a:00.1: Reload the driver after installing a supported module.
Jun 21 14:36:23 LABDMZ kernel: ixgbe 0000:0a:00.1: PCI INT B disabled

As a result of an unsupported SFP module, the capture service cannot successfully start. If you have a compatible SFP, but the capture service continues to be stopped, the license might be set to evaluation mode. For more information, see QRadar: Packet capture runs for 10 minutes and stops without errors.
 

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMU35","label":"IBM QRadar Network Packet Capture Software"},"ARM Category":[{"code":"a8m0z000000cwtcAAA","label":"Hardware"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
16 February 2022

UID

swg21998129

Page Feedback