Question & Answer
Question
Why are many QRadar network sockets on port 32006 in TIME_WAIT status?
Cause
The Console opens many sockets on port 32006, and they are in TIME_WAIT status. These open sockets can be waiting on localhost, Event Processors, Flow Processors, or Data Nodes that are not using encrypted connections.
Answer
For both user and backend process searches, QRadar leaves these connections in TIME_WAIT status even though the returned data might be complete. Hosts that have an encrypted connection do not show this symptom. TIME_WAIT sockets are working as designed.
The following command shows all connections on port 32006:
netstat -nalp | grep 32006
The sockets in TIME_WAIT status get cleaned up after they hit the timeout defined in the following files:
/etc/sysctl.conf
/proc/sys/net/ipv4/tcp_fin_timeout
The recommendation is to leave the timeout setting as is, so that your system stays close to the baseline that developers expect in the field.
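To see which peers account for the TIME_WAIT sockets described above, the netstat output can be grouped by state and peer address. This is an added example, not IBM code; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): summarise port 32006 sockets by state and peer.
PORT=32006

# Reads `netstat -nalp` output on stdin; prints "<count> <state> <peer address>".
summarize_port_sockets() {
    awk -v port="$PORT" '
        # Columns with -n: Proto Recv-Q Send-Q Local Foreign State PID/Program
        $1 ~ /^tcp/ {
            nl = split($4, loc, ":"); nf = split($5, rem, ":")
            # Compare the port field itself; a plain grep also matches
            # unrelated lines such as a process whose PID is 32006.
            if (loc[nl] != port && rem[nf] != port) next
            peer = $5; sub(/:[^:]*$/, "", peer)   # strip the peer port
            count[$6 " " peer]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2,2 -k1,1nr
}

# Total sockets on the port in the given state, e.g. count_state TIME_WAIT
count_state() {
    summarize_port_sockets | awk -v s="$1" '$2 == s { n += $1 } END { print n + 0 }'
}

# Constructed sample input (addresses and PIDs are made up).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32006           0.0.0.0:*               LISTEN      2145/java
tcp        0      0 10.0.0.10:32006         10.0.0.21:48112         TIME_WAIT   -
tcp        0      0 10.0.0.10:32006         10.0.0.21:48114         TIME_WAIT   -
tcp        0      0 127.0.0.1:51020         127.0.0.1:32006         TIME_WAIT   -
tcp        0      0 10.0.0.10:32006         10.0.0.22:40310         ESTABLISHED 2145/java
tcp        0      0 10.0.0.10:443           10.0.0.30:51000         ESTABLISHED 32006/httpd
EOF
}

sample_netstat | summarize_port_sockets
# On a live Console: netstat -nalp | summarize_port_sockets
```

Peers that appear only with TIME_WAIT counts are the localhost and managed-host connections the answer describes; the last sample line shows a match that `grep 32006` would include but that is not a port 32006 socket.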
Document Information
Modified date:
05 August 2022
UID
ibm16254399