IBM Support

QRadar: Troubleshooting RX packet dropped error notifications

Troubleshooting


Problem

QRadar Administrators receive system notifications regarding RX packets dropped.

Symptom

The trace of the issue can be found in the qradar.log file:
[hostcontext.hostcontext] [Thread-216] com.q1labs.hostcontext.sar.SarSentinel: [WARN] [NOT:0150124100][x.x.x.x/- -] [-/- -]
Dropped receive packets on interface ens192 has an average of 1.04 over the past 5 intervals, and has exceeded the configured threshold of 1.0. 
To resolve: Contact your system administrator. If your system continues to exhibit this behavior, contact Customer Support.

Cause

Incorrectly configured 'Ring' parameter or 'Large Receive Offload' parameter on the network interface.

Diagnosing The Problem

To check the current 'Ring' settings on the affected network interface:
  1. Use SSH to log in to the QRadar appliance as the root user.
  2. Run the following command:
    ethtool -g <interface>
    Example output:
    # ethtool -g ens192
    Ring parameters for ens192:
    Pre-set maximums:
    RX:         4096
    RX Mini:    2048
    RX Jumbo:   4096
    TX:         4096
    Current hardware settings:
    RX:         2048
    RX Mini:    128
    RX Jumbo:   256
    TX:         2048
    Result
    The output shows that RX is currently set to 2048, while the pre-set maximum is 4096.
To check the current 'Large Receive Offload' setting on the network interface that generates the RX packets dropped notifications:
  1. Use SSH to log in to the QRadar appliance as the root user.
  2. Run the following command:
    ethtool -k <interface>
    Example output:
    # ethtool -k ens192 | grep large-receive-offload
    large-receive-offload: on
    Result
    The output shows that 'Large Receive Offload' is set to on.
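
Both checks above can be scripted so the comparison does not depend on reading the output by eye. This is an added example, not IBM or QRadar code; the function names rx_ring_headroom, lro_state and sample_ethtool_g are hypothetical, and the sample input is the example output shown in this article.

```shell
#!/bin/sh
# Added example (not IBM's code): evaluate `ethtool` output read from stdin.

# Prints "<current RX> <maximum RX> <status>"; status is "raise" when the
# current ring is below the pre-set maximum, "at-max", or "unknown".
rx_ring_headroom() {
    awk '
        /Pre-set maximums:/          { section = "max"; next }
        /Current hardware settings:/ { section = "cur"; next }
        # $1 is "RX:" only on the plain RX line, not "RX Mini:" / "RX Jumbo:".
        $1 == "RX:" && section == "max" { max = $2 }
        $1 == "RX:" && section == "cur" { cur = $2 }
        END {
            # Some drivers report "n/a" or omit the value entirely.
            if (cur !~ /^[0-9]+$/ || max !~ /^[0-9]+$/) { print "- - unknown"; exit }
            print cur, max, (cur + 0 < max + 0 ? "raise" : "at-max")
        }'
}

# Prints the large-receive-offload state from `ethtool -k` output:
# "on", "off", or "unknown" when the feature line is absent.
lro_state() {
    awk '$1 == "large-receive-offload:" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# The example output shown above, reproduced as offline input.
sample_ethtool_g() {
    cat <<'EOF'
Ring parameters for ens192:
Pre-set maximums:
RX:         4096
RX Mini:    2048
RX Jumbo:   4096
TX:         4096
Current hardware settings:
RX:         2048
RX Mini:    128
RX Jumbo:   256
TX:         2048
EOF
}

sample_ethtool_g | rx_ring_headroom    # 2048 4096 raise
# On the appliance: ethtool -g ens192 | rx_ring_headroom
#                   ethtool -k ens192 | lro_state
```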

Resolving The Problem

If the 'RX Ring' on the network interface is set too low, RX packets might sometimes be dropped, so raising the 'RX Ring' can solve the issue.
For example:
ethtool -G ens192 rx 4096
Allow QRadar to run for some time with the new settings to see whether the issue is resolved.
However, if notifications regarding dropped RX packets still appear, disable 'Large Receive Offload'.
For example:
ethtool -K ens192 lro off
If the issue remains unresolved after raising the 'RX Ring' and turning off 'Large Receive Offload', contact QRadar Support.
Note:
The network interface tunings introduced in this article are overwritten when the system restarts. To preserve them, add suitable rules to the ethtool.rules file in the /etc/udev/rules.d/ folder, for example:
ACTION=="add", SUBSYSTEM=="net", KERNEL=="ens192", RUN+="/sbin/ethtool -G ens192 rx 4096"
ACTION=="add", SUBSYSTEM=="net", KERNEL=="ens192", RUN+="/sbin/ethtool -K ens192 lro off"

Document Location

Worldwide


Document Information

Modified date:
14 February 2023

UID

ibm16851361