Troubleshooting
Problem
Leaving LAN over USB interface (usb0) feature enabled after firmware updates results in martian packets being repeatedly sent to the logs.
Symptom
Messages log spammed with "martian source x.x.x.x" from an interface with a "u" in it. The interface enp0s20u1u5 is a common source to see these packets from. The "u" signifies the USB interface (usb0).
Cause
This condition happens because the USB interface (usb0) loops packets back to the kernel thus causing the continuous messages.
Important: Firmware updates for QRadar hardware appliances on Lenovo System x® and ThinkSystem™ hardware fails if LAN Over USB is disabled. For more information see, QRadar: How to determine the status of LAN Over USB on SystemX® and ThinkSystem™ appliances.
Environment
All QRadar SystemX® and ThinkSystem™ appliances
Diagnosing The Problem
To use the command-line interface from Linux to verify and set the LAN Over USB settings, you must use the ASU64 or OneCLI application installed on your QRadar appliance.
- ASU64 is installed in QRadar 7.3.x and 7.4.x. The installation directory is /opt/lenovo/toolscenter/asu/. The ASU64 works with M3, M4, and M5 IMM settings.
- OneCLI is installed in QRadar 7.4.0 Fix Pack 1 and above. The installation directory is /opt/lenovo/lnvgy-utl-lxce-onecli/. OneCLI is required for communicating to the M6 XCC, however also works with the older M4 & M5 IMM settings.
- SSH into the QRadar console.
- To list the LAN Over USB status, type one of the following commands:
- For Advanced Settings Utility (ASU64), enter:
./asu64 show IMM --kcs | grep -i LanOverUsb
- For OneCLI application, enter:
./onecli config show IMM | grep -i LanOverUsb
- For Advanced Settings Utility (ASU64), enter:
- Check the logs by using the following command:
tailf /var/log/messages |grep 'martian'
- Look for messages similar to the following:
qradar-2 kernel: IPv4: martian source x.x.x.x from x.x.x.x on dev enp0s20u1u5
Result
If LAN Over USB in enabled and you see martian event logs, you have confirmed the issue and can proceed to Resolving The Problem.
Resolving The Problem
- SSH into the QRadar console.
- To disable LAN Over USB, enter one of the following commands:
- For Advanced Settings Utility (ASU64), enter:
./asu64 set IMM.LanOverUsb Disabled --kcs
- For OneCLI application, enter:
./onecli config set IMM.LanOverUsb Disabled
You can confirm LAN Over USB is disabled by entering one of the following commands:- For Advanced Settings Utility (ASU64), enter:
./asu64 show IMM --kcs | grep -i LanOverUsb
- For OneCLI application, enter:
./onecli config show IMM | grep -i LanOverUsb
- For Advanced Settings Utility (ASU64), enter:
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000CbVWAA0","label":"ATS-Infrasec"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
03 May 2023
UID
ibm16983444