IBM Support

QRadar: Enabling LAN over USB for firmware updates can generate martian events

Troubleshooting


Problem

Leaving LAN over USB interface (usb0) feature enabled after firmware updates results in martian packets being repeatedly sent to the logs.

Symptom

Messages log spammed with "martian source x.x.x.x" from an interface with a "u" in it. The interface enp0s20u1u5 is a common source to see these packets from. The "u" signifies the USB interface (usb0).

Cause

This condition happens because the USB interface (usb0) loops packets back to the kernel thus causing the continuous messages.
Important: Firmware updates for QRadar hardware appliances on Lenovo System x® and ThinkSystem™ hardware fails if LAN Over USB is disabled. For more information see, QRadar: How to determine the status of LAN Over USB on SystemX® and ThinkSystem™ appliances.

Environment

All QRadar SystemX® and ThinkSystem™ appliances

Diagnosing The Problem

To use the command-line interface from Linux to verify and set the LAN Over USB settings, you must use the ASU64 or OneCLI application installed on your QRadar appliance.
  • ASU64 is installed in QRadar 7.3.x and 7.4.x. The installation directory is /opt/lenovo/toolscenter/asu/. The ASU64 works with M3, M4, and M5 IMM settings.
  • OneCLI is installed in QRadar 7.4.0 Fix Pack 1 and above. The installation directory is /opt/lenovo/lnvgy-utl-lxce-onecli/. OneCLI is required for communicating to the M6 XCC, however also works with the older M4 & M5 IMM settings.
  1. SSH into the QRadar console.
  2. To list the LAN Over USB status, type one of the following commands:
    • For Advanced Settings Utility (ASU64), enter:
      ./asu64 show IMM --kcs | grep -i LanOverUsb
    • For OneCLI application, enter: 
      ./onecli config show IMM | grep -i LanOverUsb
  3. Check the logs by using the following command:
    tailf /var/log/messages |grep 'martian'
  4. Look for messages similar to the following:
    qradar-2 kernel: IPv4: martian source x.x.x.x from x.x.x.x on dev enp0s20u1u5

    Result
    If LAN Over USB in enabled and you see martian event logs, you have confirmed the issue and can proceed to Resolving The Problem.

Resolving The Problem

  1. SSH into the QRadar console.
  2. To disable LAN Over USB, enter one of the following commands:
    • For Advanced Settings Utility (ASU64), enter:
      ./asu64 set IMM.LanOverUsb Disabled --kcs
    • For OneCLI application, enter: 
      ./onecli config set IMM.LanOverUsb Disabled
    Result
    You can confirm LAN Over USB is disabled by entering one of the following commands:
    • For Advanced Settings Utility (ASU64), enter:
      ./asu64 show IMM --kcs | grep -i LanOverUsb
    • For OneCLI application, enter: 
      ./onecli config show IMM | grep -i LanOverUsb

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000CbVWAA0","label":"ATS-Infrasec"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
03 May 2023

UID

ibm16983444