Article Number
000034703
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.6.X
Issue
When an Archiver or Concentrator has been offline for some time, aggregation fails to start because the session it expects has already rolled over on the Decoder or Log Decoder.
The errors indicate a session gap, as shown below.
/var/log/messages:
Jan 5 13:33:40 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D:56004' requested session 1102239707
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Jan 5 13:33:50 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D::56004' requested session 1102239707
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Jan 5 13:34:00 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D::56004' requested session 1102239707
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Cause
The Archiver or the Concentrator was expecting a session ID that is no longer available on the Decoder or the Log Decoder because that session has already rolled out. It therefore logs "skipped sessions cannot be consumed", indicating that the expected session is no longer available.
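To confirm this condition on an appliance and see how large the gap is, the warnings can be summarised per device. The script below is an added example, not RSA code; the sample lines are constructed in the format shown above, and the gap size (start session minus requested session) is this example's own calculation.

```python
import re

# Constructed sample in the format shown in this article (host and address redacted as on the page).
SAMPLE = """\
Jan 5 13:33:40 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D:56004' requested session 1102239707
but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Jan 5 13:33:50 XXXX NwConcentrator[4576]: [Aggregation] [warning] Device: 'A.B.C.D:56004' requested session 1102239707 but the server returned a start session of 6015961918. The skipped sessions cannot be consumed.
Jan 5 13:34:10 XXXX NwConcentrator[4576]: [Aggregation] [info] unrelated line
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s")
GAP = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+[\d:]{8})\s+\S+\s+(?P<svc>Nw\w+)\[\d+\]:.*?"
    r"Device:\s*'(?P<device>[^']+)'\s+requested session (?P<req>\d+)\s+"
    r"but the server returned a start session of (?P<start>\d+)"
)

def join_wrapped(lines):
    """Re-join records whose message was wrapped onto a following line."""
    record = None
    for line in lines:
        if TIMESTAMP.match(line):
            if record is not None:
                yield record
            record = line.rstrip()
        elif record is not None and line.strip():
            record += " " + line.strip()
    if record is not None:
        yield record

def session_gaps(text):
    """Summarise session-gap warnings per (service, device)."""
    gaps = {}
    for rec in join_wrapped(text.splitlines()):
        m = GAP.match(rec)
        if not m:
            continue  # not a session-gap warning
        req, start = int(m["req"]), int(m["start"])
        g = gaps.setdefault((m["svc"], m["device"]), {"first": m["ts"], "count": 0})
        # skipped = sessions between the requested one and the oldest still held
        g.update(last=m["ts"], requested=req, start=start, skipped=start - req)
        g["count"] += 1
    return gaps

if __name__ == "__main__":
    for (svc, dev), g in session_gaps(SAMPLE).items():
        print(f"{svc} <- {dev}: {g['count']} warnings, {g['first']} to {g['last']}, "
              f"requested {g['requested']}, oldest available {g['start']}, gap {g['skipped']}")
```

To run it against a live system, pass the contents of /var/log/messages to session_gaps() instead of SAMPLE.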
Resolution
Follow the steps below to start aggregation.
1. Log in to the Decoder/Log Decoder using PuTTY.
2. Restart the service by running the commands below in sequence.
stop nwdecoder
start nwdecoder
Note: Replace nwdecoder with nwlogdecoder if you are aggregating from the Log Decoder.
4. Start aggregation from the Archiver/Concentrator -> Config page. Aggregation should now start.