IBM Support

What to do if you get Guardium "Inactive S-TAPs Since" alerts

Question & Answer


Question

What do I do if I get "Inactive S-TAPs Since" alerts from my Guardium appliance? How should I troubleshoot inactive S-TAPs?

Cause

Inactive S-TAPs Since is a predefined alert that is recommended to run on the Guardium collector. It alerts once an hour on all S-TAPs that have not been active for a given period of time (default: 1 hour).

The alert is sent only once each time the number of inactive S-TAPs changes. Even if the notification frequency is increased, only one alert will be sent.

S-TAPs can be inactive for many reasons. Use this guide to help understand the situation. You should collect the information outlined below before contacting technical support.

Answer

1. Basics

1.1 Are inactive S-TAPs expected?

  • Inactive S-TAPs are not a cause for concern if you are expecting them. If you have uninstalled an S-TAP or moved it to another collector, it is normal for it to be inactive. To remove an S-TAP from the report, navigate in the GUI to S-TAP Control (v9: Administration Console -> Local Taps -> S-TAP Control; v10: Manage -> Activity Monitoring -> S-TAP Control) and click the delete button to remove the inactive S-TAP.


1.2 When did the S-TAP last respond?

  • Check the text of the alert you received. What is the value in the "Last Response" column?
  • Can you correlate this to any known events in the environment?


1.3 Are all S-TAPs inactive?

  • Check in the collector GUI (v9: System View -> System Monitor; v10: Manage -> System View -> S-TAP Status Monitor).
  • If all S-TAPs are inactive, try to start or restart the inspection-core using the CLI:

    • start inspection-core
    • restart inspection-core


1.4 Is the S-TAP started on the database server?

  • For Unix servers use "ps -ef | grep stap" to check if the process is running.
  • For Windows servers check in Administrative tools -> Services to see if the S-TAP service is started.


2. Common Problems

2.1 Is load balancing or failover configured?

  • For S-TAPs that are configured with a primary and secondary collector, if the S-TAP cannot communicate with the primary for any reason (such as network issues), the S-TAP fails over to the secondary. Unless the former primary collector can ping the S-TAP, that collector generates an inactive S-TAP alert.


2.2 Are the correct network ports opened?

  • Bi-directional traffic must be allowed in firewall settings for S-TAPs to be active. Use this guide to ensure they are:
  • Can you use telnet to connect to the Guardium appliance over the appropriate port? If not, you should contact your network team to troubleshoot.
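
The connection test in 2.2 can be scripted for database servers where telnet is not installed. This is an added example, not IBM code: the script name probe_collector.py, the functions probe and report, and the hint texts are assumptions, and the ports are supplied by the caller because this page does not list them.

```python
#!/usr/bin/env python3
"""Probe TCP reachability of a Guardium collector from a database server."""
import errno
import socket
import sys

# General TCP behaviour, not Guardium-specific guidance (assumed wording).
HINTS = {
    "open": "handshake completed; this port is reachable in this direction",
    "refused": "host answered with a reset; nothing is accepting on that port, "
               "or a firewall rejects instead of dropping",
    "timeout": "no answer at all; typical of a firewall silently dropping packets",
    "unreachable": "no route to the host or network from this server",
    "dns-failure": "the collector name does not resolve on this server",
}

def probe(host, port, timeout=3.0):
    """Return a one-word classification of a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"

def report(host, ports, timeout=3.0):
    """Probe every port and return {port: classification}."""
    return {port: probe(host, port, timeout) for port in ports}

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: probe_collector.py <collector> <port> [<port> ...]")
    # Ports come from the caller: take them from your S-TAP configuration.
    results = report(sys.argv[1], [int(p) for p in sys.argv[2:]])
    for port, state in results.items():
        hint = HINTS.get(state, "unexpected socket error")
        print(f"{sys.argv[1]}:{port} {state} - {hint}")
    # Non-zero exit if any port is not open, so the result can be scripted.
    sys.exit(0 if all(s == "open" for s in results.values()) else 1)
```

Run from the database server, this exercises only the S-TAP-to-collector direction; the requirement above is bi-directional, so the reverse path still needs its own check.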

2.3 Have there been changes to the database or database server recently?

  • An update to the database that changes the database install directory may cause the S-TAP to go down. In this case the inspection engine parameters should be reset to the correct values.


3. Must gather
If you require assistance from technical support for your problem, please provide the must gather information listed below.

3.1 For all problems with inactive S-TAPs provide:

  • The file produced when you run CLI: support must_gather sniffer_issues
  • Details of your investigation from points 1 and 2.
  • For Unix servers, the file produced when you run the guard_diag script
  • For Windows servers, the file produced when you run the diag.bat script
  • Any other relevant information, for example screenshots, problem history.

3.2 For problems related to network provide:

  • The file produced when you run from the collector CLI: support must_gather network_issues --host="<S-TAP IP>"

Applies to: IBM Security Guardium (All Editions), versions 10.0, 10.0.1, 10.1, 9.0, 9.1 and 9.5, on AIX, HP-UX, Linux, Solaris, Windows and z/OS.

Document Information

Modified date:
09 October 2018

UID

swg21698838