IBM Support

High number of "Unrecognized address family for current server in heartbeat reply" messages in Guardium S-TAP Events report

Troubleshooting


Problem

After installing v10.1.3 Guardium S-TAP, I noticed a large increase in messages in the S-TAP Events report. There are 1000s of messages like "Unrecognized address family for current server in heartbeat reply". Similar messages may also be filling log files on the database server.

Cause

The message is created when the "heartbeat" connection between the S-TAP and the Collector does not complete.

It is normal and expected to see this in the S-TAP Events report, for example if the sniffer restarted, causing an interrupted connection. The event may be useful to alert the user to a possible situation where the S-TAP buffer will soon overflow because there is no connection with the collector.

If there are a small number of these messages, around one every 10 seconds for short periods, it is not a cause for concern.

Due to a defect in the v10.1.3 S-TAP, there can be a condition where the S-TAP does not check whether the connection is ready before sending the heartbeat. In this case, 1000s or 10,000s of messages can be created within a few seconds. This is not normal behavior and needs to be resolved.

If debugging is enabled on the S-TAP, the same messages are also printed to log files on the database server, e.g. /tmp/guard_stap.stderr.txt.

Diagnosing The Problem

1. In the GUI, under Manage > Maintenance > S-TAP Logs > S-TAP Events, there are 1000s or more messages like "Unrecognized address family for current server in heartbeat reply". The messages all come within a few seconds.

2. On the database server, /tmp/guard_stap.stderr.txt may also contain the messages.
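
The following is an added example, not IBM's code or part of the original technote: a Python check that separates the expected sparse pattern (around one message every 10 seconds) from the defect burst (1000s within a few seconds). The timestamp layout of the lines, the 5-second window and the 1000-event threshold are assumptions; this page does not give the format of /tmp/guard_stap.stderr.txt or of an S-TAP Events export, so adjust the regular expression to match your data.

```python
import re
from collections import deque
from datetime import datetime, timedelta

MESSAGE = "Unrecognized address family for current server in heartbeat reply"
# Assumed line layout: "YYYY-MM-DD HH:MM:SS <text>". Adjust for your log or export.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\b")
WINDOW_SECONDS = 5      # assumption standing in for "within a few seconds"
BURST_THRESHOLD = 1000  # assumption standing in for "1000s of messages"


def heartbeat_event_times(lines):
    """Return sorted timestamps of lines carrying the heartbeat message."""
    hits = (TS_RE.match(l) for l in lines if MESSAGE in l)
    return sorted(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") for m in hits if m)


def peak_in_window(times, window=WINDOW_SECONDS):
    """Largest number of events falling inside any sliding window."""
    recent, peak = deque(), 0
    for t in times:
        recent.append(t)
        # Drop events that are a full window or more older than the current one.
        while (t - recent[0]).total_seconds() >= window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def classify(lines):
    """'none', 'expected' (sparse, interrupted connection) or 'defect-burst'."""
    times = heartbeat_event_times(lines)
    if not times:
        return "none"
    return "defect-burst" if peak_in_window(times) >= BURST_THRESHOLD else "expected"


def constructed_sample(count, spacing_seconds):
    """Constructed log lines: `count` events spaced `spacing_seconds` apart."""
    base = datetime(2018, 6, 16, 12, 0, 0)
    stamps = (base + timedelta(seconds=i * spacing_seconds) for i in range(count))
    return [f"{s:%Y-%m-%d %H:%M:%S} {MESSAGE}" for s in stamps]


if __name__ == "__main__":
    print(classify(constructed_sample(30, 10)))   # -> expected
    print(classify(constructed_sample(5000, 0)))  # -> defect-burst
```

To run it against real data, pass the lines of the log file or exported report to classify() in place of the constructed samples.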

Resolving The Problem

Permanent fix

The underlying problem is resolved in v10.1.4 S-TAP and above. Check Fix Central to find the latest released S-TAP for your platform and upgrade.

Steps to take before permanent fix is available

1. The problem is created when the heartbeat connection is interrupted. Reducing these interruptions limits the problem. Ensure the sniffer is stable and not restarting by following "Identifying Common Sniffer Problems".

2. The problem is worse with an encrypted connection between the S-TAP and the Collector. If possible, temporarily set 'Use TLS' to 0 in the S-TAP control page.

3. Ensure there is no debugging active on the S-TAP. In guard_tap.ini on the database server, set tap_debug_output_level=0 and restart the S-TAP.

4. The internal database on the collector can fill up quickly because of this problem. If the database used % is getting high and SOFTWARE_TAP_EVENT is the top table, contact Guardium Support for assistance. If a ticket is opened, attach the support must_gather sniffer_issues output.

Top tables information

Must gather information


Document Information

Modified date: 16 June 2018

UID: swg22009707