Duplicate machines growing in number on 4.6.8 server
Article ID: 252801
Endpoint Detection and Response, Endpoint Protection with Endpoint Detection and Response
Duplicate machines growing in number on 4.6.8 Endpoint Detection and Response (EDR) on-prem appliance
During the device enrichment process for a SEPM endpoint, EDR keeps a record in ipHostNameCache so that it can look the device up by IP and hostname when lookup by mid fails.
For each device, the key in ipHostName is each IP from the ipAddresses array combined with the hostname.
The size of ipHostNameCache was limited to 150,000. The customer's environment had 40,000 endpoints with at least 4 IP addresses per device, so the cache needed 40,000 * 4 = 160,000 IP:Hostname keys. This caused frequent LRU evictions from ipHostNameCache.
The cache was not locked long enough between the cache.getAll() and cache.getIfPresent() calls. While EDR was loading mids into the cache in the getAll() call, they were simultaneously being evicted by the LRU removal thread, causing exceptions.
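The sizing problem above can be reproduced with a small model. This is an added example, not code from EDR: `LruCache`, `device_keys` and `simulate` are hypothetical names, the keys are constructed sample data, and the model assumes every enrichment pass walks all devices in the same order. Under that assumption a 150,000-entry LRU cache facing 160,000 keys never gets a hit after the first pass, while a 160,000-entry cache never evicts.

```python
from collections import OrderedDict


class LruCache:
    """Minimal size-bounded LRU map (a model, not EDR's cache)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = self.misses = self.evictions = 0

    def get_if_present(self, key):
        if key in self.entries:
            self.entries.move_to_end(key)  # a hit refreshes recency
            self.hits += 1
            return self.entries[key]
        self.misses += 1
        return None

    def put(self, key, value):
        if key not in self.entries and len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # drop the least recently used key
            self.evictions += 1
        self.entries[key] = value
        self.entries.move_to_end(key)


def device_keys(device, ips_per_device):
    """Constructed sample data: one 'ip:hostname' key per device IP."""
    host = f"host-{device}"
    return [f"10.{device >> 8}.{device & 255}.{n + 1}:{host}"
            for n in range(ips_per_device)]


def simulate(capacity, devices=40_000, ips_per_device=4, passes=3):
    """Assumed access pattern: each pass enriches every device in the same order."""
    cache = LruCache(capacity)
    for _ in range(passes):
        for device in range(devices):
            for key in device_keys(device, ips_per_device):
                if cache.get_if_present(key) is None:
                    cache.put(key, device)  # reload the entry after a miss
    return cache


if __name__ == "__main__":
    for capacity in (150_000, 160_000):
        c = simulate(capacity)
        print(capacity, "hits", c.hits, "misses", c.misses, "evictions", c.evictions)
```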
Please upgrade to EDR 4.7 where this behavior no longer occurs.