NSX Network Detection and Response - troubleshoot Suricata Service Initialization Errors
Article ID: 323959
Updated On:
Products
Issue/Introduction
Sensor displays the warning
Warning: Initialization: Suricata initialization pending, waiting for completion Warning: IDS Service: Service is unstable (3 previous instances)
Cause
The problem was triggered by the fact that the appliance configuration in the UI had AF_PACKET disabled as a packet acquisition strategy. This was forcing the IDS to start up in single/libpcap mode, but then fail with the following error:
In /var/log/suricata/suricata-lastline-daemon.log2022-09-08 03:36:20,173: output: Sep 8 03:34:18 lastline-sensor suricata_suricata-lastline-daemon_1[2265]: [1] 8/9/2022 -- 03:34:18 - (../../src/util-runmodes.c:429) < Error > (RunModeSetLiveCaptureSingle) -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use the 'single' runmode with multiple devices2022-09-08 03:36:20,173: output: Sep 8 03:35:13 lastline-sensor suricata_suricata-lastline-daemon_1[2265]: [1] 8/9/2022 -- 03:35:13 - (../../src/util-runmodes.c:429) < Error > (RunModeSetLiveCaptureSingle) -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use the 'single' runmode with multiple devices2022-09-08 03:36:20,173: output: Sep 8 03:36:07 lastline-sensor suricata_suricata-lastline-daemon_1[2265]: [1] 8/9/2022 -- 03:36:07 - (../../src/util-runmodes.c:429) < Error > (RunModeSetLiveCaptureSingle) -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use the 'single' runmode with multiple devices
Resolution
When using silicom appliances (or pretty much any other NIC) AF_PACKET must be enabled in the appliance configuration. If you switch the toggle , the issue gets rectified.
Path -->> Configuration -->> System -->> AF_PACKET_ACTIVATED -->> ENABLED
Workaround:
NA
Additional Information
Feedback
