The NDR Sensor Sniffing Service is down and not running, which means the sensor is unable to analyze network traffic. This is indicated by a "Down" service status in the user interface or a "Stopped" status in the NDR Sensor's command-line interface (CLI).
vDefend SSP >= 5.1
NDR Sensor >= 5.1
The Sniffing Service is down on the specified Sensor, so the Sensor is unable to analyze traffic on the wire. The service being down can be attributed to a few factors that either prevent it from starting or cause it to stop unexpectedly:
Service failed to start: The service may have failed during its startup sequence.
Dependency failure: The service has critical dependencies on the rabbitmq, sensor-container-orchestration and docker services. If any of these essential services is not running, the sniffing service will fail to start.
Configuration issues: A misconfiguration of the designated sniffing network interfaces can prevent the service from initializing correctly.
Network interface problems: The service may fail to start if the network adapters presented to the Sensor are misconfigured or disconnected at the vSphere level (see step 4 below).
Runtime errors: The service may also stop unexpectedly because of a runtime error after it has started.
A Sniffing Service that is not starting up may be a temporary condition; the service is designed to recover on its own. If it has not recovered after 30 minutes, work through the troubleshooting steps below.
Please follow these troubleshooting steps from the NDR Sensor CLI to diagnose and resolve the issue:
1. Confirm the service status: Access the NDR Sensor CLI and execute the following command. You will likely see the service in a "stopped" state.
ndr-sensor> get service sniffing
2. Attempt to restart the service manually: The first step is to try to bring the service up.
ndr-sensor> restart service sniffing
Wait for 10-15 minutes and then check the status again with
ndr-sensor> get service sniffing
If it remains stopped or fails again, proceed to the next steps.
3. Verify dependent services: Ensure the core dependencies are operational. The sniffing service will not start if these are down.
Docker is used to run the core application services.
ndr-sensor> get service docker
If the docker service is down, restart the appliance.
sensor-container-orchestration is the central logic that manages the lifecycle of all the other containerized application services, making sure the sensor is always running the right components based on its current configuration and status.
ndr-sensor> get service sensor-container-orchestration
If sensor-container-orchestration is down, restart it:
ndr-sensor> restart service sensor-container-orchestration
rabbitmq acts as the central message broker for the entire system.
ndr-sensor> get service rabbitmq
If rabbitmq is not running, restart it:
ndr-sensor> restart service rabbitmq
sensor-health monitors the health of each of the core services.
ndr-sensor> get service sensor-health
If sensor-health is down, restart it:
ndr-sensor> restart service sensor-health
Once all of these dependencies are running, restart the sniffing service again as in step 2 and re-check its status.
4. Ensure that the network interfaces are configured correctly:
Check that the interfaces attached to the NDR Sensor are correctly configured in vSphere: the network adapter type must be vmxnet3, and the network interface must be in the "Connected" state in the virtual machine settings of the NDR Sensor.
Secondly, on the sensor appliance itself, ensure that the network settings of the interfaces have not been modified in any way as the root user. Doing so is unsupported; configuration of the network interfaces is only supported through the CLI.
5. Check sniffing interface configuration: An incorrect interface configuration can prevent the service from starting.
ndr-sensor> get sniffing-interfaces
Verify that the interfaces listed are the ones intended for monitoring. If the sensor is registered and a sniffing interface is set, the MODE-STATUS is expected to be "NATIVE-MODE-CONFIG-SUCCEEDED".
If the issue still persists, collect the NDR Sensor support bundle (refer to the documentation for how to collect a support bundle) and raise a support ticket.
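The following triage helper walks the decision tree of steps 1 to 5 above over captured CLI output. It is an added example written for this page, not a script shipped with the NDR Sensor or vDefend SSP, and it makes assumptions the product documentation does not: that you have already run "restart service sniffing" and waited 10-15 minutes, that you have saved the output of each "get service <name>" and of "get sniffing-interfaces" into DIR/<name>.txt (for example through your SSH client's session logging), and that a capture containing "running" means the service is up while "stopped", "down" or "not running" means it is down. The exact layout of the real CLI output is not assumed beyond those keywords, and the sample captures written by write_sample are constructed data.

```shell
#!/bin/sh
# Added example for the troubleshooting steps above; not part of the NDR
# Sensor product or its documentation. See the assumptions in the lead-in:
# one capture file per CLI command under DIR, state keywords matched
# case-insensitively, "restart service sniffing" already attempted.

# service_state FILE : prints running | stopped | unknown
service_state() {
    f=$1
    if [ ! -r "$f" ]; then
        echo unknown                      # capture missing or unreadable
    elif grep -qiE 'stopped|down|not running' "$f"; then
        echo stopped                      # checked first so "not running" is not read as up
    elif grep -qi 'running' "$f"; then
        echo running
    else
        echo unknown                      # no recognisable state keyword (assumed format)
    fi
}

# next_action DIR : prints one action token, in the order the steps above use:
# sniffing itself, then docker, sensor-container-orchestration, rabbitmq and
# sensor-health, then the MODE-STATUS of the sniffing interfaces.
next_action() {
    dir=$1
    if [ "$(service_state "$dir/sniffing.txt")" = running ]; then
        echo "ok"; return 0               # step 1/2: service came back, nothing to do
    fi
    for svc in docker sensor-container-orchestration rabbitmq sensor-health; do
        case $(service_state "$dir/$svc.txt") in
            running) ;;
            unknown) echo "capture $svc"; return 0 ;;      # no usable capture for this service
            *) if [ "$svc" = docker ]; then
                   echo "restart-appliance"                # step 3: docker down => restart appliance
               else
                   echo "restart-service $svc"             # step 3: restart this dependency, then sniffing
               fi
               return 0 ;;
        esac
    done
    if ! grep -q 'NATIVE-MODE-CONFIG-SUCCEEDED' "$dir/sniffing-interfaces.txt" 2>/dev/null; then
        echo "check-interfaces"; return 0 # steps 4/5: vmxnet3 + Connected in vSphere, CLI-only config
    fi
    echo "support-bundle"                 # dependencies up, interfaces fine: collect bundle, open ticket
}

# write_sample DIR SNIFFING DOCKER ORCH RABBITMQ HEALTH MODE_STATUS
# Writes constructed capture files (sample data, not real sensor output).
write_sample() {
    dir=$1
    printf 'Service: sniffing\nStatus: %s\n' "$2" > "$dir/sniffing.txt"
    printf 'Service: docker\nStatus: %s\n' "$3" > "$dir/docker.txt"
    printf 'Service: sensor-container-orchestration\nStatus: %s\n' "$4" > "$dir/sensor-container-orchestration.txt"
    printf 'Service: rabbitmq\nStatus: %s\n' "$5" > "$dir/rabbitmq.txt"
    printf 'Service: sensor-health\nStatus: %s\n' "$6" > "$dir/sensor-health.txt"
    printf 'INTERFACE  MODE-STATUS\neth1  %s\n' "$7" > "$dir/sniffing-interfaces.txt"
}

# Demo on constructed captures: sniffing stopped, rabbitmq stopped, rest up.
demo_dir=$(mktemp -d)
write_sample "$demo_dir" Stopped Running Running Stopped Running NATIVE-MODE-CONFIG-SUCCEEDED
next_action "$demo_dir"   # prints: restart-service rabbitmq
rm -rf "$demo_dir"
```

The helper deliberately stops at the first failed check, because each step above only makes sense once the previous one has passed: restarting rabbitmq while docker is down tells you nothing. A "capture <name>" token means the script could not find a state keyword for that service and you should re-run the corresponding "get service" command rather than guess.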