When trying to deploy a Flow Forensics report, the deployment fails with an error that references an incorrect Harvester IP address. The error may look similar to one of the following:
Error executing Flow Forensics report on host 0.0.0.0
Error executing Flow Forensics report on host x.x.x.x (where x.x.x.x is an old or invalid IP address for the Harvester)
There are two possible causes of this issue, explained below. The Resolutions section contains corresponding solutions.
Possible Cause A:
This error can be caused by an old IP address for the Harvester in the agent_definitions table that is no longer part of RA.
Possible Cause B:
This error is returned when attempting to run a Flow Forensics report for two interfaces that have been aggregated and are sending their flows to different Harvesters.
DO NOT use this solution unless the IP address shown in the error is an old invalid IP address for the Harvester. If it is the current IP of the Harvester, then this solution will NOT resolve the issue and can cause issues with Historical data. Please check with Support if you aren't sure.
To resolve Cause A, connect to the ReporterAnalyzer server through Terminal Services and follow these steps:
1. Open a command prompt and enter the following commands:
mysql -D reporter
select id,name,routername from agent_definitions where receiveraddress=inet_aton('x.x.x.x');
(where x.x.x.x is the Harvester IP address that is reported when the flow forensics report fails to deploy)
2. Write down the ID for each item returned from the previous query.
3. Run this query, replacing the Y with an ID noted above: delete from agent_definitions where id=Y;
4. Repeat this query for each ID.
5. Try to redeploy your Flow Forensics report. It should now be successful.
To resolve Cause B, remove the current interface aggregation and have the two routers in question point their flows to the same Harvester (see pages 34-35 of the Admin Guide).