avflt messages from AMP are spamming Linux kernel

cdpinsk12
Level 1

Endpoint environment: AMP for Endpoints Connector v1.13.2.731 running in Protect Mode on RedHat Linux 6.9 VM

 

Hi, all -

 

The two messages below are almost constantly spamming on the above platform - almost 900,000 today alone:

 

Jun 15 15:28:53 hostname kernel: avflt: wait for reply timeout condition set
Jun 15 15:28:53 hostname kernel: avflt: wait for reply timeout condition cleared

 

I have already tried both stopping/restarting and reinstalling - including purging local data before install using

# /opt/cisco/amp/bin/purge_amp_local_data

 

This same agent version/same policy running on a few other cloned VMs does record a few avflt entries, but nowhere near this many.

 

Confirmed debuglevel is 0, the minimum reported log level is set to notice, and verbose is off - these are the same across other agents.

 

Not seeing any AMP-specific hits in the community or Google. Has anyone seen this before, or am I looking at a bug?

 

Thanks for reading.

 

Dave
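An added triage helper for the symptom described above (written for this thread, not code from Cisco or the AMP connector): it parses kernel log lines in the exact format quoted, counts "set"/"cleared" events per host, flags "set" events with no matching "cleared", and computes the event rate so the noisy VM can be compared against the quiet clones. The embedded log lines are constructed from the format in the post; the year is assumed since syslog omits it.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
Jun 15 15:28:53 hostname kernel: avflt: wait for reply timeout condition set
Jun 15 15:28:53 hostname kernel: avflt: wait for reply timeout condition cleared
Jun 15 15:28:54 hostname kernel: avflt: wait for reply timeout condition set
Jun 15 15:28:54 hostname kernel: avflt: wait for reply timeout condition cleared
Jun 15 15:29:10 hostname sshd[1234]: Accepted publickey for dave
Jun 15 15:29:31 hostname kernel: avflt: wait for reply timeout condition set
"""

# Matches only the two avflt messages from the thread; everything else is ignored.
AVFLT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"avflt: wait for reply timeout condition (?P<state>set|cleared)$"
)


def summarize_avflt(text, year=2021):
    """Summarise avflt timeout set/cleared events found in syslog-style text.

    `year` is an assumption: syslog timestamps carry no year, so one must be supplied
    to turn them into datetimes for the rate calculation.
    """
    counts = Counter()    # (host, state) -> number of events
    pending = Counter()   # host -> 'set' events not yet followed by 'cleared'
    stamps = []
    for line in text.splitlines():
        m = AVFLT_RE.match(line)
        if not m:
            continue
        host, state = m["host"], m["state"]
        counts[(host, state)] += 1
        stamps.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        if state == "set":
            pending[host] += 1
        elif pending[host] > 0:
            pending[host] -= 1
    total = sum(counts.values())
    span_s = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    per_min = total / (span_s / 60.0) if span_s > 0 else float(total)
    return {"total": total, "counts": dict(counts),
            "unmatched_set": {h: n for h, n in pending.items() if n},
            "events_per_minute": round(per_min, 1)}


if __name__ == "__main__":
    # Pipe /var/log/messages in, or run without input to see the constructed sample.
    print(summarize_avflt(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG))
```

Running two hosts' logs through the same function gives directly comparable events-per-minute figures, and a growing `unmatched_set` count points at the module waiting on replies that never arrive.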

 

 

3 Replies

David Janulik
Cisco Employee

Can you try with the version 1.15.2? The module may have been unable to be loaded if the Connector version the Customer was on previously was <= 1.12.3, as redirfs and avflt required the host to be rebooted after upgrade in order to successfully load the modules. The reboot is needed after the upgrade to 1.15.2.

more info:

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214850-amp-for-endpoints-linux-connector-update.html

 

 

Cyber security escalation engineer

Thank you for your response, David.

 

The affected VM was only previously running 1.12.4.702 from the initial installation, before moving up to 1.13.2.731. The update process was: removing the installed ciscoampconnector RPM, purging its data, then installing 1.13.2.731.

 

Would you still recommend a reboot after this update path? The Linux connector chart does not indicate a reboot would be required, but do you agree that it could also be a good troubleshooting step? (will need to be coordinated as the affected VM is production)

 

There is a pending AMP vPC update to 3.3.0_202102032120, though this appears to be an earlier update prior to the connector version 1.15.2 (March 2021) that you are recommending. Seems we would need to go through at least one step-update to get there – which can be our planned target – unless connector agents can be downloaded separately and an earlier release of AMP vPC can support later agent versions.

cdpinsk12
Level 1

Identified that the specific process spamming the logs is csco_amp_msg_wq.