06-15-2021 01:46 PM
Endpoint environment: AMP for Endpoints Connector v1.13.2.731 running in Protect Mode on RedHat Linux 6.9 VM
Hi, all -
The two messages below are spamming almost constantly on the above platform - a count of almost 900,000 today alone:
Jun 15 15:28:53 hostname kernel: avflt: wait for reply timeout condition set
Jun 15 15:28:53 hostname kernel: avflt: wait for reply timeout condition cleared
I have already tried both stopping/restarting and reinstalling - including purging local data before install using
# /opt/cisco/amp/bin/purge_amp_local_data
This same agent version/same policy running on a few other cloned VMs does record a few avflt entries, but nowhere near this many.
Confirmed debuglevel is 0, the minimum reported log level is set to notice, and verbose is off - these are the same across other agents.
Not seeing any AMP-specific hits in the community or Google. Has anyone seen this before, or am I looking at a bug?
Thanks for reading.
Dave
06-16-2021 03:32 AM
Can you try with the version 1.15.2? The module may have been unable to be loaded if the Connector version the Customer was on previously was <= 1.12.3, as redirfs and avflt required the host to be rebooted after upgrade in order to successfully load the modules. The reboot is needed after the upgrade to 1.15.2.
more info:
06-16-2021 08:46 AM
Thank you for your response, David.
The affected VM was only previously running 1.12.4.702 from initial installation, before moving up to 1.13.2.731. The update process was removing the installed ciscoampconnector RPM, purging its data then installing 1.13.2.731.
Would you still recommend a reboot after this update path? The Linux connector chart does not indicate a reboot would be required, but do you agree that it could also be a good troubleshooting step? (will need to be coordinated as the affected VM is production)
There is a pending AMP vPC update to 3.3.0_202102032120, though this appears to be an earlier update prior to the connector version 1.15.2 (March 2021) that you are recommending. Seems we would need to go through at least one step-update to get there – which can be our planned target – unless connector agents can be downloaded separately and an earlier release of AMP vPC can support later agent versions.
06-28-2021 06:04 AM
Identified the specific process spamming the logs is csco_amp_msg_wq