logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Bit9 Agent sync % is low and slow on updating

Bit9 Agent sync % is low and slow on updating

Version

6.0.2.x, 7.x.

 

Issue

Bit9 Agent sync % is low and slow on updating.

 

Symptoms

Sync % is either 0 or other low number and its increase is very slow. The Parity Server log consistently shows more than 5ms on SQL latency. Bit9 is deployed in a 2-tiers (SQL and Bit9 servers are on separate hardware), regardless if it is virtualized or not.

 

Cause

Network latency between SQL and Bit9 servers is high, causing slow response from servers for high-volume transactions, such as processing of files or events from the Bit9 Agents.

 

Diagnostics

Run the SQL Performance Collection Script specific to the Bit9 server version and the Bit9SQLIO tool. Both are available on the Customer Portal Library. Provide the result to Bit9 Support and Services for review to check if additional resources on the SQL server is needed.

 

On the Bit9 console, browse to https://<your Bit9 server name>/support.php. Go to the Diagnostics tab. Click on Snapshot Server Logs. After a few minutes, click on Available Log Files and review the ServerLog<date-time>.bt9. It can be opened using a Notepad. Search for "latency". It will have an average network latency between the Bit9 server and SQL server. The bottom of the log file has the latest information. If the "latency" is measuring to about 5ms or more, there's a network latency between the Bit9 server and the SQL server that your network team needs to address. Another option is to move the Bit9 and SQL servers in to 1 server to form a tier-1.

 

Use hrPing
From Bit9 server, run:

>hrping -n 30 <SQLServerName>

(you will need to accept license first)

 

Output example

Source address is <source IP here>; using ICMP echo-request, ID=2843

Pinging <SQLServerName> [<destination IP here>]

with 32 bytes data (60 bytes IP):

 

From <destination IP here>: bytes=60 seq=0001 TTL=128 ID=1883 time=0.595m

From <destination IP here>: bytes=60 seq=0002 TTL=128 ID=1884 time=0.456m

From <destination IP here>: bytes=60 seq=0003 TTL=128 ID=188c time=0.495m

...

From <destination IP here>: bytes=60 seq=0004 TTL=128 ID=18a2 time=0.464m

 

Packets: sent=4, rcvd=4, error=0, lost=0 (0.0% loss) in 1.50240

RTTs in ms: min/avg/max/dev: 0.456 / 0.502 / 0.595 / 0.055

Bandwidth in kbytes/sec: sent=0.159, rcvd=0.159

 

Number in bold shows average ping latency. It should be below 1 ms.

 

Solution

  • Move Bit9 and SQL servers on the single tier, as documented in OER
  • Alternatively, use direct cross-cable connection between Bit9 and SQL server machines
  • Troubleshoot network or virtualization infrastructure until average ping time drops below 0.5 ms and slow latency stops getting reported in the Server log

 

Important Note(s)

Do not make any changes in the support.php page as it will cause an unexpected behavior on your implementation.

Labels (1)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
jpillsbury
Creation Date:
‎12-02-2014
Views:
1024
Contributors
logo