Failure Notifications for JSA Appliances

Accumulator Cannot Read the View Definition for Aggregate Data

38750108 - Accumulator: Cannot read the aggregated data view definition in order to prevent an out of sync problem. Aggregated data views can no longer be created or loaded. Time series graphs will no longer work as well as reporting.

Explanation

A synchronization issue occurred. The aggregate data view configuration that is in memory wrote erroneous data to the database.

To prevent data corruption, the system disables aggregate data views. When aggregate data views are disabled, time series graphs, saved searches, and scheduled reports display empty graphs.

User Response

Contact Juniper Customer Support.

Accumulator is Falling Behind

38750099 - The accumulator was unable to aggregate all events/flows for this interval.

Explanation

This message appears when the system is unable to accumulate data aggregations within a 60-second interval.

Every minute, JSA creates data aggregations for each aggregated search. The data aggregations are used in time-series graphs and reports and must be completed within a 60-second interval. If the count of searches and unique values in the searches are too large, the time that is required to process the aggregations might exceed 60 seconds. Time-series graphs and reports might be missing columns for the time period when the problem occurred.

You do not lose data when this problem occurs. All raw data, events, and flows are still written to disk. Only the accumulations, which are data sets that are generated from stored data, are incomplete.

User Response

The following factors might contribute to the increased workload that is causing the accumulator to fall behind:

  • Frequency of the incomplete accumulations--If the accumulation fails only once or twice a day, the drops might be caused by increased system load due to large searches, data compression cycles, or data backup.

    Infrequent failures can be ignored. If the failures occur multiple times per day, during all hours, you might want to investigate further.

  • High system load--If other processes use many system resources, the increased system load can cause the aggregations to be slow. Review the cause of the increased system load and address the cause, if possible.

    For example, if the failed accumulations occur during a large data search that takes a long time to complete, you might prevent the accumulator drops by reducing the size of the saved search.

  • Large accumulator demands--If the accumulator intervals are dropped regularly, you might need to reduce the workload.

    The workload of the accumulator is driven by the number of aggregations and the number of unique objects in those aggregations. The number of unique objects in an aggregation depends on the group-by parameters and the filters that are applied to the search.

    For example, a search that aggregates for services filters the data by using a local network hierarchy item, such as DMZ area. Grouping by IP address might result in a search that contains up to 200 unique objects. If you add destination ports to the search, and each server hosts 5 - 10 services on different ports, the new aggregate of destination.ip + destination.port can increase the number of unique objects to 2000. If you add the source IP address to the aggregate and you have thousands of remote IP addresses that hit each service, the aggregated view might have hundreds of thousands of unique values. This search creates a heavy demand on the accumulator.

    To review the aggregated views that put the highest demand on the accumulator:

    1. On the Admin tab, click Aggregated Data Management.

    2. Click the Data Written column to sort in descending order and show the largest views.

    3. Review the business case for each of the largest aggregations to see whether they are still required.
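
The growth in unique objects described under "Large accumulator demands", as an added example (not JSA or Juniper code): it counts the distinct group-by keys that fall into each 60-second interval for three candidate aggregations over constructed traffic. The field names, addresses, view names and function names are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import product

def build_events(servers=200, ports_per_server=10, remotes=50, minutes=2):
    """Constructed sample traffic: every remote IP hits every service once a minute."""
    events = []
    for minute, s, p, r in product(range(minutes), range(servers),
                                   range(ports_per_server), range(remotes)):
        events.append({
            "time": minute * 60 + (s + p + r) % 60,   # seconds since start
            "destination.ip": f"10.0.0.{s + 1}",       # constructed DMZ servers
            "destination.port": 8000 + p,
            "source.ip": f"192.0.2.{r + 1}",           # constructed remote clients
        })
    return events

def peak_unique_objects(events, group_by, interval=60):
    """Largest number of distinct group-by keys seen in any one interval."""
    buckets = defaultdict(set)
    for ev in events:
        buckets[ev["time"] // interval].add(tuple(ev[f] for f in group_by))
    return max((len(keys) for keys in buckets.values()), default=0)

def rank_views(events, views):
    """Return (view name, peak unique objects) pairs, heaviest view first."""
    sizes = {name: peak_unique_objects(events, fields)
             for name, fields in views.items()}
    return sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)

# Hypothetical aggregated views, from narrowest to widest group-by.
VIEWS = {
    "by destination IP": ("destination.ip",),
    "by destination IP + port": ("destination.ip", "destination.port"),
    "by source IP + destination IP + port":
        ("source.ip", "destination.ip", "destination.port"),
}

if __name__ == "__main__":
    for name, size in rank_views(build_events(), VIEWS):
        print(f"{size:>7}  {name}")
```

Each added group-by field multiplies the per-interval key count, which is why the widest view dominates the ranking even though all three views read the same events.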

Filter Initialization Failed

38750091 - Traffic analysis filter failed to initialize.

Explanation

If a configuration is not saved correctly, or if a configuration file is corrupted, the event collection service (ECS) might fail to initialize. If the traffic analysis process is not started, new log sources are not automatically discovered.

User Response

Select one of the following options:

  • Manually create log sources for any new appliances or event sources until the traffic analysis process is working.

    All new event sources are classified as SIM Generic until they are mapped to a log source.

  • If you get an automatic update error, review the automatic update log to determine whether an error occurred when a DSM or a protocol was installed.

Infrastructure Component is Corrupted or Did Not Start

38750083 - Infrastructure component corrupted.

Explanation

When the message service (IMQ) or PostgreSQL database cannot start or rebuild, the managed host cannot operate properly or communicate with the console.

User Response

Contact Juniper Customer Support.

Process Monitor Application Failed to Start Multiple Times

38750043 - Process Monitor: Application has failed to start up multiple times.

Explanation

The system is unable to start an application or process on your system.

User Response

Review which components are failing. For example, JSA Flow Processor fails to start when no flow sources are assigned. Use the deployment actions to remove that Flow component.

Store and Forward Schedule Did Not Forward All Events

38750109 - A store and forward schedule finished while events were left on disk. These events will be stored on the local event collector until the next forwarding sessions begins.

Explanation

If the schedule contains a short start and end time or many events to forward, the event collector might not have sufficient time to transfer the queued events. Events are stored until the next opportunity to forward events. When the next store and forward interval occurs, the events are forwarded to the event processor.

User Response

Increase the event forwarding rate from your event collector or increase the time interval that is configured for forwarding events.

Time Synchronization Failed

38750129 - Time synchronization to primary or Console has failed.

Explanation

The managed host cannot synchronize with the console or the secondary HA appliance cannot synchronize with the primary appliance.

Administrators must allow ntpdate communication on port 123. When time synchronization is incorrect, data might not be reported correctly to the console. The longer the systems go without synchronization, the higher the risk that a search for data, a report, or an offense might return an incorrect result. Time synchronization is critical to successful requests from managed hosts and appliances.

User Response

Contact Juniper Customer Support.

User Authentication Failed for Automatic Updates

38750127 - Automatic updates user authentication failed. A valid individual Juniper ID is required.

Explanation

Valid credentials are required to authorize automatic downloads from the update server.

User Response

To view the automatic update settings, on the Admin tab, click the Auto Update icon and select Change Settings > Advanced. Administrators can confirm that the user name and password in the Settings window are correct.

User Does Not Exist or is Undefined

38750075 - User either does not exist or has an undefined role.

Explanation

The system attempted to update a user account with more permissions, but the user account or user role does not exist.

User Response

On the Admin tab, click Deploy Changes. Updates to user accounts or roles require that you deploy the change.

Certificate Expires Soon

38750161 - The certificate named <certificate_name> will expire on <date>. Please update the cerificate soon.

Explanation

Servers and clients use certificates to establish communication that uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Certificates are issued with an expiration date that indicates how long the certificate remains valid. This message is first shown when JSA determines that the certificate that is used for SAML authentication is set to expire within the next 14 days. The message is shown again at specific intervals that lead up to the expiration date.

User Response

Select one of the following options:

  • If you are using the JSA_SAML certificate that is provided with JSA, renew the certificate.

  • If you are using a 3rd-party certificate, add a certificate.

If the certificate expires before you renew it or add a new one, JSA cannot communicate with the SAML authentication server, and users can't log in.

Certificate Expired

38750162 - The certificate named <certificate_name> has expired. Please update the cerificate as soon as possible.

Explanation

Servers and clients use certificates to establish communication that uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Certificates are issued with an expiration date that indicates how long the certificate remains valid.

This message appears when the certificate that is used for SAML authentication is expired. The message appears once a day and JSA users cannot log in until the expired certificate is replaced or renewed.

User Response

Select one of the following options:

  • If you are using the JSA_SAML certificate that is provided with JSA, renew the certificate.

  • If you are using a 3rd-party certificate, add a certificate.