Message error - Error executing Flow Forensics report on host x.x.x.x

Document ID : KB000048007
Last Modified Date : 14/02/2018

Description:

When running a Flow Forensics report, you may encounter an error like the one below:

"Error executing Flow Forensics report on host x.x.x.x"

Figure 1

If you check the <InstallDir>\NetFlow\logs\oursql_*_error.log file, you may see an error like the one below:

Message error:
The NetQoS NQMySql51 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 300000 milliseconds

Application:
Faulting application name: netqossqld51.exe, version: 0.0.0.0, time stamp: 0x52601aef
Faulting module name: NFAStorageEngine.dll, version: 0.0.0.0, time stamp: 0x528d6d71
Exception code: 0xc0000005
Fault offset: 0x0000bc22
Faulting process id: 0x544
Faulting application start time: 0x01cfbbddfc994f34
Faulting application path: C:\CA\NFA\Netflow\bin\netqossqld51.exe
Faulting module path: C:\CA\NFA\Netflow\bin\NFAStorageEngine.dll
Report Id: ac11de5d-27d3-11e4-9910-000c2968f2e7

Oursql 5.1 log file:
Version: '5.1.45-pro' socket: '' port: 3307 Source distribution
NFA CSE data dir is [C:\CA\NFA\Netflow\datafiles\HarvesterArchive]
NFA CSE log file is [C:\CA\NFA\\Netflow\logs\NFAStorageEngine.log]
NFA CSE ready to load dynlib [C:\CA\NFA\Netflow\bin\NFAStorageEngine.dll]
140811 14:57:36 - mysqld got exception 0xc0000005 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8384512
read_buffer_size=16777216
max_used_connections=1
max_threads=250
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 1959462 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x1e6ff40
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
0064BC22 NFAStorageEngine.dll!GetFieldNumberFromName()
0064BEDE NFAStorageEngine.dll!GetFieldNumberFromName()
00641FAE NFAStorageEngine.dll!GetNextRow()
00641A9D NFAStorageEngine.dll!GetNextRow()
006418C8 NFAStorageEngine.dll!GetNextRow()
012ACC45 netqossqld51.exe!?store_length@Field_blob@@SAXPAEII_N@Z()
0116901B netqossqld51.exe!?read_range_next@handler@@UAEHXZ()
01167678 netqossqld51.exe!?read_multi_range_next@handler@@UAEHPAPAUst_key_multi_range@@@Z()
012635C5 netqossqld51.exe!?get_next@QUICK_RANGE_SELECT@@UAEHXZ()
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort…
thd->query at 01EB81C8=select router RouterAddress, inIf InterfaceIn, protocol Protocol, srcAddr SourceAddress, srcPort SourcePort, dstAddr DestinationAddress, dstPort DestinationPort, tos TypeOfService, sum(inBytes) BytesInVolume, ifnull(sum(inBytes)*8 / sum(flowEnd-flowStart), 0) * 1000 BytesInRatePerDuration, count(*) FlowCount, sum(flowEnd-flowStart) FlowDuration, sum(inPkts) PacketsInVolume, ifnull(sum(inPkts) / sum(flowEnd-flowStart), 0) * 1000 PacketsInRatePerDuration from flowforensicsreport_3e6d00b0164349eaa75022335bcfe0bb where timestamp > 1407768060 and timestamp <= 1407779760 and ((dstAddr & xxxxxxxxxx= xxxxxxxxxx)) group by router, inIf, protocol, srcAddr, srcPort, dstAddr, dstPort, tos
thd->thread_id=1
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.

Solution:

Another Tech Doc, TEC595660, references this error. Follow it first, as it may resolve the error. If it does not, try the following.

  1. On the Harvester, make a backup copy of the <InstallDir>\NetFlow\bin\netqosmy51.ini file (netqosmy.ini in NFA 9.3 and up).
  2. Open the appropriate netqosmy*.ini file in a text editor and add the following values to the "[mysqld]" section of the file: 
     
    key_buffer_size=16769024
    read_buffer_size=33554432 
      
  3. Save the file and restart the 'NetQos NQMysql51' or 'NetQoS NQMysql' service on the Harvester.
  4. On the NFA Console server, recycle the 'NetQos ReporterAnalyzer Report Service', then try the report again.

**Note: you may also want to try narrowing the Flow Forensics report to a shorter time frame to see if that works as well.**

**Note: if you see that some of the queries listed in the <InstallDir>\NetFlow\logs\oursql_5.1_error.log are selecting from nsas.ahtflows, these are Anomaly Detector queries. You can try stopping the Anomaly Detector service (CA NFA Hunter Tracker Service).**
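
A triage helper for the oursql error log excerpt and the Anomaly Detector note above, added here as an example (it is not part of the original document or of the product): it splits a log into crash entries and labels each one by the table its thd->query line selects from. The sample log is constructed (abridged from the excerpt above, with an invented nsas.ahtflows entry), and all function names are hypothetical.

```python
import re

# Constructed sample: abridged from the log excerpt in this document.
# The second crash entry (nsas.ahtflows query) is invented for illustration.
SAMPLE_LOG = """140811 14:57:36 - mysqld got exception 0xc0000005 ;
0064BC22 NFAStorageEngine.dll!GetFieldNumberFromName()
00641FAE NFAStorageEngine.dll!GetNextRow()
0116901B netqossqld51.exe!?read_range_next@handler@@UAEHXZ()
thd->query at 01EB81C8=select router RouterAddress from flowforensicsreport_3e6d00b0164349eaa75022335bcfe0bb where timestamp > 1407768060
thd->thread_id=1
140812 09:10:02 - mysqld got exception 0xc0000005 ;
0064BC22 NFAStorageEngine.dll!GetFieldNumberFromName()
thd->query at 01EB81C8=select count(*) from nsas.ahtflows
thd->thread_id=4
"""

CRASH = re.compile(r"^(\d{6}\s+\d{1,2}:\d{2}:\d{2}) - mysqld got exception (0x[0-9a-fA-F]+)")
FRAME = re.compile(r"^[0-9A-Fa-f]{8}\s+([^!\s]+)!(.+?)\(\)\s*$")   # address module!symbol()
QUERY = re.compile(r"^thd->query at [0-9A-Fa-f]+=(.*)$")

def classify(query):
    """Label a crashed query by the table it reads, per the notes in this document."""
    q = query.lower()
    if "nsas.ahtflows" in q:
        return "anomaly-detector"
    if "flowforensicsreport_" in q:
        return "flow-forensics"
    return "other"

def parse_crashes(text):
    """Return one dict per 'mysqld got exception' entry found in the log text."""
    crashes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := CRASH.match(line):
            cur = {"time": m[1], "exception": m[2].lower(),
                   "frames": [], "query": None, "source": "unknown"}
            crashes.append(cur)
        elif cur and (m := FRAME.match(line)):
            cur["frames"].append((m[1], m[2]))           # (module, symbol)
        elif cur and (m := QUERY.match(line)):
            cur["query"], cur["source"] = m[1], classify(m[1])
    return crashes

def summarize(text):
    """(time, exception code, module of the top backtrace frame, query source) per crash."""
    return [(c["time"], c["exception"], c["frames"][0][0] if c["frames"] else None,
             c["source"]) for c in parse_crashes(text)]
```

Run `summarize()` over the contents of the oursql error log from the Harvester: entries labelled `anomaly-detector` point to the Anomaly Detector note, while `flow-forensics` entries match the crash this document addresses.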