NDR troubleshooting
Troubleshoot NDR issues.
NDR status messages
You'll see three different statuses in Sophos Central: red, yellow, and green. A red status means the integration isn't working. A yellow status means that the integration is working but with errors. A green status means that the integration is healthy and working with no issues.
Red status
NDR containers not ready, <specific container names>.
NDR isn't running because one or more of the applications isn't ready. This message is often seen when the dragonfly container is stuck in a restart loop because the CPU doesn't provide the instruction sets that dragonfly requires.
For further information, run sudo kubectl describe pod <pod name> in the CLI and look for error messages at the end of the output (the Events section is printed last). Contact Sophos Support and share the information you've gathered.
Upload to s3 failed. Request was received but an error code was returned. Error code: <S3 upload error>
The NDR data couldn't be uploaded to an S3 bucket using a pre-signed URL. This usually means your firewall or web proxy isn't configured to allow outbound traffic from the NDR appliance to the internet, so the upload is blocked. If changing the firewall or web proxy settings doesn't solve the issue, contact Sophos Support.
spanX: unhealthy span
The third-party network appliance sending network span traffic to the NDR appliance isn't properly configured. You can use the port mirror/span issues link at the top of the page to help troubleshoot this issue.
Yellow status
spanX: packets being dropped
Over 10% of network packets are being dropped, and the NDR appliance needs more system resources to function properly. Network packet ingestion and processing is CPU intensive, and if NDR can't allocate enough CPU cores to keep up, network packets are dropped. If you're running NDR on a virtual machine (VM), allocate more CPU cores to the VM and check whether that solves the issue. If you're running NDR on certified hardware, you can set up another hardware appliance and split the network span traffic between the two.
Third-party log collector integrations are also CPU intensive when ingesting high levels of syslog messages. If your appliance is running multiple types of integrations, consider distributing them across multiple appliances to ensure the proper resources for each integration.
Green status
The NDR integration is receiving span traffic and processing the network packet data without any issues.
Currently, the definition of a healthy span port is that at least 1% of network packets are unicast.
General NDR troubleshooting
No detection generated by Sophos NDR
Some switches can't handle VLAN tags correctly, leading to no detections being generated.
To solve the issue, and make sure detections are generated, do as follows:
Generate a test detection. See Generate detections (NDR).
Run the following query on your NDR appliance:
SELECT SrcIp,DestIp,Hostname,ClientToServerBytes,ServerToClientBytes,Vlan,ClusterId FROM dragonfly WHERE DestPort=2222 LIMIT 100;
For information about running queries, see NDR Query.
If the results show traffic tagged with both your selected VLAN and VLAN 0, you need to turn on VLAN Strip. See Global NDR Settings.
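As an added example (not a query from the Sophos documentation), the following SQL groups the test-detection traffic by VLAN tag instead of scanning 100 individual rows, so it's immediately visible whether the same traffic is arriving both on your selected VLAN and on VLAN 0. It assumes the same dragonfly table and column names used in the query above and that DestPort=2222 is the port of your test detection; the 10-minute time window and the Timestamp column are assumptions, so remove that condition if your NDR Query schema doesn't expose one.

```sql
-- Count the test-detection flows per VLAN tag.
-- A healthy, untagged feed shows one VLAN value only.
-- Seeing your selected VLAN and VLAN 0 side by side means the switch is
-- forwarding the same traffic with and without its tag: turn on VLAN Strip.
SELECT
    Vlan,
    COUNT(*)                  AS Flows,
    COUNT(DISTINCT SrcIp)     AS SourceHosts,
    SUM(ClientToServerBytes)  AS BytesToServer,
    SUM(ServerToClientBytes)  AS BytesToClient
FROM dragonfly
WHERE DestPort = 2222
  -- Assumed column: limit to traffic since the test detection was generated.
  AND Timestamp >= DATETIME('now', '-10 minutes')
GROUP BY Vlan
ORDER BY Flows DESC;
```

If the result has exactly one row for your selected VLAN, tagging isn't the cause and the missing detections need a different explanation. If VLAN 0 appears alongside it, the byte counts on the two rows will normally be almost identical, which confirms the traffic is being duplicated rather than coming from a second network segment.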