How to:

Troubleshoot Collector status Reconnect on a Branch appliance.

* Prerequisite: Considering Analytics is configured with an operational Local Collector.

When a Branch appliance has an LEF connection and the status is Reconnect with no logs seen on Analytics GUI

Step: 1 > on Branch, verify Destination IP belongs to which device.

Step: 2 > As Destination IP belongs to Controller, check the NAT sessions on Controller and look for the Source IP of Branch.

Step: 3 > Verify the session is being NAT'ed correctly towards Analytics and make a note of the NAT Source IP and Port.

Step: 4 > Verify the adc virtual IP is enabled and up on Controller (If the lef connection is through Controller)

Step: 5 > Go to the Analytic Node having IP as seen in the above NAT sessions and check Active Clients Connected

Step: 6 > Check the max-connections configured on Analytics for local collector.

Step: 7 > Here we see the max-connections configured is 8 and active clients connected is also 8 (verified in step 4)

Step: 8 > Check if there are pending NAT sessions on the Controller towards the same Analytic node

Step: 9 > Tcpdump on Analytics interface towards Controller will reflect TCP RST from Analytics with SYN-ACKs absent.

Step: 10 > Change the max-connections configuration on Analytics to 512 (default) or more if already 512 active clients.

Step: 11 > This will fix the issue. Verify LEF connection is now Established on the Branch.

##############################################################################

If the connections are not load balanced in cluster and one node has max connections limit reached. 

Restarting versa-lced service on the impacted log-collector will drop and re-distribute connections to other log-collectors.

sudo service versa-lced restart

* In case above steps do not resolve the issue. Please reach out to Versa TAC.