Fanout not supported by kernel: Kernel too old or cluster-id 99 already in use

Suricata v6.0.13
I have installed and configured Suricata on AWS EC2 Ubuntu 20.04 but keep getting the error “Kernel too old or cluster-id 99 already in use”.

Meanwhile, I have checked the processes running, none is using id 99, and I even changed the cluster-id in the configuration file, but still the same problem.

The kernel is up to date, checked with uname -r. Attached are the error message, kernel version and suricata configuration file.


suricata.yml (76.0 KB)

I need this as soon as possible, please.

Are you in a position to rebuild Suricata?

Are you referring to installing it all over again from the source? Yes, I can do that, but I have done it several times already.

Yes … I was going to suggest a slight patch to get a better idea of the error.

diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index 0c50ed219a..daf9708283 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -1818,8 +1818,8 @@ int AFPIsFanoutSupported(uint16_t cluster_id)

     if (r < 0) {
         SCLogError("fanout not supported by kernel: "
-                   "Kernel too old or cluster-id %d already in use.",
-                cluster_id);
+                   "Kernel too old or cluster-id %d already in use: %s",
+                cluster_id, strerror(errno));
         return 0;
     }
     return 1;
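Review bot: errno must still hold the setsockopt() failure when the new `strerror(errno)` in this hunk runs; the hunk does not show where `r` is set, so if anything such as a `close(fd)` on the probe socket sits between the `setsockopt()` call and this `if (r < 0)`, save `int err = errno;` immediately after the call and pass `strerror(err)` here instead. Also confirm that `<errno.h>` and `<string.h>` are included in source-af-packet.c and that the added `%s` has exactly one matching argument, since SCLogError is printf-style.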

I should copy and paste this into the configuration file? Any particular part of the configuration file?

You said you could install from source; that involves compiling the Suricata source modules.

If that’s something you could do, then make the highlighted change to the source code module (src/source-af-packet.c) and then build, install and start suricata.

Not sure if it’s the same issue, but I’m seeing the same error (kernel 4.15).

The error string, after the patch is:

23/8/2023 -- 14:31:29 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - fanout not supported by kernel: Kernel too old or cluster-id 97 already in use: Invalid argument

Actually, after rebooting, it seems to be working now…
Possibly my experiments left/leaked some XDP resources?

I did as requested. Images below:


Before editing source-af-packet.c


After editing source-af-packet.c

Proceeded to build, install and run


Error message on running suricata v6.0.13

suricata.yml (76.0 KB)
Also attached the current configuration file.

Hi Temi, how did you check that the cluster-id is not in use by any other process?

using ps aux | grep 99

cluster-id doesn’t appear in ps output.
It’s used as a group identifier in the setsockopt call to configure FANOUT.
I’m not aware of a way to tell whether a given ID is already in use.
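Added example, not Suricata's code and not part of this thread: a small C probe modelled on the AFPIsFanoutSupported() check the patch above touches. It opens an AF_PACKET socket, asks the kernel to join fanout group cluster_id with the PACKET_FANOUT setsockopt, and records errno before closing the socket, so the reason for a failure is visible instead of a generic "too old or in use" message. The mode/flag choice (PACKET_FANOUT_HASH plus PACKET_FANOUT_FLAG_DEFRAG) and the errno interpretation in explain_fanout_errno() are this example's own, based on how the kernel's fanout_add() behaves as I understand it; the code assumes Linux and needs CAP_NET_RAW (root) to open the socket.

```c
/*
 * fanout_probe.c (added example, not Suricata's own code)
 * Probe whether the kernel will let us join AF_PACKET fanout group
 * <cluster_id>, and report the real errno instead of a generic error.
 * Linux only; elsewhere the probe reports ENOSYS.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __linux__
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <sys/socket.h>
#include <unistd.h>
#else
/* Fallback constants so the pure helpers still compile off Linux. */
#define PACKET_FANOUT_HASH 0
#define PACKET_FANOUT_FLAG_DEFRAG 0x8000
#endif

/* PACKET_FANOUT takes one 32-bit value: group id (the cluster-id) in the
 * low 16 bits, fanout mode and flags OR'd together in the high 16 bits. */
uint32_t fanout_option(uint16_t cluster_id, uint16_t mode, uint16_t flags)
{
    return ((uint32_t)(mode | flags) << 16) | cluster_id;
}

/* Returns 1 if the kernel accepted the fanout group, 0 if setsockopt()
 * refused it, -1 if no AF_PACKET socket could be opened at all.
 * *err receives the errno of the failing call (0 on success). */
int probe_fanout(uint16_t cluster_id, int *err)
{
#ifdef __linux__
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {
        *err = errno;                 /* EPERM/EACCES: no CAP_NET_RAW */
        return -1;
    }
    uint32_t option = fanout_option(cluster_id, PACKET_FANOUT_HASH,
                                    PACKET_FANOUT_FLAG_DEFRAG);
    int r = setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &option, sizeof(option));
    *err = (r < 0) ? errno : 0;       /* capture before close() can clobber errno */
    close(fd);                        /* closing also leaves the group again */
    return (r < 0) ? 0 : 1;
#else
    (void)cluster_id;
    *err = ENOSYS;
    return -1;
#endif
}

/* Interpretation of the errno values this path produces (this example's
 * reading of the kernel's fanout_add(); verify against your kernel). */
const char *explain_fanout_errno(int err)
{
    switch (err) {
    case 0:           return "fanout group joined";
    case ENOPROTOOPT: return "kernel has no PACKET_FANOUT (too old)";
    case EINVAL:      return "unknown fanout mode/flags, or this cluster-id is "
                             "already in use with a different mode, flags or interface";
    case ENOSPC:      return "fanout group is full";
    case EPERM:
    case EACCES:      return "cannot open AF_PACKET socket: need CAP_NET_RAW";
    default:          return strerror(err);
    }
}

int main(int argc, char **argv)
{
    /* Usage: sudo ./fanout_probe [cluster-id]   (default 99, as in the thread) */
    uint16_t cluster_id = (argc > 1) ? (uint16_t)atoi(argv[1]) : 99;
    int err = 0;
    int r = probe_fanout(cluster_id, &err);
    printf("cluster-id %u: result=%d errno=%d (%s): %s\n", cluster_id, r, err,
           strerror(err), explain_fanout_errno(err));
    return (r == 1) ? 0 : 1;
}
```

Run it as root with the cluster-id from suricata.yaml while Suricata is stopped; an EINVAL with Suricata stopped points at leftover fanout members (for instance from other AF_PACKET or XDP tooling still holding that id with different settings) or at a kernel that rejects the requested mode, whereas ENOPROTOOPT means the kernel predates PACKET_FANOUT entirely.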

What’s the solution to the problem?

What other processes are running?
Did you try another number for the cluster_id?
What kernel is being used?