Notifications

202 views

Description

Symptoms

The Physical host keeps on changing names.  The ci and asset records does not look correct: the CI hostname and hardware information seem to be merging between two or more CIs.

Release

All Release

Cause

ServiceNow discovery is agentless discovery.  We use multiple probe/sensor to query the the CI for information.  The main two probes which can cause this issue are the Classify and Identity probes.  Classify will get the host information, and Identity will get the ip address and serial number information. One of the first hardware rule identifier is the serial_number/serial_number_type. 

Classify scan system_one and gets it hostname, Identity scan system_two and gets it serial_number.  Since, we're able to match the CI by serial number the updated ci will be the combination of hostname(system_one), and serial_number(system_two).  

 Hostname ipaddressserial_number
     
Original CIsystem_one 10.1.1.354321ABCD
Original CIsystem_two 10.1.1.4ABCD54321
New CIsystem_one 10.1.1.4ABCD54321

1.  Multiple server sits behind a load balancer vip.  It's possible that the loadbalancer is forwarding the request to different CIs during classify and identity.

2.  If the DHCP lease time is to short, and Discovery is running very slow.  System_one pick up 10.1.1.4 and Discovery picked it up during classify, then System_one dropped off the network.  System_two came on line and was given the same ip address 10.1.1.4, and then discovery is scanning for Identity.  This could also happens when using VPN when the there is a small number of ip range, and user can obtain the same ip address within a short amount of time.

3.  Multiple system have the same serial_number

4. The host system is multi home and have multiple nics.  

 

Resolution

 1.  If you know that the ip address you're scanning is a VIP on a load balancer, you can set the ip address in the exclude range so they will not be scanned.  Most likely you can scan the system with it's direct ip address, or use Help the Help Desk script to populate the CI into CMDB.

https://docs.servicenow.com/bundle/madrid-servicenow-platform/page/product/configuration-management/concept/c_HelpTheHelpDesk.html

2. A. increase lease time on DHCP

B.  Add more mid servers.  This will speed up the time it takes for Discovery to run; hence, the windows for classify and identity on different system will be smaller.

C.  If A&B does not resolve this issue, Exclude these ip address from the discovery schedule since the ip address is reused to frequently.  Please use Help the Help Desk instead to write this information into cmdb_ci. 

3. Multiple systems shouldn't have the same serial number.  Check to see if your system admin can address this issue.  If there are no way to change this, you will need use another method identifying the ci in the hardware rule. 

https://docs.servicenow.com/bundle/kingston-security-management/page/product/security-operations-common/concept/ci-identifier-rules.html 

4. The hostname can change frequently if you're scanning two different ip address on the same host which uses DNS as a hostname.  Depending upon which ip address you scan the hostname will change to that dns name.  You can deselect Dns as the trusted hostname in the discovery properties.  This does not cause merge records but names can change frequently  

DNS or NetBIOS is trusted host name source 

Article Information

Last Updated:2019-08-02 20:48:25
Published:2019-03-21