Troubleshooting Duplicate Assets

This article describes reasons you may experience duplicated assets in VDR.

Assets Discovered by Multiple Edge Services

VDR identifies any live Servers and Websites as new assets the first time they are seen by a new Edge Service. If you add a new Edge Service, any assets already discovered by an existing Edge Service are recreated during the first discovery by the new service. These are seen as new entities due to the unique combination of Network and Edge Service.

Address This Scenario

To address duplicate assets due to this scenario:

  1. Search for the Auto Discovery range.
  2. Filter on the Edge Service that was originally deployed.
  3. Delete those resulting assets.

Prevent This Scenario

To prevent this duplication of assets prior to an Auto Discovery scan, update the Edge Service for the existing assets by following these steps:

  1. Search for the Auto Discovery range from the Servers section.
  2. Change the Edge Service assigned to the existing assets from the previous Edge Service to the new Edge Service before launching an Auto Discovery scan.
  3. Repeat steps one and two for the websites that belong to the range from the Websites section.

Assets Assigned to Teams Duplicated

Teams allow organizations to segregate assets between different groups where different users have specific privileges. Assets can only be present on one team for the same organization, but may be duplicated as new entities due to a unique combination of Team, Network, and Edge Service.

Address This Scenario

To address duplicate assets due to this scenario:

  1. Search for the Auto Discovery range.
  2. Filter by the original Team as assigned by the Auto Discovery settings.
  3. Delete those resulting assets.
  4. Add the IP addresses of those assets to your Auto Discovery Exclusion list to prevent future duplication.

Prevent This Scenario

To prevent this duplication when assigning assets to a Team, add the IP addresses of the assets you are assigning to your Auto Discovery Exclusion list.

Auto Discovery Range Size

An Auto Discovery range that is too small may result in the duplication of assets in certain scenarios.

As a simplified example, in an effort to slowly work into the discovery of your environment, you might add one class C network like 192.168.1.0/24, run Auto Discovery and scans for this range, and then add a second network like 192.168.12.0/24. When the discovery for this second network completes, you may find there are two entries for the same server with two different IP addresses like 192.168.1.217 and 192.168.12.23.

This could occur because VDR is unaware that the ranges are two networks in the same facility, and the server is a machine that moved from one floor to another in the same building. These are seen as two entities due to the unique combination of Network, Edge Service, and Team.

Prevent This Scenario

To prevent duplicate assets due to this scenario, start with larger Auto Discovery ranges. In the previous simplified example, duplication would have been prevented by following these steps:

  1. Add the larger Auto Discovery range of 192.168.0.0/20.
  2. Exclude all ranges except 192.168.1.0/24 from the first Auto Discovery scan.
  3. After the initial discovery and scans have run, remove the exclusions and then run the discovery again.
  4. VDR recognizes the already-discovered asset if none of the other fingerprints have changed and updates the record rather than creating a new one.
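The exclusion list for step 2 can be computed rather than worked out by hand. The following is an added example, not part of the VDR documentation or product: it assumes exclusions can be entered as CIDR blocks, and the helper names `exclusions_for` and `is_scanned` are hypothetical. It also generalizes the article's case by accepting more than one in-scope subnet.

```python
import ipaddress

def exclusions_for(umbrella, in_scope):
    """CIDR blocks covering `umbrella` minus every network listed in `in_scope`."""
    umbrella = ipaddress.ip_network(umbrella)
    remaining = [umbrella]
    for cidr in in_scope:
        keep = ipaddress.ip_network(cidr)
        if not keep.subnet_of(umbrella):
            raise ValueError(f"{keep} is not inside {umbrella}")
        carved = []
        for block in remaining:
            if keep.subnet_of(block):
                # Split this block around the subnet we want to scan.
                carved.extend(block.address_exclude(keep))
            elif not block.subnet_of(keep):
                carved.append(block)  # untouched by this subnet
        remaining = carved
    return sorted(remaining)

def is_scanned(ip, umbrella, excluded):
    """True if `ip` is inside the range and not covered by any exclusion."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(umbrella):
        return False
    return not any(addr in block for block in excluded)

UMBRELLA = "192.168.0.0/20"      # larger range from the article's example
FIRST_SCAN = ["192.168.1.0/24"]  # only subnet scanned in the first pass

if __name__ == "__main__":
    excluded = exclusions_for(UMBRELLA, FIRST_SCAN)
    print("Exclude for first scan:", ", ".join(map(str, excluded)))
    # The two addresses the article gives for the same server.
    for ip in ("192.168.1.217", "192.168.12.23"):
        print(ip, "scanned in first pass:", is_scanned(ip, UMBRELLA, excluded))
```

Both example addresses fall inside the /20, so once the exclusions are removed the second discovery runs against the same range and can update the existing record.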

Network Configuration

If the Edge Service or Team is the same, but assets are duplicated, look at the fingerprint information for the assets to see if there are differences by opening the Server record and selecting the Fingerprint icon.

Though the name and IP may be the same in the UI, there may have been changes to other details that VDR uses to discover an asset, and those changes lead the system to create a new record. In these cases, a good understanding of the network and the devices through which scans are run will help you understand why this is happening.

Prevent This Scenario

To prevent this condition, work with your infrastructure teams to ensure the Edge Services have been deployed without obstruction from in-path devices, such as load balancers or other devices that intercept and forward traffic in a non-transparent way.

Multiple A Records and Reverse Records

If you see multiple records in the same Team with the same Edge Service and fingerprints, you may have multiple A records and reverse records set up intentionally. Follow the procedure below to determine if this is the case for your environment.

  1. Navigate to Activity Log from the System menu and search for M006 IP_INDUPLICATE.
  2. Review the description of the log entries to see if the IPs referenced do not match the target column.
  3. Perform an nslookup for each of the IPs referenced in the Description.
  4. Perform an nslookup for the hostname from the UI.

Only one reverse record will match the A record returned when the nslookup is performed against the hostname. If you review the configurations for each of the unique IP interfaces and they are the same, add the IPs that do not have both a forward and reverse lookup match to the exclusions list in the Auto Discovery Ranges and then delete the assets that are part of that Auto Discovery range. Do this by selecting the IP_INDUPLICATE from the target column in the results of the Activity Log Search M006 IP_INDUPLICATE where you have identified the source of the duplication.
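Steps 3 and 4 amount to a forward-confirmed reverse DNS check, which can be scripted when many IPs are involved. The following is an added example, not part of the VDR documentation or product: the function names, hostname, and addresses are constructed, and it assumes the hostname shown in the UI is fully qualified.

```python
import socket

def forward_ips(hostname):
    """A records for the hostname (step 4); uses the system resolver."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except OSError:
        return set()

def reverse_name(ip):
    """Reverse name for the IP (step 3), or None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _norm(name):
    # Compare names case-insensitively and without the trailing root dot.
    return name.rstrip(".").lower()

def classify(hostname, ips, forward=forward_ips, reverse=reverse_name):
    """Split IPs into those with both a forward and reverse match, and the rest."""
    a_records = forward(hostname)
    result = {"matched": [], "exclude": []}
    for ip in ips:
        ptr = reverse(ip)
        both = ip in a_records and ptr is not None and _norm(ptr) == _norm(hostname)
        result["matched" if both else "exclude"].append(ip)
    return result

# Constructed sample data standing in for live DNS answers.
SAMPLE_HOST = "app01.corp.example"
SAMPLE_A = {"app01.corp.example": {"10.10.1.20"}}
SAMPLE_PTR = {
    "10.10.1.20": "app01.corp.example.",      # forward and reverse agree
    "10.10.2.20": "APP01.corp.example.",      # reverse only, no A record
    "10.10.3.20": "app01-bkp.corp.example.",  # reverse points elsewhere
}

def demo():
    """Run the check offline against the constructed records above."""
    return classify(
        SAMPLE_HOST,
        ["10.10.1.20", "10.10.2.20", "10.10.3.20", "10.10.4.20"],
        forward=lambda h: SAMPLE_A.get(h, set()),
        reverse=SAMPLE_PTR.get,
    )

if __name__ == "__main__":
    print(demo())
```

Called without the `forward` and `reverse` arguments, `classify` queries the system resolver, which may also consult the local hosts file; the IPs under `exclude` are the candidates for the Auto Discovery exclusions list.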

DNS Scavenging Not Maintaining Pace with IP Assignment

After ruling out duplication due to Teams, Edge Service, and intentional DNS record duplication, if you find multiple records for a single hostname with many different IP addresses, your DNS scavenging may not be keeping pace with the assignment of addresses. This is often seen in environments where remote workers connect multiple times per day but are issued a different IP each time because the lease has a short expiry period. These assets register their name with DNS multiple times throughout the day. If DNS scavenging is not configured to age out records at the same interval as the release of the IP addresses, there will be multiple records for your hostname. VDR takes the first name offered when the DNS server is queried. This leads to the creation of records with that name and IP combination, regardless of accuracy in that moment.

This is by far the most difficult issue to identify and clean up. If you find yourself in this scenario and you have ruled out Edge Service or Team assignment and verified the fingerprints are all the same, then you should contact your DNS administrator. Find out if there are multiple entries for the same hostname and ask them to delete the older stale records while you delete the older entries from VDR manually.

The methods of preventing this condition are likewise quite limited since they are reliant on the configuration of DHCP lease times, DNS scavenging, how often your scans and discoveries are run, and the behavior of your own users. Where possible, DHCP reservations can be helpful but cumbersome to maintain, so it is recommended that organizations focus on having a well-tuned DNS infrastructure.

 
