Hi everyone. This may not be the place for this but wanted to see if anyone else has experienced this issue. I have a support case open but they appear to be pretty backlogged at the moment so haven’t gotten anything back.
I’m seeing issues with the last scan date not updating on assets. This seems to be mainly occuring on Linux devices or items like printers as I haven’t seen this occur on a Windows system. As an example I have a Red Hat server that is showing the last scanned date on the Asset page in InsightVM as 25 days ago. If I select to scan the asset from this page a new scan will run and complete. I’m showing credential success and get vulnerability data from the scan. The interesting part is that the scan engine is listed as N/A in the scan result and the last scanned date does not update on the asset page for the system. I have tried manually scanning and selecting a specific scanner (multiple times) and see the same result.
The only way I have found to fix this is to delete the asset and run a new scan. When I do that the asset loads back into InsightVM and everything looks correct. However even after this if I try to run another scan on the device we are back to the scan date not updating again. This is less than ideal as since the scan data doesn’t seem to be syncing the assets still report as vulnerable even though the most recent scan shows that they are not.
For the scan jobs that are not updating the last scan date if I pull the scan logs I can see the scanner is able to login and run vulnerability checks and from the logs everything looks like its running correctly. The issue only appears when the scan job completes.
Like I said I do have a case open with support and provided screenshots as well as scan logs just wanted to check in here and see if anyone else has run into this issue? Thanks.
We have been facing the same issue since upgrading to v6.6.123 and have also opened a support case.
When did you open your ticket with support? Have you heard anything back yet? I have a few tickets open in the last week that haven’t gotten any replies yet. One for this scanning issue and another for Remediation Projects that no longer appear to be working.
We opened a ticket 2 weeks ago and the issue is still being investigated by the support. Hopefully it will be solved soon.
I am seeing the same issue on v6.6.127.
We have the same issue. We opened our Ticket on 1/18 with no resolution still.
I have had this problem since the 11 January update on my Linux servers. I scan them every night, but the vulnerabilities assessed date doesn’t change to the last scan, it remains on the 12th January scan which was completed on the server. From what I understand from support it was something to do with the “improvements” in that release.
One fix we have identified is our service provider has cloned some of the assets, so we are seeing duplicated OS UID’s on the servers. Support has a fix for this which involves adding the UID to a file on the console to prevent asset linking occurring.
This fix is not helping with all of assets which we have problems on.
From what I understand N/A on the scan means that the results are not being properly integrated into the database.
On our main console we have asset linking enabled, on our secondary console we have it disabled. I am seeing the exact same issue on our secondary console which suggests something else is not right since that update.
I have another session with support as no matter what I do, I can’t integrate the results to our DB for hundreds of our servers.
Well I was hoping 6.6.127 would resolve the issue but from the note above that does not appear to be the case. I have tried deleting assets and rescanning them. That does seem to work but then I loose the historical data on the asset so I’m trying not to do that. I’m only seeing this as an issue on Linux or Linux based devices and not on all of them. I haven’t seen any replies on my recent support cases so if one of you gets any information if you could post it here that would be appreciated. It would be nice if support would have some sort of live chat function as opposed to just going back and forth via email.
This is the replay I got on Friday -
Therefore it is possible you are being affected by 2 independent scenarios at play
UUID is causing assets to correlate in an expected manner due to the way our asset correlation algorithm works
You have assets that are encountering a situation related to the new defect i.e. Assets complete scanning as expected, the results from said scan should get integrated into the Asset page of said asset but they dont show up.
If you have an asset that encounters the first step then its easily checked by following the following steps in the GUI
Browse to the Site the asset is a member of
Browse to the scan history of the site
Click on the date of the recent scan you know the asset would have been scanned in
Once in the scan page, search for the IP address of the example asset you want to check
Click on the IP address within the scan page of said asset
You will now be in the Scan data section of this asset, the URL at the top of the page should end in something like “nodeid=xxxx”
once you are in the nodeid page you can see what attributes we obtained from the asset in question i.e. IP, Hostname, MAC Address, UUID. These are the majority of the attributes that feed into the algorithm, with UUID being the one attribute that carries a 100% weighting. That means if we find the UUID and it is the same as another asset’s UUID they will correlate
in the nodeid page there is a hyperlink that says “See Asset Page”
See Asset Page will bring you to the asset that the scanned data will integrate with. You can compare the correlation attributes here to get an idea of why it would have correlated e.g. matching UUID
Now for the 2nd scenario the “See Asset Page” hyperlink would bring you to the asset you were expecting it to be correlated to but it will simply not have any of the scanned data integrated to it e.g. Scan date would not be updated with the new scan date and the vuln count etc will not change
No ETA has been provided yet for a fix, its very frustating …
Fix is now expected tomorrow