I have seen the scan take longer when the "Use Nmap for Port/OS Detection" option is set to no; if you enable this option, does your scan take less time?
Also, the "..." shown in the IP Address Range parameter shown in your screenshot could indicate that there are additional addresses entered in this field; could you please expand this column to verify that the range is limited to only 254 IP addresses?
Before trying this configuration the Nmap option was active, but the scan was taking the same time. Moreover, with Nmap enabled FootPrints creates a "discovered device" for every possible IP of the subnet even if many IPs are not connected to any device.
You're right, I took the screenshot for a wider scan (in fact that scan took about 5 hours to complete), but I did scans on one small subnet only (254 IPs) and they took an average of 45-50 minutes to complete.
In your experience, how long should a scan of one subnet with no remote inventory take?
In the past I used Numara Track-IT and its Asset Discovery is very fast (but it can't do any remote inventory): just a few minutes for a subnet.
I defined a second Asset Discovery Scanner and assigned it the same scan configuration and a single-subnet (254 IPs) target.
The scan duration has been the same: 50 minutes. In that subnet there are only 18 devices (236 unreachable).
I took a screenshot of the result and the log of the scan if you need further details.
It depends on how many devices are active on the subnet, but I would expect that it shouldn't take the 45-50 minutes you are seeing unless the entire range is populated.
I believe the long scan time and the false positives with nmap enabled are related (nmap believes there is a device at every IP, and is launching a port scan for each IP, rather than only the IPs with active devices). We have had reports of similar behavior, and have found 2 ways to avoid these false positive results:
- Use an Asset Discovery scanner which is on the same subnet as the targets. In most cases customers who have reported this behavior are using a scanner which is not on the same subnet as the targets, and a firewall or router is returning traffic to the scanner which appears similar to the traffic returned by an active device.
- Update a script file to change the parameters used by nmap during the scan. This changes the criteria nmap uses to determine if there is something at an IP address, and has prevented these false positives in other cases.
If you would prefer to edit this script file, please follow the steps below to make the change:
- On the system designated as the Asset Discovery scanner, go to the \Program Files\BMC Software\FootPrints Asset Core\Client\data\RemoteInventory\chl\ directory, and open the nmap_scan.chl file in any text editor
- Search the file for "-PS" (without the quotes). You should see 2 similar lines:
szCmdLine += " -PS21,25,80 --version-all"
szCmdLine += " -PS21,25,80 -PO --version-all"
- Change the -PS portion to -PA; after the edit these lines should be:
szCmdLine += " -PA21,25,80 --version-all"
szCmdLine += " -PA21,25,80 -PO --version-all"
- Save the file, and retry the scan.
If either of these methods prevent the scan from creating the device records for unassigned IPs, please submit a support ticket so we can associate you with the development issue regarding this behavior.
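As an added illustration (not from the thread and not part of BMC's nmap_scan.chl script), a small Python check that reads nmap greppable (-oG) output and flags a sweep in which nearly every address in the range reported "Up", which is the symptom described above; the two sweeps it inspects are constructed samples, one with all 254 addresses up and one with the 18 real devices from the thread.

```python
import re

# One nmap -oG host line looks like: Host: 10.1.1.5 (name)\tStatus: Up
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(Up|Down)", re.M)


def parse_greppable(text):
    """Return {ip: 'Up' | 'Down'} from nmap greppable output (host-discovery lines only)."""
    return {ip: status for ip, status in HOST_RE.findall(text)}


def discovery_stats(text, range_size=254):
    """Count hosts reported up; addresses absent from the output count as down."""
    hosts = parse_greppable(text)
    up = sum(1 for status in hosts.values() if status == "Up")
    return {"up": up, "down": range_size - up, "up_ratio": up / range_size}


def looks_spoofed(stats, threshold=0.9):
    """Flag a sweep where almost every address answered. On an ordinary access
    subnet that usually means an intermediate device, not the hosts, replied,
    and each of those addresses will become a bogus discovered device."""
    return stats["up_ratio"] >= threshold


def make_sample(up_ips, range_size=254, prefix="10.1.1."):
    """Constructed -oG output: 'Up' for the given last octets, 'Down' otherwise."""
    lines = ["# Nmap scan initiated (constructed sample)"]
    for n in range(1, range_size + 1):
        status = "Up" if n in up_ips else "Down"
        lines.append(f"Host: {prefix}{n} ()\tStatus: {status}")
    lines.append("# Nmap done (constructed sample)")
    return "\n".join(lines)


# Constructed sweeps of the same /24: the thread's symptom (every address up)
# and the expected result (18 real devices, 236 silent addresses).
BROKEN_SWEEP = make_sample(set(range(1, 255)))
HEALTHY_SWEEP = make_sample({1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 20, 21, 22, 30, 40, 50, 60, 254})

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SWEEP), ("healthy", HEALTHY_SWEEP)):
        stats = discovery_stats(text)
        print(name, stats, "SUSPECT" if looks_spoofed(stats) else "ok")
```

Running it against the -oG file of a real sweep (nmap -sn -oG out.txt ...) before the script edit, and again after it, shows whether the -PA change actually removed the phantom hosts rather than just shortening the scan.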
Thank you for the reply.
I changed that parameter on the test scanner and the scan completed in about 10 minutes without false positives. Good!
But... it only worked on the same subnet as the scanner. I tried on a different subnet and the scan took 42 seconds, but it did not find any device.
The customer I am working for has about 2000 clients spread over about 25 subnets. Is there a way to have a quick scan without having to define a scanner for every subnet?
I assume you have already verified that there are no firewalls blocking traffic between the scanner and the target subnets; if this is correct, I suspect the scan is timing out due to the low timeout values shown in your screenshot. By default, these timeouts are set to 5m and 6h:
Could you try increasing these timeouts and running the scan again?
After updating the script on the scanner and restoring the default timeouts, the scan was executed correctly and relatively fast: about 6-8 minutes for a subnet with about 100 devices. This is OK!
Are there any best practices suggested by BMC for regularly scanning a network with about 1500 devices spread over about 25-30 subnets?
I don't have many general suggestions about setting up Asset Discovery, as the configuration is dependent on how many devices are being scanned, how many scanners are available to perform scans, how often the scans need to be run to collect updated information, and the topology of the network. In general:
- If possible, when scanning remote sites, designate a scanner at each location rather than use a centralized scanner. Performing the scan over WAN or VPN links will be much slower than using a scanner at the remote site, and uploading the results only.
- Ensure any firewalls between the scanner and the targets have been configured to allow the scan traffic to pass through.
- Each scanner can only perform one scan at a time. For large numbers of subnets, adding more scanners will reduce the amount of time needed to scan all targets.
I realize this thread is over 2 years old, however, I am having a similar issue. We are running BCM 12.5. I looked at the script and it appears like this now:
szCmdLine += " -PS21,25,80 -PA21,25,80 --version-all"
szCmdLine += " -PS21,25,80 -PA21,25,80 -PO --version-all"
We have about 7,000 devices spread across about 300 different subnets located in several different cities.
Our management wants to run an asset discovery scan on the entire network at 30 minute intervals. I am looking for any suggestions.
For scans that you want to run that often I would suggest the following:
- Stand up a Linux box with BCM Agent installed and make that device a relay (create one for each geographical location based on network topology; mesh vs. spoke-and-hub will determine the topology). Also take into consideration bandwidth and any QoS set up on your L3 switches/routers/firewalls.
- Create your target list so that it is no more than /21 (2046 IP addresses). Using Linux will be more efficient and faster than a Windows device.
- Configure the Module for each scanner to NOT collect Hardware or Software (This will cause the scan to run much faster and reduce the size of the data that integrates with the DB and Network traffic)
- Understand what you are trying to accomplish:
  - Security - What devices are on the WAN (create alerts for new hardware found without an agent)
  - ITAM Compliance - All devices get an agent (Windows, macOS, Linux); create device groups needing an agent based on rollout server location and OS
- Use Cronspec scheduling to reduce scanning during off-peak hours (why scan so frequently when offices are closed?)
- Ensure you CLEAN UP older discovered devices using an Op Rule and a dynamic group using a query (where Last Update < ?)
- If an agent is installed on all possible targets, then the need to upload hardware and software inventory becomes redundant with needless overhead.
- Configure the Linux device as per instructions - increase the maximum number of open files / file descriptors (FD) on Linux devices
- Make sure HIDS, NIDS and DIDS are configured properly (ACLs) to allow scanners to do their job and are not blocked by local AV firewalls (defaults are to block port scans), network switches, etc.
In regards to this statement "Create your target list that is no more than /21 (2046 IP addresses)":
We have only had successful scans using CIDR /24. We have tried others but the scans never complete after 3 days of executing. We are currently using 12.1. Was this fixed in 12.5?
Same issue I am facing for one of my clients; I am using BCM 12.1.