How can I view the Discovery blacklist?

Josh Smith
Giga Contributor

Hello. I have been fighting with getting consistent, SUCCESSFUL discoveries completed, and it seems like there are many issues around classification and identification that are still lingering. With that being said, I have noticed a lot of inconsistencies between my test instances vs production instance with regard to successful network scans, which has led me to wonder if I have CIs, or even complete networks, that have been blacklisted for some reason. Some CIs/networks are successful in the test instance but not in production, yet there is nothing different between the two as far as configuration goes.

This has been very challenging, so any help would be much appreciated.

8 REPLIES

Hi, just guessing here ... as a possible explanation for the "extra IP" you can check the support article - there seem to be some target devices that have multiple IPs in the same range, or the same IPs in different ranges - that makes Discovery work unreliably. Consider approaching the Network team and asking them to provide you with a network diagram with the exact equipment (with IPs and IP ranges) deployed there.

Hope it helps.

Josh Smith
Giga Contributor

That would not explain how the test instance discovers the CIs at these IPs while the Production instance does not. Keep in mind Discovery is using the same MID servers and configurations.

Hi. You asked how to view the "Discovery blacklist"; open the configured IP ranges and check the tab "Discovery Range Items Excludes" there. However, since you already confirmed these are instances of the same configuration that use the same MID servers but only one instance can discover a full range, I would suggest raising a case with SN support.

Hope it helps.

tim_broberg
ServiceNow Employee

How are the devices being discovered? SSH? SMTP? Windows?

For SSH, the "blacklist" is short-lived (5 minutes?) and simply serves to prevent repeated timeouts for the same IP.

SMTP can be finicky because it's UDP-based and timeouts look exactly like auth failures.

Duplicate IPs simply indicate that the same CI got discovered on another IP. You can do a Quick Discovery on that IP to see it discovered there, but you really don't want to run a full discovery on every IP for a CI, so the Identifier Engine just picks one.
- Tim.