BE7000M Sensor Cannot Reach Manager on Security Onion 2.4.201 (sobridge Missing)

[bounc4]

Topic

Cisco BE7000M (UCS C240) sensor is unable to reach the manager or join the grid on Security Onion 2.4.201, while identical configuration works on Dell hardware.

Background

I’m looking for guidance or confirmation from the community/maintainers regarding Cisco BE7000M (UCS C240) hardware compatibility with Security Onion 2.4.x, specifically in a sensor role.

In our environment, a BE7000M sensor was previously operational prior to 2.4.190, but since upgrading and later performing a clean install, the sensor is no longer able to communicate with the manager.

Environment

Security Onion Version: 2.4.201

Deployment Type: Distributed (Manager + Sensors)

Network: Air-gapped

Manager: Standard x86 server

Working Sensor Hardware: Dell PowerEdge R430

Non-Working Sensor Hardware: Cisco BE7000M (UCS C240)

NICs on BE7000M:

enp6s0f1

enp6s0f2
(both interfaces are UP)

Observed Behavior
Dell PowerEdge R430 (working sensor)

Can ping the manager

Successfully joins the manager

sobridge appears under ip addr

Sensor functions normally in SOC

Cisco BE7000M (non-working sensor)

Cannot ping the manager

All network connectivity tests result in 100% packet loss / no response

Sensor never joins the manager

sobridge interface is missing from ip addr

ip route get reports:

Correct interface

Correct source IP

Source IP exactly matches what is configured under:

SOC → Administration → Configuration → Firewall → Sensor

Network Test Results (BE7000M)

All of the following result in no response / 100% packet loss:

ping

ping -I enp6s0f1

ping -I enp6s0f2

TCP connectivity tests to required ports (443, 4505, 4506, 8220)

Despite this, routing appears correct at the OS level.

Troubleshooting Performed

Verified routing with ip route get

Verified both NICs are UP

Confirmed sensor IP is present in SOC firewall sensor hostgroup

Verified Salt functionality on manager and working sensor

Attempted NetworkManager adjustments (managed interfaces, route metrics)

Tested interface-specific connectivity

Tested both:

Upgrade path: 2.4.200 → 2.4.201

Fresh install of 2.4.201

Direct comparison against a Dell R430 sensor in the same architecture

Key Questions for the Community

Are there any known considerations or limitations when using Cisco UCS / BE7000M hardware as sensors in Security Onion 2.4.x?

Has anyone successfully deployed 2.4.200+ sensors on Cisco UCS / BE platforms?

Are there known issues related to:

Cisco VIC / UCS NIC drivers

Offload behavior

Fabric or kernel networking behavior
that could prevent sobridge creation or L3 connectivity?

At this time, I have not found documentation or existing GitHub issues indicating that BE7000M hardware is unsupported.

Additional Notes

The behavior appears hardware-specific

The BE7000M sensor worked prior to 2.4.190

The environment is air-gapped

I can provide masked command outputs or logs if requested

Goal of This Discussion

I’m trying to determine whether this is:

a known hardware compatibility issue,

a UCS-specific networking consideration,

or something else I should be configuring differently on this platform.

Any insight or confirmation from maintainers or others running UCS hardware would be greatly appreciated.

[cm-ops]

Can you share the /root/sosetup.log from you clean install?

[cm-ops]

If you check curl -s $MSRVIP:4505 --connect-timeout 5 (replace the variable with your manager's IP) is that able to connect?

[bounc4]

Commands below went through with no problem:

Curl – :4505 –connect-timeout 5

Curl – :4506 –connect-timeout 5

Commands below came back with Ncat: No route to Host

nc -zv 4505

nc -zv 4506

[cm-ops]

How about nc -vz to port 22? Does that work?

[bounc4]

It came back with: ncat no route to host.

[cm-ops]

What does ip r show? Is there a route to the manager?