jswan

Comments

  • njoylif, it sounds like there are no ASAs in the path of the traffic, so I don't think he's going to be able to set up an ASA capture as you describe. Jeremy, can you post a sanitized version of your entire router config? By sanitized, I mean remove all passwords and public IP addresses?
  • I always try to have a loopback interface set up as the source for all my management traffic. That way I can have a nice simple management template: ip flow-export source loopback0 ip tacacs source loopback0 logging source loopback0 ip tftp source loopback0 etc etc
  • I don't think you can create a UnDP for jitter because the data requires a table join, which UnDP won't do. I must be missing something then... it seems as simple as setting up the IP SLA operation on the router, reading the value for rttMonLatestJitterOperAvgJitter (OID 1.3.6.1.4.1.9.9.42.1.5.2.1.46) and putting it a…
  • Most edge routers are configured to do dynamic NAT (aka PAT) on the outside interface. If this is the case with yours, you'll need to configure a static NAT translation on the edge router for the outside devices to talk to the NTA server. It's not enough to just allow the NDE packets through the ACL unless you're not doing…
  • My setup is very similar to the one Deltona posted and query performance is miserable at 100% retention. No problems with write performance, problems on the poller, etc., but query performance is the thing that users care about. If I drop it to 97% it's acceptable. Not sure what you're getting at with respect to the Cat…
  • I have been having the same problem and had a case open with support, but it got referred to development and I haven't heard back yet. I rebooted the server and the problem went away for a little while, then reappeared. I then realized that the problem was only with my account. So I went into SQL Enterprise Manager and…
  • Can you configure the 7E to send the TOS information? Table 32-3 in this doc makes it sound like it's supported: www.cisco.com/.../fnf.html
  • We are monitoring what we can with Solarwinds products. It works OK, but I'm intrigued by the advertised capabilities of some of the higher-end NetFlow vendors in this area.
  • As far as I know, "ip route-cache flow" is just the deprecated version of "ip flow ingress". I don't think there's any reason to use it on new platforms. I personally haven't had a problem with ifIndex IDs changing under me, but I can't see how enabling that command would cause a problem. Regarding seeing the traffic in…
  • If it's a regular Layer 2 switch port: no, you can't do that just with NTA alone. However, one workaround would be to mirror the port to nProbe and collect NetFlow from there. If you search Thwack for "nProbe" you'll find quite a bit of information on this.
  • The workaround that came back from development was to embed an iframe as a Custom HTML element, using a link to the desired NetFlow resource as the iframe source. This works OK, although the graphs look a little funny.
  • Thanks Chris--I had never noticed that option before!
  • I see no drawbacks to storing syslog indefinitely using archived text files like you can get with Kiwi. I have years and millions of syslog messages compressed and archived in less than 10 GB of disk space. Very occasionally, they come in handy for a forensic-type security issue or when investigating a difficult problem,…
  • The problem with that solution is that I don't know in advance what messages I want to count. I have a *nix scripting background rather than a Windows one, so I ended up solving this by using a shell script completely outside Kiwi. I installed Cygwin on the Kiwi server and built two shell scripts: #!/bin/bash /usr/bin/grep…
  • Thanks Chris. I definitely want to be able to do it either way. Don't forget the bug report for IOS pipe filters... :-)
  • "^" only signifies negation of a single character if it's inside brackets. Otherwise it represents the start of a line. Now that said, the config-block version does work if you use ^username to anchor the line start. Otherwise you also match different commands that might also contain "username". So the working config looks…
  • You can't do it with native Solarwinds tools. I use Bro (installed as part of the amazing open-source Security Onion) to monitor HTTP headers and DNS queries. With the current 10.04 version of Security Onion you need a fair amount of Linux CLI skill to use the Bro logs effectively. In the 12.04 version (currently in beta)…
  • A couple of follow-up questions/comments: 1) Where do I find Traffic View Builder? 2) If I try to add a multi-port application for UDP 32768-65535, the UI seems to get stuck in a loop. It keeps asking if I'm sure I want to add the application. During this time, the Orion web interface is unresponsive (i.e., if I open…
  • Not sure about the current release, but in earlier releases the node IP address in NPM had to be the same as the NetFlow source address. But since you're not receiving netflow packets on the NPM host at all, that's not your problem. Until you are seeing NetFlow packets received on the NPM host, you're not going to get…
  • If you absolutely need NetFlow in an environment with low-end Cisco switches, you can create a SPAN session or tap, then use nProbe to inspect the raw packets and export NetFlow based on that: www.ntop.org/nProbe.html I haven't deployed nProbe in production, but I've tested this feature in a lab and it seemed to work as…
  • I believe all of the ASA series firewalls support NetFlow in versions 8.2(2) and later. IIRC, the ASAs use a somewhat customized version of NetFlow v9 that needs explicit support in the collector (and I'm pretty sure NTA supports this).
  • My guess is that 8417 is the client source port and NTA is miscategorizing it based on that. If you run a "netstat -b" on the client and server you should be able to figure out what processes are using the port. Failing that, try a packet capture.
    in eSpeech Comment by jswan February 2011
  • You don't need to delete/re-add the whole node. You could just do the NIC... at least from what I've seen.
  • Cisco's dynamic NAT implementation tries to use the same source port on the outside as the client does on the inside. If the source port is already in use, it tries the next available port, incrementally. In theory, you can narrow down stuff like this by searching for inside hosts using a source port in the same range…
  • Yeah, Richard is correct. The key phrase from the competitor's post: "NetFlow export can not be used for complete bandwidth monitoring or Billing purposes." The reason the older switches can't do NetFlow export for bandwidth monitoring is that they simply don't have the correct ASIC for it. That's why the expansion module…
  • Here's a Thwack thread that has some links to information on using nProbe with NTA.
  • Just to be absolutely clear: there's a big difference between reverse DNS resolution and host header extraction. Reverse DNS resolution gives you the PTR record for the associated IP address (if there is one), but that may or may not have anything to do with the website hosted at that IP address. Commercial hosting…
  • I don't have that specific problem (seeing multi-port unmonitored traffic) after enabling "monitor all ports", but even so, there's no way to use NTA to completely profile all traffic for a host that talks on lots of different ports. This is because you can't get more than the top 100 results for any given NetFlow search,…
  • If you're using tunnel keepalives, the line protocol on the tunnel interface should go down if the other side is unreachable. Assuming you live in Cisco land: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml The "no keepalive" command is not what you want; you want to be doing GRE…
  • Check out the DS1 Active DS0s MIB objects: CISCO-POP-MGMT-MIB:cpmDS1ActiveDS0s 1.3.6.1.4.1.9.10.19.1.1.9.1.3.0.0 Seems to work OK for us as a UnDP.