jswan

Comments

  • This would be a huge value and a great selling point.
  • The Pix 501 does not support NetFlow in any code version. You can get some idea of the traffic flowing through a Pix by looking at the xlate tables, but if you need flow information you're going to need to look at something other than the Pix in the network. ntop might be worth looking at if you can get access to a SPAN…
  • I also use it mostly for WAN tunnel links. The new DPI capabilities in Cisco IOS that make TCP RTT and packet loss reporting possible over NetFlow are pretty exciting from this perspective; now we have to wait for analyzer vendors to catch up.
  • Thanks! This variation got me what I'm looking for without modules and such: select n.Caption, ncc.chassisserialnumber from Nodes n inner join NCM_NodeProperties ncm on n.NodeID=ncm.CoreNodeID inner join ncm_cisco_chassis ncc on ncm.NodeID=ncc.NodeID
  • Check to make sure you have 64 bit counters enabled in your NPM monitoring config for that node. Having a 32-bit counter overrun will screw up your calculations completely.
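The counter-overrun problem from the comment above, worked through in code. This is an added example, not code from the original thread or from SolarWinds: it computes throughput from two SNMP octet-counter polls, shows the garbage a naive delta produces when a 32-bit counter wraps, and shows the upper bound on poll interval past which even wrap-aware arithmetic cannot save a 32-bit counter. All poll values are constructed.

```python
# Added example, not code from the original thread: computing interface
# throughput from two SNMP octet-counter polls, showing how a 32-bit counter
# wrap corrupts a naive delta and how far wrap handling can actually go.
# All poll values below are constructed.

WRAP32 = 2 ** 32
WRAP64 = 2 ** 64


def counter_delta(prev, curr, bits=64):
    """Octets moved between two polls of a monotonic counter.

    Handles exactly one wraparound. A counter that wrapped twice (or a device
    that rebooted and restarted from zero) is indistinguishable here; real
    code should also compare sysUpTime between polls.
    """
    modulus = WRAP32 if bits == 32 else WRAP64
    if curr >= prev:
        return curr - prev
    return curr + modulus - prev


def bits_per_second(prev, curr, interval_s, bits=64, wrap_aware=True):
    """Throughput in bit/s; wrap_aware=False reproduces the naive subtraction."""
    delta = counter_delta(prev, curr, bits) if wrap_aware else curr - prev
    return delta * 8 / interval_s


def max_poll_interval_s(link_bps, bits):
    """Longest poll interval at which a saturated link wraps the counter at most once."""
    modulus = WRAP32 if bits == 32 else WRAP64
    return modulus * 8 / link_bps


# Constructed scenario: a 100 Mbit/s link saturated for a 300 s poll interval
# moves 3,750,000,000 octets. ifInOctets (32-bit) started at 4,000,000,000 and
# wrapped once; ifHCInOctets (64-bit) simply kept counting.
PREV32, CURR32 = 4_000_000_000, (4_000_000_000 + 3_750_000_000) % WRAP32
PREV64, CURR64 = 4_000_000_000, 4_000_000_000 + 3_750_000_000

if __name__ == "__main__":
    print("naive 32-bit:", bits_per_second(PREV32, CURR32, 300, 32, wrap_aware=False))  # negative
    print("wrap-aware 32-bit:", bits_per_second(PREV32, CURR32, 300, 32))  # 100000000.0
    print("64-bit:", bits_per_second(PREV64, CURR64, 300, 64))  # 100000000.0
    print("32-bit counter safe at 1 Gbit/s only if polled at most every",
          round(max_poll_interval_s(1e9, 32), 1), "s")  # 34.4
```

The last line is the practical point: at 1 Gbit/s a 32-bit octet counter wraps roughly every 34 seconds, so at a typical 5-minute poll interval no amount of wrap handling recovers the real value, and the 64-bit (HC) counters are the only correct source.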
  • You guys are right--it seems the delay in loading is due to the "top 5 applications" resource, which takes FOREVER to load. I had never noticed it before since I rarely look at it. I removed the resource from the view and now it works correctly. Thanks!
  • In brief, I want a nicely formatted text file (maybe XML or JSON?) in which I can define advanced alerts in a well-documented syntax, then upload to the server. If that's not feasible, then documentation of how to do it with raw SQL would be better than nothing. In the case mentioned above, I had to change the trigger…
  • Pretty sure... I'm downloading the raw SNMP data and summing the values in the "received" column in order to distinguish between transmit and receive. I currently have a ticket open on this; awaiting further info.
  • I have messed around with this a bunch and at this point I can't remember which of the following regexes works, because I left them all enabled. But I no longer have the problem... maybe try them one by one until you get it working. ^[^\w]+\bquit\b[\t\r\n\v\f]* ^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed ^[…
  • I never got around to testing it, since we have v9 exporters on either side of our Checkpoints, and the less we have to touch them the better.
  • ESP doesn't run over TCP/UDP (unless you're tunneling ESP through them), it's a separate layer 4 protocol. ESP is protocol 51 (whereas TCP and UDP are 6 and 17 respectively). Hence, it doesn't have port numbers. I would look under "monitored protocols" in NTA settings, but in my install it's monitored by default.
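To make the "separate layer 4 protocol, no port numbers" point concrete, here is a minimal NetFlow v5 datagram parser. It is an added example, not code from the original thread or from SolarWinds: each 48-byte v5 record carries a one-byte protocol number plus 16-bit source and destination port fields, and the parser only reports ports for TCP and UDP, returning None for everything else. The protocol names come from the IANA protocol-number registry; the sample datagram is constructed locally, not captured from a real exporter.

```python
# Added example, not code from the original thread: a minimal NetFlow v5
# datagram parser. Layer-4 protocol is the 1-byte "prot" field of each 48-byte
# record; the srcport/dstport fields are only meaningful for TCP and UDP, so
# the parser reports None for everything else. The sample datagram is
# constructed locally, not captured from a real exporter.
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}  # IANA numbers
PORTED_PROTOS = {6, 17}


def parse_v5(packet):
    """Decode one NetFlow v5 export datagram into a header dict plus flow dicts."""
    if len(packet) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, _sampling = HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError(f"truncated datagram: header announces {count} records")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad, tcp_flags, proto, _tos, *_rest) = RECORD.unpack_from(
            packet, HEADER.size + i * RECORD.size)
        ported = proto in PORTED_PROTOS
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "in_if": in_if, "out_if": out_if,
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "sport": sport if ported else None, "dport": dport if ported else None,
            "tcp_flags": tcp_flags if proto == 6 else None,
            "pkts": pkts, "octets": octets,
        })
    return {"sequence": seq, "sys_uptime_ms": uptime, "unix_secs": secs, "flows": flows}


def _record(src, dst, proto, sport, dport, pkts, octets):
    """Pack one constructed v5 record (the exporter side of this demo)."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                       1, 2, pkts, octets, 1000, 5000, sport, dport,
                       0, 0x18 if proto == 6 else 0, proto, 0, 0, 0, 24, 24, 0)


# Constructed datagram: one HTTPS flow and one ESP flow (the exporter writes
# zero into the port fields for protocols that have none).
SAMPLE_PACKET = (HEADER.pack(5, 2, 123456, 1_700_000_000, 0, 42, 0, 0, 0)
                 + _record("10.0.0.5", "192.0.2.10", 6, 51514, 443, 20, 4800)
                 + _record("10.0.0.5", "198.51.100.1", 50, 0, 0, 300, 51000))

if __name__ == "__main__":
    for f in parse_v5(SAMPLE_PACKET)["flows"]:
        print(f["proto_name"], f["src"], f["sport"], "->", f["dst"], f["dport"], f["octets"], "octets")
```

The header's flow_sequence field is returned as well; a gap between consecutive datagrams' sequence numbers is the quickest way to tell that the collector is dropping exports.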
  • One notable characteristic of Skype that I've seen is small packets on high UDP ports to a large number of unique Internet hosts. I haven't figured out a way to use NTA to quickly find hosts with that traffic profile--maybe someone here can help.
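A first cut at the query the comment above asks for, as an added example that is not part of the original post and not a SolarWinds NTA feature: given flow records, it flags internal hosts whose UDP traffic goes to many distinct external peers on high ports with a small average packet size. The thresholds (20 peers, 200 bytes per packet, ports above 1023) and the RFC 1918 definition of "internal" are assumptions to tune; the flow records are constructed, not exported by a real device.

```python
# Added example, not code from the original thread: a first cut at the flow
# query the comment above asks for. It flags internal hosts whose UDP traffic
# goes to many distinct external peers on high ports with a small average
# packet size. Thresholds are assumptions to tune; the flow records are
# constructed, not exported by a real device.
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918); anything else counts as "Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_small_udp_fanout(flows, min_peers=20, max_avg_bytes=200, min_port=1024):
    """Return {host: {"peers": n, "avg_bytes_per_pkt": x}} for internal sources
    matching the profile. Flows are dicts with src, dst, proto, dport, pkts, octets."""
    peers, octets, pkts = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != 17 or f["dport"] < min_port:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        peers[f["src"]].add(f["dst"])
        octets[f["src"]] += f["octets"]
        pkts[f["src"]] += f["pkts"]
    hits = {}
    for host, dsts in peers.items():
        if pkts[host] == 0:
            continue
        avg = octets[host] / pkts[host]
        if len(dsts) >= min_peers and avg <= max_avg_bytes:
            hits[host] = {"peers": len(dsts), "avg_bytes_per_pkt": round(avg, 1)}
    return hits


def _flow(src, dst, proto, dport, pkts, octets):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "pkts": pkts, "octets": octets}


# Constructed records (external addresses taken from the documentation ranges).
SAMPLE_FLOWS = []
for i in range(30):   # 10.1.1.50: small packets, 30 distinct external peers, high UDP ports
    SAMPLE_FLOWS.append(_flow("10.1.1.50", f"203.0.113.{i + 1}", 17, 30000 + i, 12, 12 * 90))
SAMPLE_FLOWS.append(_flow("10.1.1.60", "203.0.113.200", 17, 53, 500, 500 * 80))  # DNS: low port, one peer
for i in range(30):   # 10.1.1.80: many peers but ~1200-byte packets (bulk UDP), not the profile
    SAMPLE_FLOWS.append(_flow("10.1.1.80", f"198.51.100.{i + 10}", 17, 50000 + i, 100, 100 * 1200))
for i in range(25):   # 10.1.1.90: small packets to many peers, but all of them internal
    SAMPLE_FLOWS.append(_flow("10.1.1.90", f"10.2.0.{i + 1}", 17, 40000 + i, 12, 12 * 90))

if __name__ == "__main__":
    print(find_small_udp_fanout(SAMPLE_FLOWS))  # {'10.1.1.50': {'peers': 30, 'avg_bytes_per_pkt': 90.0}}
```

The fan-out count is the discriminating feature: DNS and video streaming also use UDP, but they talk to one or two peers, and the packet-size check separates small-packet signalling from bulk transfers.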
  • I used to get the connection refused error all the time, then somebody on here suggested reducing the number of simultaneous connections in NCM. I hardly ever see the error anymore; I have around 180 devices, almost all of which use SSH and/or SCP.
  • Not sure if posts are being held for moderation now or what... I just typed a long reply and it didn't show up. The short answer is that this is expected behavior... IOS tracks flows based on the VirtualAccess interface rather than the Dialer interface. You can see this with "show ip cache flow".
  • SDEE is a "pull" protocol that retrieves IDS events from an event server as SOAP/XML documents using an SSL/TLS connection. In other words, it's completely unlike syslog. It seems like it would be a pretty big architectural change to support SDEE. If Solarwinds decides to go this direction with Kiwi I hope it doesn't turn…
  • That works perfectly. Thanks!
  • I have not tested this in several years, but it used to be that you couldn't export NetFlow through a "classic" IPSec tunnel (i.e., one configured with crypto maps on the physical interfaces). You had to use one of the other tunnel types, like an IPSec-encrypted GRE tunnel. I do not know if this is still the case in more…
  • lchance, have you tried the "ip flow ingress layer2-switched vlan x" command? Works fine for me on the 6513 with NTA. The big problem with NetFlow on the Catalyst 6500 series in general is that depending on which PFC/DFC you have, the NetFlow TCAM is limited to 128k or 256k entries, which means that if you have a…
  • You cannot do this with NetFlow because NetFlow doesn't capture the data in the HTTP header. You need the actual HTTP header because it is extremely common for web servers to host many sites at the same IP address; simple reverse DNS does not work for this type of tracking. As mmelton stated, a web filtering appliance is…
  • I would be careful about inferring too much information from this technique. Many web servers host multiple sites on the same physical hardware and differentiate them with HTTP host headers; thus the PTR record that NTA resolves for the IP address might return a hostname different from the website that was actually…
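The virtual-hosting point made in the two comments above, shown in code. This is an added example, not code from the original thread or from SolarWinds: it pulls the Host header out of raw HTTP/1.x requests to a shared server IP and sets the result beside the single PTR name a flow tool would resolve for that IP. The requests and the reverse-DNS table are constructed; nothing is looked up on the network.

```python
# Added example, not code from the original thread: identify the site a client
# actually requested from the HTTP Host header, and compare it with the single
# PTR record a flow tool would resolve for the destination IP. Requests and the
# reverse-DNS table are constructed; no network lookups are made.
import re

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def extract_host(request):
    """Host header of a raw HTTP/1.x request (lower-cased, port stripped), or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines or not REQUEST_LINE.match(lines[0]):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().lower().decode("ascii", "replace")
            return host.rsplit(":", 1)[0] if re.search(r":\d+$", host) else host
    return None  # HTTP/1.0 clients may omit Host entirely; nothing to attribute


def sites_per_ip(observations, ptr_table):
    """observations: (dst_ip, raw_request) pairs. Returns, per IP, the PTR name
    and the sorted set of Host names actually requested."""
    seen = {}
    for ip, request in observations:
        entry = seen.setdefault(ip, {"ptr": ptr_table.get(ip), "hosts": set()})
        host = extract_host(request)
        if host:
            entry["hosts"].add(host)
    return {ip: {"ptr": e["ptr"], "hosts": sorted(e["hosts"])} for ip, e in seen.items()}


# Constructed traffic: three sites served from one shared IP, plus a Host-less
# HTTP/1.0 request that cannot be attributed to any site.
OBSERVATIONS = [
    ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("192.0.2.10", b"GET /cart HTTP/1.1\r\nhost: shop.example.net\r\nAccept: */*\r\n\r\n"),
    ("192.0.2.10", b"POST /login HTTP/1.1\r\nHost: Blog.Example.org:8080\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.10", b"GET /old HTTP/1.0\r\nUser-Agent: legacy\r\n\r\n"),
]
PTR_TABLE = {"192.0.2.10": "vhost-17.hosting.example"}  # constructed reverse DNS

if __name__ == "__main__":
    for ip, info in sites_per_ip(OBSERVATIONS, PTR_TABLE).items():
        print(ip, "PTR:", info["ptr"], "Host headers seen:", info["hosts"])
```

The flow record for all four requests is the same 5-tuple; only the payload, which NetFlow does not export, tells the three sites apart, and the PTR name matches none of them.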
  • Just to add to what Andy said... I think the appropriate MIB would be the CISCO-CIDS-MIB: ftp.cisco.com/.../CISCO-CIDS-MIB.oid ftp.cisco.com/.../CISCO-CIDS-MIB.my But from looking at it, it doesn't look like the stuff you want is available at all via SNMP. Also, the IPS doesn't support event monitoring via syslog. It's…
  • What about the "execute command script" function? How has that changed?
  • The problem with editing the resource properties is that it appears to change the default zoom properties for all users who can view that resource. This is very annoying! I want the old way back.
  • If you really need to get WLC traffic analysis integrated with the Solarwinds NPM suite, you could mirror the WLC's uplink port(s) to a Solarwinds QoE sensor. That would give you more granular data than you'd get out of the WLC's custom NetFlow export anyway.
  • AFAIK you can't use a basic NFv9 template in the 5508, so yes, you'd need to make a feature request.
  • Verify that the IP address used to manage the device in NPM is the same as the address that's exporting NetFlow. You can change the latter with "ip flow-export source-interface" if you're using standard NetFlow v5 or v9.
  • To get destination port information, use the Applications filter in Flow Navigator, or use the Top N Applications report under "Historical NetFlow Reports" in the Reports page. Unfortunately I don't think there's a way to get source port information out of NTA.
  • You might need the "mls nde sender version 5" command. Without this, all my data plane flows were exported as version 7.
  • I haven't tried it, but I would think you could build a custom device template to have the Linux box TFTP the files to NCM for comparison.
  • Use "conversations", but use an interface detail view instead of a summary or node view. Why? I don't know, but I get the same results as you unless I use the interface detail view.