This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Receiving Netflow From unmanaged interfaces with extremely high index numbers

NTA 4.2.0, NPM 12.0

I'm receiving thousands of NTA error messages from a handful of routers with the unmanaged interface numbers being bogus (i.e., extremely high interface numbers.)

Here are a couple of instances from one of the nodes where this is currently happening:

12/9/2016 7:43 AM    NetFlow Receiver Service [STLWSOLPOLPRD09] is receiving flow data from unmanaged interface '#1936291840' on Router1 and it does not support SNMP. Click the "Add this interface" to manage interface and process its flow data. 
12/9/2016 7:43 AM    NetFlow Receiver Service [STLWSOLPOLPRD09] is receiving flow data from unmanaged interface '#543977327' on Router1 and it does not support SNMP. Click the "Add this interface" to manage interface and process its flow data. 
12/9/2016 7:43 AM    NetFlow Receiver Service [STLWSOLPOLPRD09] is receiving flow data from unmanaged interface '#1634299424' on Router1 and it does not support SNMP. Click the "Add this interface" to manage interface and process its flow data.

In the case of this router alone, these error messages will number in the mid- 6,000s for the day.  Multiple this by at least 6 nodes for which I've noticed this, and it's a lot of processing that the system is doing for what appear to be bogus interfaces in the Netflow data.  This also causes the Windows Application Event log to roll several times per day, as each of these events is logged.  Also, the Netflow service on the poller is dying and restarting multiple times per day, which may or may not be caused by this issues (separate case open for that already).

The only thing I can find common to these nodes is they are all Cisco ISR 4351s.  I could find nothing in Cisco's bug reports related to Netflow and interface indexes, so hoping someone else has encountered this and knows of a fix/workaround.

Many thanks!

  • I recently had the same issue. After looking into I found out that my SNMPv3 encryption method was recently changed on the node I was monitoring but was not changed within NPM. The only was I was able to get rid of those unmanaged interfaces from NTA was to re-add the node with the correct SNMP settings. Without SNMP, NPM can't get the actual name of the interface and when NTA receives traffic from an "unknown interface" it seems to assign it a random number from what I have noticed. I may be wrong about the whole random interface number but what I have above fixed my issues with said case.

  • Ours got fixed after the device was rebooted...I know its not always possible but, it is what worked after looking into the issue for a few months