3 Replies Latest reply on Dec 23, 2016 9:46 AM by jxchappell

    Unknown Traffic from IP that is already the IP of Managed Node

    Steve Dolinsky

      I noticed the following event in our event logs;

       

       

       

       

      I checked documentation and there are two solutions:

       

      NTA events for unmanaged device - SolarWinds Worldwide, LLC. Help and Support :

      1. Change the Polling IP address in Orion that is managing the device to match the IP address the flow is coming from.

                Example:  Netflow Export IP address 10.1.2.3

      OR

         2. Change or enter the following command with the interface that contains the IP address NPM is managing the device by:

                ip flow-export source interface with IP address 10.1.2.3

       

       

       

      I followed the 1st solution and I went to go check the polling IP address and found that the IP matches the "unknown" IP.

      I also confirmed that netflow was enabled for node and interfaces.

       

      Does anyone know how to force NTA to resolve the "unknown" traffic to the correct IP?

       

       

        • Re: Unknown Traffic from IP that is already the IP of Managed Node
          yaquaholic

          Bump....

           

          I too have two devices, both fully monitored in NPM, that NTA is declaring as unknown sources.

          Both of these nodes that are displaying this issue are all NAT addresses, could that be the problem?

          • Re: Unknown Traffic from IP that is already the IP of Managed Node
            jxchappell

            Funny enough I have spent the last 2 weeks trying to figure this out and I believe I have a solution

             

            What I did was, manage the device(s) that show up in that event list...I was able to discover them and add them to NPM a second time...it seems counter-intuitive but it will start collecting data from NTA on that device

             

            The reason for this, at least in our environment, after talking with a Network Engineer here, we were sending Netflow data out of a VRF interface on the Node...this seemed to also be crashing the Netflow service on my pollers...as of this morning, the service has not crashed in 2 days and I am receiving full data...I'm not sure if this is happening to you but if you check the Netflow data around the time of the message coming in, you might see a minute or two of missing data while the service recovers on the collector

             

            We are planning on changing the flow data to go through the loopback interface and see what that does...that way if it works on the original nodes, I can remove the duplicate second nodes I added after seeing the message in the Events for NTA.  For what its worth this seems to be affecting 3 of our ~150 nodes we monitor through Netflow alone...we have ~2000 nodes in NPM

             

            I do have a ticket open with SW on this...and they have some other ideas but I might be sticking with where I am right now.

             

            We are running NTA 4.1.2 with NPM 12.0.1...no hotifxes on NTA

             

            Let me know if you have any more detailed questions you want answered

             

            Jason