
NTA 4.4.0 flow data from unmanaged interfaces on ASA

Last 200 Unknown Traffic Events is showing many, many events from ASAs with somewhat random numeric interface numbers:

11/5/2018 8:33 AM    NetFlow Receiver Service [RedactedServerName] is receiving flow data from unmanaged interface '#-420822234' on RedactedASA-Context  and it does not support SNMP. Click the "Add this interface" to manage interface and process its flow data.

The interface number appears to be interpreted as a signed integer, and of course, these numbers do not exist elsewhere in Orion. If I scrape the page into Excel and sort, the numbers are somewhat sequential around a few different root numbers. Rediscovering the ASA does not change the behavior.

These events are happening many times a second. We see this on multiple Orion servers.

Has anyone already opened a support case on this and solved it?

=Foonly=

  • I have submitted support case # 00207774 on this.

  • Hi foonly,

    Did you get any response to your case? We have the same issue at the minute.


    Thanks

    T

  • I sent them packet captures.

    I missed one WebEx due to higher priority work, and then we had schedule conflicts. Waiting to hear back on the next proposed WebEx.

    It's odd that the same ASA works fine with one Orion server, but the other server sees the phantom numbered interfaces. Probably some sort of database linkage problem.

    =foon=

  • Hi foonly,

    I have a call open too - Case # - 00210619.

    Provided captures, SNMP walk etc. Most recent update is they have asked us to set the flow-export delay flow-create to 60. I cannot see it making a difference but will set it, to rule it out. The device is a customer's so we have to jump through approval hoops to make changes, which is slowing things down.

    Can you clarify what you mean by it was working with one Orion server but not another? Do you mean different Additional Pollers of the same environment or different instances of Orion?

    Have you had any luck recently?

    Thanks

    Tony

  • Tony -

    We have 3 separate installs of Orion with NTA 4.4.0. We monitor local 5585s with each, plus one of the other site's 5585s on one site.

    • Site A gets the flow data from unmanaged interface from ASA A, and from ASA C
    • Site B gets the flow data from unmanaged interface from ASA B
    • Site C gets no flow data from unmanaged interface from ASA C

    All 5585s have identical NetFlow settings and are running the same ASA code in multi context mode.

    All 3 sites also have smaller model ASAs in single context mode, no flow data from unmanaged interface at all. Same NetFlow setup, same ASA code version.

    HTH,

    =seymour=

  • I spent some time with a SolarWinds engineer via Webex. He looked at the live capture via Wireshark, and could not find the phantom interfaces in the flow packets. This convinces me even more that this is not an ASA issue.

    He tried uninstalling and reinstalling a couple of modules, and initially, it looked like it had fixed it, but after about 5 or 10 minutes (even though I poll at 1 minute intervals), the events for phantom interfaces started happening again on both servers.

    So I'm waiting for advice from him as to the next steps to take.

    =Foonly=

  • Hi foonly,

    Thanks for the update.  I was doing a similar thing this morning and couldn't find the 'phantom' interfaces in the captures either.

    The flow captures from the ASA say 'no template found' and in my support case the engineer is saying that means it is an issue with the ASA and for me to contact Cisco.

    Tony

  • Thanks to Israel Daiz of SolarWinds, we no longer have the phantom interfaces.

    The fix was to uninstall and reinstall the JobEngineV2.msi and CollectorInstaller.msi from C:\ProgramData\Solarwinds\Installers in an elevated cmd window. Be sure to nuke the files in C:\ProgramData\Solarwinds\Collector\Data as specified in the 2nd link below.

    https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/Knowledgebase_Articles/Reinstall_rebuild_Solarwinds_Job_Engine_v2

    https://support.solarwinds.com/Success_Center/Orion_Platform/Knowledgebase_Articles/Reinstall_or_rebuild_Orion_core_collector_services

    I have no clue why 2 out of 3 servers got this problem. I'm sure it has to do with past problems and entropy. I look forward to doing fresh installs of W2K16 on all 3, and reinstalling everything.

    =Foon=

  • Well, after uninstalling the TFTP server that came with the Engineers Toolset from one of my servers and rebooting it to fix inability to download configs via SNMP/TFTP, the phantom ASA NetFlow interface problem came back.

    So I'm going to uninstall all SolarWinds software and reinstall it on the affected server. That fixed a different server - well, that one has stayed fixed through at least 1 reboot.

    Sigh,

    =Foon=