14 Replies Latest reply on May 26, 2010 2:29 AM by islamm

Detecting flapping devices

GregD Mar 24, 2009 3:25 PM

Hello all :-)

I have my advanced alerts set up to not alert unless a node has been down for 4 minutes, which works well to ward off spurious alerts because of high WAN utilization, etc. However, this can mask a flapping circuit and/or device from us, if if flaps up and down within the 4 minute window. Has anyone found a good way to detect this, and alert on it? I've seen several threads on the forum about it, but none that gave a good answer on how to set up the alerts.

Thanks :)

Re: Detecting flapping devices

tonyled Mar 25, 2009 8:47 AM (in response to GregD)

have you tried setting up traps or a syslog alert?
i set up an alert via syslog to send me an email whenever this happens and it works really well
Like Show 0 Likes(0)

Actions
- Re: Detecting flapping devices
  
  DirtySouth Mar 26, 2009 10:14 AM (in response to tonyled)
  
  That would be really helpful. Would you mind posting your filter configuration?
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: Detecting flapping devices
    
    GregD Mar 26, 2009 11:59 AM (in response to DirtySouth)
    
    X2 - I'd like to see the config. Are you basing the "flap" on getting X number of "Device/Interface up" traps in a specified time period?
    
    Like Show 0 Likes(0)
    
    Actions
    - Re: Detecting flapping devices
      
      neilmborilla Mar 26, 2009 9:52 PM (in response to GregD)
      
      You have to setup the configuration on your network device to forward syslog or events to NPM server.
      
      From syslog console you can configure the ALERTS.
      
      From my experience NPM does not detect or trigger alert when the device or interface flapped,especially in WAN. That's for the syslog to cover the detection
      
      Like Show 0 Likes(0)
      
      Actions
      - Re: Detecting flapping devices
        
        islamm Apr 13, 2010 9:23 AM (in response to neilmborilla)
        
        Following on from above.
        The syslog message of "link flap" is not detected for some certain end devices. Switch log only reports up/down status. Advanced alert manager has been configured to show up/down status but does not pick up the flapping.
        I have also configured syslog alerts to notify me when there is a flapping port based on string "changed to up", "changed to down". Problem is, it reports even when users are pluggin/unpluggin their laptops etc.
        Has anyone found a way to get this reported correctly?
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Detecting flapping devices
        
        borgan Apr 13, 2010 11:08 AM (in response to islamm)
        
        Try designating the interface as "unpluggable" in Node Management. That should keep it from being included in down interface alerts.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Detecting flapping devices
        
        islamm Apr 15, 2010 6:04 AM (in response to borgan)
        
        Thanks for the reply. The solution you have suggested I still think it does not really answer the question of detecting a flapping port/interface.
        
        We would like to detect ANY flapping port. Whether this may be a:-
        Uplink
        User interface
        Serial Connection
        Server Interface etc tec
        
        As I understand it from SW, Orion Polling engine cannot pick up any flap detection, hence they had suggested to use SNMP or SYSLOG's to pull the information from. But this presents the problem as described above. If I use either the SNMP TRAP MIB "SNMPv2-MIB:linkUp" or "SNMPv2-MIB:linkdown" or syslog string "changed to up", "changed to down", it will pick up erroneous alerts when multiple users are connecting/disconnecting their machines simultaniously.
        The other problem is, some of the flapping interfaces do not get written to syslog as 'flap' but only reported as up/down. So specifying the 'flap' does not really work for syslog alerts.
        
        By specifying "unplugged", how would that work?
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Detecting flapping devices
        
        islamm May 12, 2010 6:43 AM (in response to islamm)
        
        Is anyone able to answer the above? I have not found a solution to this yet. Solarwinds has also been unable to provide any examples of how this would be achieved. This leads me to believe, is this even possible?
        
        The 'unplugged' feature is only to surpress alerts on specified interfaces.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Detecting flapping devices
        
        Questionario May 12, 2010 7:22 AM (in response to islamm)
        
        no, it is not possible (except for alerting on a syslog message that tells you that an interface is flapping of course)
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Detecting flapping devices
        
        bshopp May 12, 2010 8:58 AM (in response to islamm)
        
        We added a new feature in v10 for SNMP traps which allows you to define an action to change the status of an interface that was done exactly for this use case.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Detecting flapping devices
        
        islamm May 25, 2010 6:44 AM (in response to bshopp)
        
        I have failed to understand how a basic feature for any network administrator has not been incorparated in any of the previous releases for Solarwinds.
        Anyway, I have managed to get this working in v9.5.1 by use of custom SQL scripting which groups # of flaps by its hostname. This report is then displayed on the home page which refreshes with up to date data every 3 minutes. This works pretty well, but still have not managed to get it emailing out yet.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: Detecting flapping devices
        
        bshopp May 25, 2010 8:06 AM (in response to islamm)
        
        If you upgrade to 10 you can use the new feature there and have it email you or use any of the other action available in trap viewer.
        
        Like Show 0 Likes(0)
        
        Actions
Re: Detecting flapping devices

r0berth1 May 25, 2010 3:26 PM (in response to GregD)

In Syslog Viewer i setup an alert and included part of a syslog message that shows *flapping* and set it to alert if it happens 10 times per hour. This has been working fine for me and sends me an email on all flapping that goes on.
Like Show 0 Likes(0)

Actions
- Re: Detecting flapping devices
  
  islamm May 26, 2010 2:29 AM (in response to r0berth1)
  
  Yes thats all good if Cisco switch/router is reporting it as 'flapping' in the logs then syslog on SW would pick it up.
  However, if the logs on the Cisco device is not seeing/reporting it as 'flapping' but only 'up' and 'down' status (10-50 times a minute or >) then syslog does not really work. If I was to use the method you suggested say with a threshold of 20, then syslog would only report back on the instance/message when it hits count 20. Now on count 20, it could be a user plugging in/out etc. There appears to be no way of tieing down the hosts/nodes with their own individual syslog counts in Solarwinds/Syslog application.
  See the problem I was faced with?
  However, I have managed to come up with a solution myself after much looking around and sleepless nights!
  I have created a report with custom SQL which looks in the syslog table and groups the number 'down' messages where the message originated from (i.e. hosts/nodes). I then speicfied a threshold of 60min with 'down' messages > 20. This report is then imported into the home page which gets refreshed every 3min. :)
  
  Like Show 0 Likes(0)
  
  Actions

Go to original post