NTA agreement with router Netflow information

I have a large flow moving through a router:

RouterX#sh ip flow top

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Se0/0:1       216.235.91.31   Fa0/0.134     10.x.y.z        06 0050 0C01    28M

However, if I search for the public IP address in NTA, it shows up only on the next hop router upstream from RouterX, not on router X itself, despite the fact that I have both "ip flow ingress" and "ip flow egress" configured on the serial interface for router X.

Any idea what's wrong here? It seems to me that I should see this traffic in Orion NTA on RouterX as well.

  • I'd add to this that if I look in the "Today" view in NPM, it shows that I've transferred several hundred megabytes across the serial link, but the NTA interface detail shows less than 2 megabytes transferred. Something doesn't add up here...

  • Can you post a screen shot of what you are seeing?

  • Here's the bytes transferred from NPM:

    And here's the interface details from NTA:

    The interface detail diagram looks like it's showing only the control plane packets.

  • jswan,

    Do you have your ip flow ingress and egress statements configured on the physical serial interface or on your sub-interface? If you have sub-interfaces configured, it's been my experience that you won't see all your traffic unless you configure the ip flow statements on your sub-interfaces. You also have to monitor the sub-interfaces in Orion.

    Hope this helps!

  • The serial interface has no subinterfaces; everything is configured on the physical interface (the ":0" in the interface name is due to the fact that it's an MFT-T1 card). I tried adding the ip flow commands to the FastEthernet subinterfaces too, but that doesn't make a difference.

  • The problem turned out to be in the NPM module instead of the NTA module. I had all of the interfaces selected in the NTA configuration, but in the NPM configuration only the physical interface was monitored, not the FastEthernet subinterfaces. This caused the NTA statistics for the serial interface to be incorrect because the software didn't know what to do with the FastEthernet subinterface indexes in the Netflow packets. So the moral of the story is to have all interfaces that packets traverse monitored in both NTA and NPM.

  • FYI, one option to consider is navigating to the NTA settings area and enabling "Allow monitoring of unmanaged interfaces". This way, if at least one of the interface indexes in the received flows maps to an Orion managed interface, NTA will accept the flow data.
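
The mismatch resolved in this thread can be checked from the export itself. The following is an added example, not part of the original discussion and not SolarWinds code: it parses a NetFlow v5 datagram and totals bytes by how many of each flow's input/output ifIndex values are in the monitored set, so traffic like the 28M flow lands in the "one" bucket. It assumes the router exports NetFlow v5; the ifIndex numbers, addresses and the sample datagram are constructed.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes


def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram shorter than its record count implies")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield {"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
               "in_if": f[3], "out_if": f[4], "bytes": f[6]}


def classify(flows, monitored):
    """Total bytes by how many of a flow's two ifIndexes are monitored."""
    totals = {"both": 0, "one": 0, "none": 0}
    unknown = set()  # ifIndexes seen in flows but absent from the monitored set
    for fl in flows:
        hits = sum(idx in monitored for idx in (fl["in_if"], fl["out_if"]))
        totals[("none", "one", "both")[hits]] += fl["bytes"]
        unknown |= {fl["in_if"], fl["out_if"]} - monitored
    return totals, unknown


def build_sample():
    """Constructed datagram; assumed ifIndexes: 3 = serial, 1 = Fa0/0, 12 = Fa subinterface."""
    def rec(src, dst, in_if, out_if, octets):
        # TCP (6), source port 80 (0x0050), destination port 3073 (0x0C01)
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           in_if, out_if, 100, octets, 0, 0, 80, 3073,
                           0, 0, 6, 0, 0, 0, 0, 0, 0)
    recs = [rec("198.51.100.31", "10.0.0.5", 3, 12, 28_000_000),  # out via unmonitored subif
            rec("10.0.0.9", "192.0.2.7", 1, 3, 1500)]             # both interfaces monitored
    return HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0) + b"".join(recs)


if __name__ == "__main__":
    totals, unknown = classify(parse_v5(build_sample()), monitored={1, 3})
    print(totals, "unmonitored ifIndexes:", sorted(unknown))
```

A large "one" or "none" total, together with the listed ifIndexes, points at interfaces that still need to be added to monitoring.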