5 Replies Latest reply on Aug 11, 2010 11:42 AM by Jan.Krivanek

    Netflow 3.7 RC3 issue.


      We installed NTA 3.7 yesterday on our test environment (NPM V10 SP1)  and we are noticing that Orion is dropping a lot of the packets being sent from the switches.  We are only monitoring the WAN link on the switch and that interface has been added to the test environment but we are only seeing a small percentage of the information we should be seeing.

        This is very much like the issue we used to have before the "Allow monitoring of flows from unmanaged interfaces." was added.  That selection is currently checked but we are still getting information dropped.

        This is Sflow data from HP procurve 5400 switches.   Our live environment is working fine Orion NPM v10 SP1 with NTA 3.6.

        • Re: Netflow 3.7 RC3 issue.

          Is it just Sflow data that is being dropped?

            • Re: Netflow 3.7 RC3 issue.

              Yes just Sflow data.  Other link information within Orion is reporting properly.  For instance NPM is reporting the link currently at 10Mbps while Netflow shows the traffic at 800kbps.

                • Re: Netflow 3.7 RC3 issue.

                  sFlow protocol can use sampling technology to lower the impact of high traffic monitoring. Then you actualy see just the sample of the traffic which can be used to spot top talkers etc. but you would need to multiply the numbers by sampling rate to get approximate results.

                  Your issue seems that there can be sampling in place. If yes then you would need to use sflow sampling command (e.g. sflow <1-3> sampling N, where 1-3 is the sFlow instance, ports list is the port(s) setup for sFlow, and N is the number of sampled packets (to sample every 100 packets set N to 100)).

                  If this is not caused by sampling, then I would suggest collecting sample pcap on the recevier machine, diagnostics, and opening support ticket, so that we can closely investigate your case.


                    • Re: Netflow 3.7 RC3 issue.

                      Again, this is not a new setup by any means on our end.  We have over a thousand nodes on our live system all running just fine on our live system giving acurate information.  On our test system when NTA v3.6 was installed it too was giving acurate information on the small number of nodes we had pointed to it.  This is a new development since the 3.7 install, no config change has been made on the switches themselves.

                       Port  | Sampling                       Dropped    | Polling
                               | Enabled  Rate   Header Samples    | Enabled Interval
                       ----- + -------  --------     ------      ----------  + -------       --------
                       A1      Yes(1)         50    128   22624750   Yes(1)        30
                       A2      Yes(1)         50    128           9391   Yes(1)        30

                      What I am concerned about is since we updated to 3.7 our dropped samples on the monitored interfaces has sky rocketed as you can see from the info from the switch.

                      If you would like I can do a packet trace and open up a ticket.