1 Reply Latest reply on Sep 18, 2014 7:18 AM by peter.ksenzsigh

    Strange behavior with Watch List alert

    patriot

      I am seeing some strange and apparently incorrect behavior with the default Watch List alert in UDT.

       

      I added the MAC address for three employees' smartphones to the UDT watch list. The Layer 2 and 3 polling jobs run every 60 minutes.

       

      The alert seems to be very late in being sent and even triggers when the phone has been out of the building (and off the network) for quite a while. Another example... I arrived at work three hours ago, at which point my phone attached to the WiFi, but I have yet to get an alert saying my phone has been detected.

      One employee left the office at approx. 9:45AM, and I got an alert at 10:06AM saying his phone was detected. The "Last Seen" data for the phone had a time value of 9:51AM. How can the phone have been detected if it had been off the network for 6 minutes? Why 15 minutes to get the alert? Does this all go back to the intervals for the UDT polling jobs? Could it be related to stale information from the switch being polled?

       

      Thanks for any help.

        • Re: Strange behavior with Watch List alert
          peter.ksenzsigh

          Hi Patriot,

          once polling detects a device, the alert should be sent immediately. Polling interval however defines the time when the device can be detected unless SNMP traps are enabled.. Reason for the alert being sent even if the device is already gone could be too long ARP table flush interval in combination with long polling interval...

          Is there any problem in making the polling shorter?

          Peter