Submit a ticketCall us

AnnouncementsAre You “Flying Blind?”

When it comes to your complex IT infrastructure, you want to ensure you have a good grasp of what’s going on to avoid any fire drills that result from guesswork. Read our white paper to learn how proactively monitoring your IT environment can help your organization while giving you peace of mind.

Get your free white paper.

Home > Success Center > Netflow Traffic Analyzer (NTA) > NTA - Knowledgebase Articles > Netflow showing more bandwidth than NPM charts and allowed by circuit

Netflow showing more bandwidth than NPM charts and allowed by circuit

Table of contents


Cases are generated due to Netflow charts showing more bandwidth utilization than NPM interface charts and/or allowed by circuit.  For example a T1 (1.5 Mbps) showing spikes of 10 MB or double the traffic

This can be due to the configuration of the device or interface bandwidth setting in Solarwinds NPM.  The make and model of the device can make a difference on the troubleshooting steps to take.


  • Applies to any Network device, including routers, switches, and also any vendor


Why use “Active timeout “


Most devices will have an “active timeout’ setting that will need to be set to 1 minute.

NOTE: Cisco ASA firewalls do not support any of these settings so there is nothing that can be done to eliminate the spikes except for version 8.4.5 and 9.1 (2) or higher.

For Cisco ASA 8.4 (5) or 9.1 (2) or higher, use the following command:

flow-export active refresh interval 1


These commands can be applied to most devices that emulate Cisco IOS software:

For Netflow version 5 or standard version 9, the setting below will need to be set as follows to ensure all active flows are exported every 1 minute.  (NOTE: Default is 30 minutes and this causes spikes when there are long-lived packets.)

  • router-2621(config)#ip flow-cache timeout active 1

When using Flexible Netflow with a Flow Record the following  setting be applied to the Flow Monitor:

  • cache timeout active 60  (NOTE this will ensure that all cache data is exported every 1 minute.  Depending on the IOS this could 15-30 minutes)
    • Example of the final configuration of the "Flow Monitor":

 flow monitor JEENetFlow-MonitorNBAR
 description Original Netflow captures
 record JEENBARipv4
 exporter JEENetFlow-to-OrionNBAR

cache timeout inactive 10
cache timeout active 60
  (In order to export flow data every one minute and avoid high peaks


Ingress or Egress

Having the following configurations set on the interfaces will cause the data to be doubled if the customer has multiple interfaces configured as Netflow sources, and when comparing the Netflow interface charts to NPM interface charts.

The following commands are configured on multiple interfaces on the same device.

  • ip flow ingress
  • ip flow egress


The rule of thumb is as follows

When you only monitor one interface on the device and want data to be displayed in both directions, set the following commands on the interface:

  • ip flow ingress
  • ip flow egress


When you monitor multiple interfaces on the same devices, then just the following command on all interfaces Netflow data are collected from should be configured. Even though only the ingress command has been enabled data will be collected for both directions since each PDU will contain the input and output interface.

  • Ip flow ingress


Check Netflow Sources in the NTA settings to ensure the device does not have sampling enabled. If this was set, depending on the value, this would multiply the data. 


If these setting are configured correctly and data is still not being displayed as expected, verify that the bandwidth setting for the interface is set properly to match the actual interface speed.


  1. Node Mangement
  2. Expand the node
  3. Select the interface
  4. Select Edit Properties
  5. Verify Bandwidth
  6. Set Custom Bandwidth if necessary



Last modified