Submit a ticketCall us

Systems Monitoring for Dummies
Our new eBook will teach you the fundamentals and help you create monitors and alerts that are effective, meaningful, and actionable. Monitoring is more than a checkbox on your to-do list. This free eBook will give you practical advice to help you succeed in all aspects of monitoring – discovery, alerting, remediation, and troubleshooting. Don’t miss out on this indispensable resource for newbies, experienced IT pros, and everyone in between. Register Now.

Home > Success Center > Netflow Traffic Analyzer (NTA) > Netflow showing more bandwidth than NPM charts and allowed by circuit

Netflow showing more bandwidth than NPM charts and allowed by circuit

Table of contents

Overview

Cases are generated due to Netflow charts showing more bandwidth utilization than NPM interface charts and/or allowed by circuit.  For example a T1 (1.5 Mbps) showing spikes of 10 MB or double the traffic

This can be due to the configuration of the device or interface bandwidth setting in Solarwinds NPM.  The make and model of the device can make a difference on the troubleshooting steps to take.

Environment

  • Applies to any Network device, including routers, switches, and also any vendor

Steps

Why use “Active timeout “

 

Most devices will have an “active timeout’ setting that will need to be set to 1 minute.

NOTE: Cisco ASA firewalls do not support any of these settings so there is nothing that can be done to eliminate the spikes except for version 8.4.5 and 9.1 (2) or higher.

For Cisco ASA 8.4 (5) or 9.1 (2) or higher, use the following command:

flow-export active refresh interval 1

 

These commands can be applied to most devices that emulate Cisco IOS software:

For Netflow version 5 or standard version 9, the setting below will need to be set as follows to ensure all active flows are exported every 1 minute.  (NOTE: Default is 30 minutes and this causes spikes when there are long-lived packets.)

  • router-2621(config)#ip flow-cache timeout active 1

When using Flexible Netflow with a Flow Record the following  setting be applied to the Flow Monitor:

  • cache timeout active 60  (NOTE this will ensure that all cache data is exported every 1 minute.  Depending on the IOS this could 15-30 minutes)
    • Example of the final configuration of the "Flow Monitor":

 flow monitor JEENetFlow-MonitorNBAR
 description Original Netflow captures
 record JEENBARipv4
 exporter JEENetFlow-to-OrionNBAR

cache timeout inactive 10
cache timeout active 60
  (In order to export flow data every one minute and avoid high peaks

 

Ingress or Egress

Having the following configurations set on the interfaces will cause the data to be doubled if the customer has multiple interfaces configured as Netflow sources, and when comparing the Netflow interface charts to NPM interface charts.

The following commands are configured on multiple interfaces on the same device.

  • ip flow ingress
  • ip flow egress

 

The rule of thumb is as follows

When you only monitor one interface on the device and want data to be displayed in both directions, set the following commands on the interface:

  • ip flow ingress
  • ip flow egress

 

When you monitor multiple interfaces on the same devices, then just the following command on all interfaces Netflow data are collected from should be configured. Even though only the ingress command has been enabled data will be collected for both directions since each PDU will contain the input and output interface.

  • Ip flow ingress

 

Check Netflow Sources in the NTA settings to ensure the device does not have sampling enabled. If this was set, depending on the value, this would multiply the data. 

 

If these setting are configured correctly and data is still not being displayed as expected, verify that the bandwidth setting for the interface is set properly to match the actual interface speed.

 

  1. Node Mangement
  2. Expand the node
  3. Select the interface
  4. Select Edit Properties
  5. Verify Bandwidth
  6. Set Custom Bandwidth if necessary

 

 

Last modified

Tags

Classifications

Public