Submit a ticketCall us

Announcing NCM 7.7
With NCM 7.7, you can examine the rules that make up an access control list for a Cisco ASA device. Then you can apply filters to display only rules that meet the specified criteria, order the rules by line number or by the hit count, and much more.
See new features and improvements.

Home > Success Center > Netflow Traffic Analyzer (NTA) > Netflow showing more bandwidth than NPM charts and allowed by circuit

Netflow showing more bandwidth than NPM charts and allowed by circuit

Table of contents
Created by Joseph Esquitin, last modified by Joseph Esquitin on Mar 03, 2017

Views: 293 Votes: 2 Revisions: 9

Overview

Cases are generated due to Netflow charts showing more bandwidth utilization than NPM interface charts and/or allowed by circuit.  For example a T1 (1.5 Mbps) showing spikes of 10MB or double the traffic

There are a few reasons this can happen.  This can be due to the configuration of the device or interface bandwidth setting in Solarwinds NPM.  The make and model of the device can make a difference on the troubleshooting steps to take.

Environment

  • This applies to any Network device including routers and switches and also any vendor

Steps

Why use “Active timeout “

 

Most devices will have an “active timeout’ setting that will need to be set to 1 minute. NOTE: Cisco ASA firewalls do not support any of these setting so there is nothing that can be done to eliminate the spikes except for version 8.4.5 and 9.1 (2) or higher.

 

For Cisco ASA 8.4 (5) or 9.1 (2) or higher use the following command

 

flow-export active refresh interval  1

 

These commands can be applied to most devices that emulate Cisco IOS softwareNetflow version 5 or standard version 9 the setting below will need to be set as follows to ensure all active flows are exported every 1 minute.  (NOTE: Default is 30 minutes and this causes spikes when there are long lived packets.)

  • router-2621(config)#ip flow-cache timeout active 1

When using Flexible Netflow with a Flow Record the setting should as follows

  • cache timeout active 60  (NOTE this will ensure that all cache data is exported every 1 minute.  Depending on the IOS this could 15-30 minutes)

 

Ingress or Egress

Having the following configurations set on the interfaces will cause the data to be doubled if the customer has multiple interfaces configured as Netflow sources and when comparing the Netflow interface charts  to NPM interface charts

  1. The following commands are configured on multiple interfaces on  the same device.
    • ip flow ingress
    • ip flow egress

 

The rule of thumb is as follows.

When only monitoring one interface on the a device and want data to be displayed in both directions set the following commands on the interested interface

  • ip flow ingress
  • ip flow egress

 

When monitoring multiple interfaces on the same devices then just the following command on all interfaces should be configured where Netflow data is to be collected from.  NOTE: Even though only the ingress command has been enabled data will be collected for both directions since each PDU will contain the input and output interface.

  • Ip flow ingress

 

Check Netflow Sources in NTA settings to ensure the device does not have sampling enabled. If this was set depending on the value this would multiply the data. 

 

If these setting are configured correctly and data is still not being displayed as expected verify that the bandwidth setting for the interface is set properly to match the actual interface speed.

 

  1. Node Mangement
  2. Expand the node in question
  3. Select the interface in question
  4. -Select “Edit Properties”
  5. Verify bandwidth
  6. Set Custom Bandwidth if necessary

 

 

Last modified
18:51, 2 Mar 2017

Tags

Classifications

Public