Frequently Asked Questions


Installation

  1. When I try to access the web interface, another web server comes up. How does this happen?
  2. How can I change the MySQL port in NetFlow Analyzer from 13310 to another port?
  3. Can I install and run NetFlow Analyzer as a root user?
  4. Is a database backup necessary, or does NetFlow Analyzer take care of this?
  5. How do I apply an update patch in Linux?

Router Configuration

  1. Why can't I add a router to NetFlow Analyzer?
  2. My router has been set up to export NetFlow data, but I still don't see it on the Dashboard.
  3. I've deleted a router and all its interfaces through the License Management page but it still comes up on the Dashboard.
  4. What's the difference between unmanaging and deleting an interface?
  5. How do I configure the SNMP community on the router?
  6. How do I set the router time in SYNC with the NFA server?

Reporting

  1. The graphs are empty
  2. What are aggregate data and raw data? How do I set raw data?
  3. Some of the applications are labeled as "TCP_App" or something similar. What is that?
  4. Why are only the top 5 or 10 values shown in the reports? What if I want more detail?
  5. The graphs show only IN traffic for an interface, although there is both IN and OUT traffic flowing through that interface. Why's that?
  6. Why are some interfaces labeled as IfIndex2, IfIndex3, etc.?
  7. The total bandwidth usage seems to decrease depending on the length of the report. Why is that?

NBAR

  1. Which features are not supported by NBAR?
  2. Any restrictions on where we can configure NBAR?
  3. What Does NBAR Performance Depend On?
  4. Is performance dependent on the number of interfaces that NBAR is enabled on? Does the link speed of the interface(s) that NBAR is enabled on affect performance?
  5. I am able to issue the command "ip nbar protocol-discovery" on the router and see the results. But NFA says my router does not support NBAR, Why?
  6. How do I verify whether my router supports CISCO-NBAR-PROTOCOL-DISCOVERY-MIB?

V9

  1. What is NetFlow Version 9?
  2. What is the memory impact on the router?
  3. "Receiving non V5/V7/V9 packets from the following devices: Click here for further details.." What does this mean?
  4. Is version 9 backward compatible?
  5. What is the performance impact of V9?
  6. What are the restrictions for V9?
  7. How do I configure NetFlow Version 9?

Technical Information

  1. How is traffic information stored in the NetFlow Analyzer database?
  2. How do I reset the admin password?
  3. How are ports assigned as applications in NetFlow Analyzer?
  4. Do I have to reinstall NetFlow Analyzer when moving to the fully paid version?
  5. How many users can access the application simultaneously?
  6. NetFlow Analyzer logs out after a period of inactivity. How do I avoid that?
  7. How do I create the DBInfo log file?
  8. Why does the interface show 100% utilization?
  9. What information do I need to send to NFA support for assistance?
  10. How do I safely migrate an NFA installation to a different machine?
  11. What do I do if my NFA server becomes slow? (or) How do I improve my NFA system performance?
  12. Why does NFA say the router time is not in sync and stop collecting data?


Installation

  1. When I try to access the web interface, another web server comes up. How does this happen?

    During installation, NetFlow Analyzer checks if the selected port is in use by another application. If the other web server was down at that time, it is not detected. Either disable the other web server, change its server port, or change the NetFlow Analyzer web server port.

  2. How can I change the MySQL port in NetFlow Analyzer from 13310 to another port?

    Edit the mysql-ds.xml file in the /server/default/deploy directory. Change the port number in the line jdbc:mysql://localhost:13310/netflow to the desired port number, save the file, and restart the server.

  3. Can I install and run NetFlow Analyzer as a root user?

    NetFlow Analyzer can be installed and started as a root user, but all file permissions will be modified and later you cannot start the server as any other user.

  4. Is a database backup necessary, or does NetFlow Analyzer take care of this? (or) How do I back up data in NetFlow Analyzer?

    NetFlow Analyzer includes a database backup utility that you can use to make a backup of the database. There are two ways to back up:

    1. You can execute the script "backupdb.bat" / "backupdb.sh", which can be found under $NETFLOW_HOME/troubleshooting. This creates a backup of the database in zip format. To restore, extract the zip to the $NETFLOW_HOME directory. This is a slow process.
    2. You can copy the folder $NETFLOW_HOME/mysql/data to a different location; to restore, copy it back to the same location. This is a fast process.

    In both of the above processes, the version of NFA should be the same.
     
     
  5. How do I apply an update patch in Linux?

    Please use the command "sh UpdateManager.sh -c" and follow the instructions to upgrade NetFlow Analyzer.


Router Configuration

  1. Why can't I add a router to NetFlow Analyzer?

    NetFlow Analyzer does not choose which routers or interfaces to monitor. Devices are auto-discovered. All you need to do is set up your interfaces to send NetFlow data to the specified port on NetFlow Analyzer. Once NetFlow Analyzer starts receiving NetFlow data, you can see the device and its interfaces listed on the Dashboard.

  2. My router has been set up to export NetFlow data, but I still don't see it on the Dashboard.

    There are a number of things you can check here:

  3. I've deleted a router and all its interfaces through the License Management page but it still comes up on the Dashboard.

    This happens because NetFlow packets are still being received from that router. Unless you configure the router itself to stop exporting NetFlow data to NetFlow Analyzer, it will reappear on the Dashboard.

  4. What's the difference between unmanaging and deleting an interface? (or) When do I unmanage a device and when do I delete it from the License Management page?

    If you need to temporarily stop monitoring a router/interface, unmanage it from License Management. In this case, the router/interface is still shown under License Management.

    If you need to permanently stop monitoring a router/interface, disable NetFlow exports from the interface/router and then delete it from License Management. In this case, the router/interface is not displayed on any of the client screens unless new flows are sent from it.

  5. How do I configure the SNMP community on the router?

    To configure SNMP, follow the steps below:

    1. Log on to the router.
    2. Enter global configuration mode.
    3. Type the command snmp-server community public RO (to set public as a Read-Only community).
    4. Press Ctrl+Z.
    5. Type the command write mem.
     

  6. How do I set the router time in SYNC with the NFA server?

    Whenever the time difference between the NetFlow Analyzer server and the router is above 10 minutes, a warning icon appears on the home page. When this happens, NetFlow Analyzer stamps the flows based on the system time of the NetFlow Analyzer server. If you see this, please ensure the following on the router:

    1. Check whether the time zone and the offset (in hours and minutes) for the time zone are set properly (e.g. PST -8 00 for PST or EST -5 00 for EST). You can check this by logging into the router, going into the configure terminal and typing show running-config. You can set the clock time zone and offset using the command clock timezone zone hours [minutes] (e.g. clock timezone PST -8 00).

    2. After checking the time zone, check whether the correct time is set on your router. You can check this by logging into the router and typing show clock. You can set the clock time using the command clock set hh:mm:ss date month year (for example, clock set 17:00:00 27 March 2007). There is no queueing mechanism done on heavy periods.

Reporting

  1. The graphs are empty

    Graphs will be empty if there is no data available. If you have just installed NetFlow Analyzer, wait for at least ten minutes to start seeing graphs. If you still see an empty graph, it means no data has been received by NetFlow Analyzer. Check your router settings in that case.

  2. What are aggregate data and raw data? How do I set raw data?

    For aggregated data, NetFlow Analyzer maintains the top 'n' flows for every ten-minute slot. The record count determines this value of 'n'. By default it is set to 50. You may set your own criteria for this purpose; you can change this from the Settings option.

    Apart from this, NetFlow Analyzer allows you to store raw data (all flows, not just the top n) for up to one month.

    1. Aggregated data is stored in 5 levels of tables (10 Min, Hourly, 6 Hour, 24 Hour and Weekly), and reports for different periods need to access the corresponding table. For example, very recent reports need to access the 10 Min table and old reports need to access the Weekly table. You can access the table MetaTable to determine the table which contains data for the required time period.

    2. Raw data is stored in dynamically created tables, and data pertaining to different devices (routers) resides in different tables for different periods of time. You can access the table RawMetaTable to determine the table which contains data for the required report.
     

  3. Some of the applications are labeled as "TCP_App" or something similar. What is that?

    If an application is labeled as "TCP_App" or something similar, it means that NetFlow Analyzer has not recognized this application, i.e. the combination of port and protocol is not mapped to any application. Once you add these applications under Application Mapping, they will be recognized.

  4. Why are only the top 5 or 10 values shown in the reports? What if I want more detail?

    NetFlow Analyzer shows the top 50 results in all reports by default. You can see up to 100 results in each report by changing the Record Count value in the Settings page.

  5. The graphs show only IN traffic for an interface, although there is both IN and OUT traffic flowing through that interface. Why's that?

    Check if you have enabled NetFlow on all interfaces through which traffic flows. Since NetFlow traffic accounting is ingress by default, only IN traffic across an interface is accounted for. To see both IN and OUT traffic graphs for an interface, you need to enable NetFlow on all the interfaces through which traffic flows.

  6. Why are some interfaces labeled as IfIndex2, IfIndex3, etc.?

    This happens if the device/interface has not responded to the SNMP requests sent by NetFlow Analyzer. Check the SNMP settings of the interface or manually edit the interface name from the Dashboard. NetFlow Analyzer uses port 161, and the public community string as default SNMP values. If the SNMP settings of your device are different, click the Edit icon next to the device/interface in the Dashboard Interface View to change the values. If you need to change this globally, enter the new values in the same fields under Settings.

  7. The total bandwidth usage seems to decrease depending on the length of the report. Why is that?

    NetFlow Analyzer aggregates older data in a less granular format, so some of the spikes may not show in older reports. While reports pertaining to the last day are generated from tables with 10-minute granularity, reports pertaining to the last week are generated from tables with 1-hour granularity.

    For example, data in the 10-minute table pertaining to 10:00, 10:10, 10:20, 10:30, 10:40 and 10:50 would all be aggregated and moved into the hourly data table as one data point pertaining to 10:00.

    While the total data volume is correct, the traffic rates will be averaged over this period. So:

    10:00 -> volume transferred 100MBytes, ten minute average rate 1,333Kbits/s
    10:10 -> volume transferred 1MByte, ten minute average rate 13.3Kbits/s
    10:20 -> volume transferred 1MByte, ten minute average rate 13.3Kbits/s
    10:30 -> volume transferred 1MByte, ten minute average rate 13.3Kbits/s
    10:40 -> volume transferred 1MByte, ten minute average rate 13.3Kbits/s
    10:50 -> volume transferred 1MByte, ten minute average rate 13.3Kbits/s

    When aggregated into the one hour table, we get:

    10:00 -> volume transferred 105MBytes, one hour average rate 233Kbits/s

    The spike up to 1,333Kbits/s has been lost by this averaging process; as the data get aggregated into longer and longer time periods, so this average value will decrease further.

    This is the reason for the reduction in the reporting of bandwidth usage over time.
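
The roll-up described above, carried through the 10 Min, Hourly, 6 Hour and 24 Hour table levels, as an added example (not NetFlow Analyzer code). The one-day traffic profile, the 1,000 Kbits/s alert threshold and the function names are assumptions for illustration; the output shows that the volume is preserved at every level while a burst that crosses the threshold at 10-minute granularity no longer does once only averaged data remains.

```python
# Added illustration: how averaging during table roll-up hides a short burst.
# Units follow the FAQ figures: 1 MByte = 8,000 Kbits (decimal).

SLOT_SECONDS = 600  # granularity of the 10 Min table


def rate_kbits(volume_mbytes, seconds):
    """Average rate in Kbits/s for a volume moved over a period."""
    return volume_mbytes * 8 * 1000 / seconds


def roll_up(slots, factor):
    """Merge each run of `factor` (volume_mbytes, seconds) slots into one coarser slot."""
    merged = []
    for start in range(0, len(slots), factor):
        group = slots[start:start + factor]
        merged.append((sum(v for v, _ in group), sum(s for _, s in group)))
    return merged


def peak_rate(slots):
    """Highest average rate that any single slot reports at this granularity."""
    return max(rate_kbits(v, s) for v, s in slots)


def report_levels(ten_minute_slots, threshold_kbits):
    """Return [(level, total_mbytes, peak_kbits, burst_visible)] for each table level."""
    levels = [("10 Min", 1), ("Hourly", 6), ("6 Hour", 6), ("24 Hour", 4)]
    rows, slots = [], ten_minute_slots
    for name, factor in levels:
        slots = roll_up(slots, factor)
        peak = peak_rate(slots)
        total = sum(v for v, _ in slots)
        rows.append((name, total, round(peak, 1), peak >= threshold_kbits))
    return rows


def constructed_day():
    """Constructed sample: 1 MByte per 10-minute slot, except 100 MBytes at 10:00."""
    slots = [(1, SLOT_SECONDS)] * 144
    slots[60] = (100, SLOT_SECONDS)  # slot 60 starts at 10:00
    return slots


if __name__ == "__main__":
    for name, total, peak, visible in report_levels(constructed_day(), threshold_kbits=1000):
        print(f"{name:8} total={total} MBytes  peak={peak} Kbits/s  burst visible={visible}")
```

For questions that depend on short-lived peaks, the raw data store described under question 2 keeps all flows for up to one month.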


NBAR

  1. Which features are not supported by NBAR?

    The following features are not supported by NBAR:

  2. Any restrictions on where we can configure NBAR?

    You can't configure NBAR on the following logical interfaces:

    Note: NBAR is configurable on VLANs as of Cisco IOS Release 12.1(13)E, but supported in the software switching path only.


  3. What Does NBAR Performance Depend On?

    Several factors can impact NBAR performance in software-based execution.

    A. Router Configuration
    1. Number of protocols being matched against it
    2. Number of regular expressions being used
    3. The complexity of packet inspection logic required

    B. Traffic Profile (Packet Protocol Sequence)
    1. The number of flows
    2. Long duration flows are less expensive than shorter duration flows
    3. Stateful protocol matches are more performance impacting than static port applications

  4. Is performance dependent on the number of interfaces that NBAR is enabled on? Does the link speed of the interface(s) that NBAR is enabled on affect performance?

    No. NBAR performance is not dependent on the number of interfaces that NBAR is enabled on or the link speed of those interfaces. Performance is dependent on the number of packets that the NBAR engine has to inspect and how deep into the packet it has to look to perform regular inspection.

  5. I am able to issue the command "ip nbar protocol-discovery" on the router and see the results. But NFA says my router does not support NBAR. Why?

    Earlier versions of IOS support NBAR discovery only on the router, so you can execute the command "ip nbar protocol-discovery" on the router and see the results. Support for the NBAR Protocol Discovery MIB (CISCO-NBAR-PROTOCOL-DISCOVERY-MIB), which is needed for collecting data via SNMP, came only in later releases. Please verify whether your router IOS supports CISCO-NBAR-PROTOCOL-DISCOVERY-MIB.

  6. How do I verify whether my router supports CISCO-NBAR-PROTOCOL-DISCOVERY-MIB?

    a) You can check the platforms and IOS versions that support CISCO-NBAR-PROTOCOL-DISCOVERY-MIB using the following link: http://tools.cisco.com/ITDIT/MIBS/AdvancedSearch?MibSel=250073

    b) Alternatively, you can execute the "show snmp mib | include cnpd" command on the router to list the MIB objects implemented in the router. If the router supports CISCO-NBAR-PROTOCOL-DISCOVERY-MIB, the command returns the following objects:

    cnpdStatusEntry.1
    cnpdStatusEntry.2
    cnpdAllStatsEntry.2
    cnpdAllStatsEntry.3
    cnpdAllStatsEntry.4
    cnpdAllStatsEntry.5
    cnpdAllStatsEntry.6
    cnpdAllStatsEntry.7
    cnpdAllStatsEntry.8
    cnpdAllStatsEntry.9
    cnpdAllStatsEntry.10
    cnpdAllStatsEntry.11
    cnpdAllStatsEntry.12
    cnpdTopNConfigEntry.2
    cnpdTopNConfigEntry.3
    cnpdTopNConfigEntry.4
    cnpdTopNConfigEntry.5
    cnpdTopNConfigEntry.6
    cnpdTopNConfigEntry.7
    cnpdTopNConfigEntry.8
    cnpdTopNStatsEntry.2
    cnpdTopNStatsEntry.3
    cnpdTopNStatsEntry.4
    cnpdThresholdConfigEntry.2
    cnpdThresholdConfigEntry.3
    cnpdThresholdConfigEntry.4
    cnpdThresholdConfigEntry.5
    cnpdThresholdConfigEntry.6
    cnpdThresholdConfigEntry.7
    cnpdThresholdConfigEntry.8
    cnpdThresholdConfigEntry.9
    cnpdThresholdConfigEntry.10
    cnpdThresholdConfigEntry.12
    cnpdThresholdHistoryEntry.2
    cnpdThresholdHistoryEntry.3
    cnpdThresholdHistoryEntry.4
    cnpdThresholdHistoryEntry.5
    cnpdThresholdHistoryEntry.6
    cnpdThresholdHistoryEntry.7
    cnpdNotificationsConfig.1
    cnpdSupportedProtocolsEntry.2


V9

  1. What is NetFlow Version 9?

    This format is flexible and extensible, which provides the versatility needed to support new fields and record types. This format accommodates new NetFlow-supported technologies such as NAT, MPLS, BGP next hop and Multicast. The main feature of the Version 9 export format is that it is template based.

  2. What is the memory impact on the router due to V9?

    The memory used depends upon the data structures used to maintain template flowsets. As the implementation does not access the NetFlow cache directly the memory used is not very high.

  3. "Receiving non V5/V7/V9 packets from the following devices: Click here for further details.." What does this mean?

    If you get this message on the user interface, it means that NetFlow packets with versions other than version 5/7/9, are being received by NetFlow Analyzer. Check your router settings to make sure that only version 5/7/9 NetFlow exports are being sent to NetFlow Analyzer. This is because NetFlow Analyzer supports only NetFlow version 5/7/9 exports.

  4. Is version 9 backward compatible?

    Version 9 is not backward-compatible with Version 5 or Version 8. If you need Version 5 or Version 8, then you must configure Version 5 or Version 8.

  5. What is the performance impact of V9?

    Version 9 slightly decreases overall performance, because generating and maintaining valid template flowsets requires additional processing.

  6. What are the restrictions for V9?

    Version 9 allows for interleaving of various technologies. This means that you should configure Version 9 if you need data to be exported from various technologies (such as Multicast, DoS, IPv6, BGP next hop, and so on).

  7. How do I configure NetFlow Version 9?

    Please refer to the following document for configuring NetFlow Version 9: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00805e1b4a.html
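
A collector-side check for the points in this section, as an added example (not NetFlow Analyzer or Cisco code): it reads the version from an export datagram, rejects anything other than 5/7/9, and decodes the template FlowSets that make Version 9 template based. The Version 9 header and template layouts follow RFC 3954; the function names, the constructed sample datagrams and the use of the header's unix_secs field to measure the 10-minute clock difference mentioned under Router Configuration are assumptions for illustration.

```python
import struct

SUPPORTED_VERSIONS = {5, 7, 9}   # versions the FAQ says NetFlow Analyzer accepts
MAX_SKEW_SECONDS = 10 * 60       # FAQ: warning above a 10-minute time difference
V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id


def parse_v9_templates(datagram):
    """Return {template_id: [(field_type, field_length), ...]} from template FlowSets."""
    templates = {}
    offset = V9_HEADER.size
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            break  # malformed length: stop instead of reading past the datagram
        if flowset_id == 0:  # FlowSet ID 0 carries template records
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", datagram, pos)
                pos += 4
                if template_id < 256 or pos + 4 * field_count > end:
                    break  # padding or a truncated template record
                templates[template_id] = [
                    struct.unpack_from("!HH", datagram, pos + 4 * i) for i in range(field_count)
                ]
                pos += 4 * field_count
        offset += length
    return templates


def inspect_export(datagram, collector_time):
    """Classify one export datagram: version check, clock skew, v9 templates."""
    if len(datagram) < 12:
        return {"status": "truncated"}
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version not in SUPPORTED_VERSIONS:
        return {"status": "unsupported", "version": version}
    # v5, v7 and v9 headers all carry the exporter clock (unix_secs) at byte offset 8.
    (unix_secs,) = struct.unpack_from("!I", datagram, 8)
    skew = collector_time - unix_secs
    return {
        "status": "ok",
        "version": version,
        "count": count,
        "skew_seconds": skew,
        "time_in_sync": abs(skew) <= MAX_SKEW_SECONDS,
        "templates": parse_v9_templates(datagram) if version == 9 else {},
    }


def constructed_v9(unix_secs):
    """Constructed v9 datagram: one template (ID 256) with five RFC 3954 field types."""
    fields = [(8, 4), (12, 4), (11, 2), (4, 1), (1, 4)]  # src, dst, dst port, protocol, bytes
    record = struct.pack("!HH", 256, len(fields))
    record += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    return V9_HEADER.pack(9, 1, 123456, unix_secs, 1, 0) + flowset


def constructed_ipfix(export_time):
    """Constructed IPFIX (version 10) header, which falls outside versions 5/7/9."""
    return struct.pack("!HHIII", 10, 16, export_time, 1, 0)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed collector clock
    print(inspect_export(constructed_v9(now - 30), now))
    print(inspect_export(constructed_v9(now - 900), now))
    print(inspect_export(constructed_ipfix(now), now))
```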

Technical Information

  1. How is traffic information stored in the NetFlow Analyzer database?

    For each report, NetFlow Analyzer stores traffic information in a different manner. The following tables describe the data storage pattern for the various reports generated by NetFlow Analyzer.

  2. How do I reset the admin password?

    Please ensure that the server is running before following the steps below:

    1. Open a command prompt
    2. Go to the \mysql\bin directory
    3. Type mysql -u root --port=13310
    4. Type use netflow
    5. Execute the following query:
      update AaaPassword, AaaLogin, AaaAccount, AaaAccPassword set AaaPassword.PASSWORD='Ok6/FqR5WtJY5UCLrnvjQQ==', AaaPassword.SALT='12345678' where AaaLogin.LOGIN_ID = AaaAccount.LOGIN_ID and AaaAccount.ACCOUNT_ID = AaaAccPassword.ACCOUNT_ID and AaaPassword.PASSWORD_ID = AaaAccPassword.PASSWORD_ID and AaaLogin.NAME = 'admin';
    6. Type quit to quit mysql
    7. Type exit to exit the command prompt
    8. Log in as admin / admin. You can change the password again if you wish.

  3. How are ports assigned as applications in NetFlow Analyzer?

    A NetFlow export contains information on the protocol, source port, and destination port. When a flow is received, NetFlow Analyzer tries to match the port and protocol in the flow to an application in the following order:

    If a matching application is still not found, then depending on the protocol received in the flow, the application is listed as <protocol>_App (e.g. TCP_App if a flow is received with the TCP protocol and unmatched source and destination ports). If the protocol received in the flow is also not recognized by NetFlow Analyzer, the application is listed as Unknown_App.

    A single flow can be categorized as a single application only. In case of a conflict, applications with an exact match for the port number will be accounted for.


  4. Do I have to reinstall NetFlow Analyzer when moving to the fully paid version?

    No, you do not have to reinstall or shut down the NetFlow Analyzer server. You just need to enter the new license file in the Upgrade License box.

  5. How many users can access the application simultaneously?

    This depends only on the capacity of the server on which NetFlow Analyzer is installed. The NetFlow Analyzer license does not limit the number of users accessing the application at any time.

  6. NetFlow Analyzer logs out after a period of inactivity. How do I avoid that?

    You can change the time-out value to a higher value than the default (30 minutes) by increasing the session-timeout parameter

    <session-config>
      <session-timeout>30</session-timeout>
    </session-config>

    under <NFA_Home>/AdventNet/ME/NetFlow/server/default/conf/web.xml

    Change the value 30 to your desired time range, say 600. You will have to restart the NFA server for this to take effect.

  7. How do I create the DBInfo log file?

    1. Please ensure that NFA is running.
    2. Navigate to the /Troubleshooting directory and execute the file DBInfo.sh / DBInfo.bat.
    3. It creates an "Info.log" file in the same folder. Please send us the "info.log" file.

     
  8. Why does the interface show 100% utilization?

    Please refer to this link for a brief explanation of 100% utilization:
    http://forums.manageengine.com/?ftid=49000002654747

     
  9. What information do I need to send to NFA support for assistance?

    1. Please run logziputil.bat / logziputil.sh (under the troubleshooting folder). This creates a zip file under the support folder; please send us the zip file.
    2. Send us the .err file under the Mysql\data folder.
    3. Also send your machine configuration.
     

  10. How do I safely migrate an NFA installation to a different machine?

    Please follow the steps below to move your installation:
    1. Copy the data folder in /mysql folder of the installation that you wish to move, to a safe location.
    2. Install NetFlow Analyzer in the new location, start it once and shut it down.
    3. Replace the data folder in /mysql folder of the new installation with the data folder of the old installation.
    4. Start NetFlow Analyzer.
     

  11. What do I do if my NFA server becomes slow? (or) How do I improve my NFA system performance?

    Please refer to this link for a brief note on database tuning: http://forums.manageengine.com/?ftid=49000002654617

  12. Why does NFA say the router time is not in sync and stop collecting data?

    Please follow these steps to fix this issue:
    1. Ensure the following on the router: check whether the correct time is set on your router. You can check this by logging into the router and typing show clock. You can set the clock time using the command clock set hh:mm:ss month date year. Check whether the time zone and the offset (in hours and minutes) for the time zone are set properly (e.g. PST -8 00 for PST or EST -5 00 for EST). You can check this by logging into the router, going into the configure terminal and typing show running-config. You can set the clock time zone and offset using the command clock timezone zone hours [minutes] (e.g. clock timezone PST -8 00).
    2. The time sync issue may be related to high CPU load, and reducing the IP group can help. Each address / range / network will be checked separately. So, 4 addresses of 10.10.10.1, 10.10.10.2, 10.10.10.3 and 10.10.10.4 will add more load than creating the same as a single IP range of 10.10.10.1 to 10.10.10.4. While associating interfaces, you are better off selecting "All interfaces" wherever appropriate, since in that case no check will be done with the interface in the flow. In your case, since you had 180 interfaces associated, the code had to check for these 180 interfaces in each flow received.
     
     


Copyright © 2008, ZOHO Corp. All Rights Reserved.
ManageEngine