CA Network Flow Analysis 9.2.1
Readme
1.0 Welcome
Welcome to the Readme for CA Network Flow
Analysis 9.2.1. This readme contains issues and other information
that was discovered after publication of the regular documentation
set. The latest version of the Readme is available in the
Recommended Reading section on the CA Network Flow Analysis
(ReporterAnalyzer) page at CA Support.
The documentation may have been updated
since its release. To get the latest CA Network Flow Analysis
documentation updates and localized documentation, download the
Bookshelf and Readme files from CA Support.
2.0 Product Documentation
CA provides a full set of technical
documentation.
This Readme file contains the most recent list
of known issues and workarounds. We recommend downloading the
latest version of the Readme file and Release Notes from CA Support Online.
You can open the documentation from the
Documentation Bookshelf. Access the bookshelf from the Help menu in
the CA Network Flow Analysis user interface. To obtain the latest
bookshelf, go to CA Support
Online.
Use the online Help system when you need more
information about administration tasks and user tasks.
3.0 Known Issues
The following known issues apply to the current
release of CA Network Flow Analysis.
3.1 Browser Support
Browser installation is optional for the
servers that host the stand-alone and NFA console software. If you
install a browser on an installation server, make sure that it is
Microsoft Internet Explorer version 8.
Browser installation is required for client
systems that log in to the NFA console. We recommend using
Microsoft Internet Explorer version 8. The following browser
versions have known issues:
- Microsoft Internet Explorer version 9 - The
Log In dialog and screen may have display artifacts:
- The Log In button text may be white,
although the button is functional. The Log In button is located in
the bottom right corner of the dialog and has a blue box around it.
If you position your cursor inside the box, the cursor changes to
Hand mode. The log
in function is active whenever the cursor is in Hand mode.
- The screen behind the Log In dialog
may not be rendered in a uniform blue color.
- Microsoft Internet Explorer version 10 - If
you save reports as PDF files or set up scheduled reports to send
PDF files, the PDFs are not searchable. The PDFs are rendered as
pictures, which do not include searchable text.
3.2 Requirements for Naming Custom
Installation Directories
If you install CA Network Flow Analysis
software to a custom directory, make sure that no spaces are
included in the installation path or directory name. In addition,
use English alphanumeric characters. Non-English characters are not
supported.
If you install CA Network Flow Analysis in an
environment that is localized for Chinese or Japanese, make sure
that you use only ASCII characters for directories in the
installation path.
The installation will complete without any
easily detected warnings in spite of the invalid path or directory
names. Problems occur when you start to use the software,
however.
3.3 Installation and Upgrade
Pre-Requisite Checks
Several pre-requisite checks are performed
during an installation or upgrade to help you avoid failure. The
pre-requisite checks are designed to detect some obvious problems,
but the checks are not comprehensive. You are responsible for
preparing and configuring your servers as described in the
CA Network Flow Analysis 9.2.1 Installation
Guide and the CA Network Flow Analysis
9.2.1 Upgrade Guide.
3.4 Upgrade Support
Upgrades to CA Network Flow Analysis 9.2.1 are
supported with the following conditions:
- You can upgrade CA Network Flow Analysis
release 9.2.0 directly to release 9.2.1.
For more information about upgrade support, software co-location,
and the option to use CA Performance Center or CA NetQoS
Performance Center, see the Release Notes for CA Network Flow Analysis and
CA Anomaly Detector.
- Windows NT LAN Manager (NTLM) is not
supported.
3.5 Uninstallation Support
The Uninstall option has the following
limitations:
- The Uninstall option cannot remove the
product if it has been upgraded at any point from CA NetQoS
ReporterAnalyzer 9.0.1 (9.0 upgrade 1). The Uninstall program
completes successfully, but leaves the system in a state that does
not support successful reinstallation of the software. In this
case, the Custom Storage Engine (NetQoS NQMySql51) service cannot
be started.
To recover from this situation, re-image the system and re-install
the software.
We support using the Uninstall for new installations and for
software that has been upgraded from CA Network Flow Analysis
versions 9.1.00 through 9.2.0.
- The Uninstall option can remove the MySQL
software only if CA Network Flow Analysis was installed before any
other related software.
- Other related software that is co-installed
with CA Network Flow Analysis is disabled by uninstalling CA
Network Flow Analysis.
- Some directories and files are not removed
during uninstallation (such as \CA\NFA). You have the option to
remove these directories and files manually.
- On a singlebox installation, running the
Console uninstall removes files necessary for the Harvester to run
(such as the JRE). To switch from a singlebox installation to a
Harvester-only installation, you need to uninstall everything and
then re-install the Harvester.
- After an uninstall and attempted reinstall,
the CA Network Flow Analysis 9.2.1 Console is unreachable. In order
to successfully reinstall CA Network Flow Analysis after an
uninstallation on the same system:
- In the Control Panel, Folder Options, View tab, Advanced Settings, select Show hidden files, folders, and drives.
- Navigate to C:\Program Files\Zero G Registry\
- Rename .com.zerog.registry to .com.zerog.registry_backup
- If running the singlebox (stand-alone) configuration, run the Harvester installer.
- Run the Console installer.
- Delete the newly created .com.zerog.registry
- Rename .com.zerog.registry_backup to .com.zerog.registry
3.6 Error Opening CA NetQoS
Performance Center
An error message may open when you attempt to
log in to the Single Sign-On program or click the NPC link in the
NFA console under the following conditions:
- CA Network Flow Analysis and CA NetQoS
Performance Center 6.1 are installed on the same system
- CA NetQoS Performance Center 6.1 was
installed after CA Network Flow Analysis
In this case, a Page Not Found (404) error
opens. The program cannot locate the CA NetQoS Performance Center
Console because a mixture of forward and backward slashes is used
in some directory paths.
Note: This issue applies to deployments
that include CA NetQoS Performance Center. If your deployment
includes CA Performance Center, this issue does not apply to
you.
Workaround:
Complete the following steps to define the physical
paths of the virtual directories with backward slashes.
- Log in to the NFA console server as a user
with administrator privileges.
- Open the Internet Information Services (IIS)
Manager: Select Start, Administrative Tools, Internet Information
Services (IIS) Manager.
- Expand the tree in the left pane to display
the virtual directories:
- Click the plus sign next to the server
name.
- Expand the Sites node.
The virtual directories appear at the end of the list.
- Select one of the virtual directories (for
example, ProxyServices).
- Click the Basic Settings link in the right
pane.
The Edit Application dialog opens.
- Replace any forward slashes in the Physical
path value with backward slashes.
- Click OK to save any changes you made.
- Repeat the steps to make the correction for
each remaining virtual directory.
3.7 'Access Denied' Error for LDAP
Users
Users with LDAP-generated accounts may get an
"Access Denied" error message when they attempt to log in or to
drill in to CA Network Flow Analysis from Performance Center. The
problem can be caused by one of the following conditions:
- The SSO LDAP configuration is set up with
inadequate product permissions to allow access.
An administrator configures the Single Sign-On program to enable
the automatic creation of user accounts at LDAP sign-in. If the
configuration is modeled on a user account that lacks the proper
product permissions, the LDAP users who are created cannot drill in
to the NFA console from Performance Center.
- The LDAP user attempts to drill in before
the account information is synchronized between the products. LDAP
users acquire product permissions when synchronization is
complete.
- The LDAP user attempts to log in to the NFA
console before logging in to the Performance Center Console. To
create LDAP-generated user accounts properly, users must first
log in to the Performance Center Console. If you attempt to log in
to the NFA console first and are denied access, log in to the
Performance Center Console, then wait for your user account data to
be synchronized with the NFA console.
- The user account was created from a properly
configured LDAP model, but the user account was changed later in a
way that blocks access.
- An outdated SSO LDAP configuration is in
use, which has not been updated since the deployment was upgraded
from CA NetQoS ReporterAnalyzer release 9.0.1. Reconfigure the SSO
LDAP settings as described in the Single Sign-On User Guide.
Complete the following tasks to
ensure that LDAP users can drill in:
- Configure the LDAP settings for the Single
Sign-On (SSO) program. For information about this task, download
the Single Sign-On User
Guide from the appropriate Performance Center Bookshelf.
If you need further assistance, contact CA Support.
- Verify that the LDAP settings can be used to
authenticate users successfully, as described in the topic
'Validate LDAP Settings' in the Single Sign-On User Guide.
- Create a test case by having a user log in
with an LDAP account.
- Check the user product permissions in the
Manage Users page (CA PC) or User List page (NPC).
- If necessary, revise the model for LDAP
configuration to correct any permission problems, then repeat steps
2 through 4.
- Wait 10 minutes for the next synchronization
or perform a Resync on the Manage Data Sources page (CA PC) or the
Data Source List page (NPC).
- Verify that the user can drill in to the NFA
console from a view in the Performance Center Console. For example:
- Click an interface in the Top Flows By
Interface - Out view on the Infrastructure Management page.
This action opens the CA Performance
Center Interface Pages.
- Click the IP Performance tab, and click a
link in the Host Name column of the Top Hosts (Pie) - Out view.
The test user drills in to the NFA console
without an Access Denied error message: The NFA console opens to
the Interfaces page for the selected host.
3.8 Error Creating Custom or
Analysis Reports
An error message may open when you attempt to
create a Custom Report or Analysis report. This error message
includes the text string "System UnauthorizedAccessException." The
error occurs because insufficient permissions are assigned to the
Internet Guest User Account (IUSR).
On a Windows Server 2008 R2 server, the report
is created in spite of the error message. On a Windows Server 2003
server, the report is not created.
To correct the problem, complete the following
steps.
Workaround:
- Log in to the NFA console as a user who has
administrator privileges.
- Open the Component Services window:
- Select Start, Run.
- Enter dcomcnfg in the Run window that
opens.
- Click OK.
The Component Services window opens.
- Display the nqreporter properties:
- Expand the following nodes in the left pane:
- Component Services
- Computers
- My Computer
- DCOM Config
- Locate the nqreporter service under DCOM
Config.
- Right-click nqreporter and select Properties
from the context menu.
The nqreporter Properties window opens.
- Display the nqreporter group and user launch
permissions:
- Click Security.
The Security tab opens.
- Select the Customize radio button in the
Launch and Activation Permissions section.
- Click Edit.
The dialog opens: Launch Permissions dialog (2003) or Launch and
Activation Permissions dialog (2008).
- Verify that the IUSR or Internet Guest User
Account exists:
- Click Add if the following account is not
shown in the "Group or user names" list.
- Windows Server 2003: Internet Guest User
Account
- Windows Server 2008 R2: IUSR
The Select Users or Groups dialog
opens.
- Locate and select or enter the object name
- Windows Server 2003: <server_name>\IUSR_W2K3R2STD32SP2
where <server_name> = Name of the NFA console
installation server
- Windows Server 2008 R2: IUSR
- Click OK.
The parent dialog now shows IUSR or Internet Guest User Account in
the list.
- Verify that launch and activation
permissions are enabled:
- Select IUSR or Internet Guest User Account in
the top pane.
- Verify that the Allow check box is selected
for all of the listed permissions: Local Launch, Remote Launch,
Local Activation, and Remote Activation.
- Save your changes and exit:
- Click OK in the Launch and Activation
Permissions dialog.
- Click OK in the nqreporter Properties
dialog.
- Select File, Exit in the Component Services
window.
Users who have the proper permissions now can create Custom Reports
and Analysis reports without seeing an error.
3.9 Deleting a Harvester
If you delete a Harvester in CA Network Flow
Analysis 9.2.1, you cannot add the same Harvester instance again
successfully unless the installation server has been re-imaged and
the Harvester software has been re-installed. Once you delete a
Harvester, you cannot recover any of the data that the Harvester
collected.
3.10 Manually Updating Polling When
Changing SNMP Profiles
If you add or edit an SNMP profile to correct
longstanding polling failures, it can be some time before the
affected routers are polled again automatically. If polling has
been disabled for some time, we recommend that you manually assign
the SNMP profile to the routers and refresh polling as described in
the following steps.
Follow these steps:
- Make sure that the SNMP profile is set up
correctly on the Manage SNMP Profiles page (CA PC) or SNMP Profiles
List page (NPC).
- Open the Active Interfaces page:
- Select Administration from the NFA console
menu.
The Administration page opens.
- Select Interfaces: Physical & Virtual
from the Administration menu.
The Active Interfaces page opens, which lists the current routers
and their active interfaces.
- Assign the SNMP profile to the routers:
- Select the affected routers in the Active
Interfaces list.
- Click Edit.
The Edit Routers dialog opens.
- Select the appropriate profile from the SNMP
Profile list.
- Click Save.
Your setting is saved for each one of the selected routers. The
Edit Routers dialog closes.
- Refresh the polling for the routers
manually:
- Select System: Enable Interfaces from the
menu on the Administration page.
The Available Interfaces page opens.
- Click the Refresh icon (circular arrow) on
the row for each router that has a newly assigned SNMP
profile.
CA Network Flow Analysis attempts to poll the router, then a
message opens, which informs you about the success or failure of
the polling attempt. Each Refresh icon that you clicked appears
dimmed to show that the Refresh operation has been performed.
3.11 Previous Button in Harvester and
Console Installation Program
The installation program for the Harvester and
for the NFA Console has a nonfunctional Previous button on the
Choose Install Folder page. If you click the Previous button on
this page, the program does not return you to the previous page. In
addition, the Previous, Next, and Cancel buttons become
inactive.
If you encounter this problem, take one of the
following actions:
- Modify the installation directory to
reactivate the Next button.
- Close the installation program and restart
installation.
3.12 DNS Resolution Required for
Polling
CA Network Flow Analysis requires DNS name
resolution. If host names do not resolve to their corresponding IP
addresses, SNMP polling fails.
To determine whether the host name of a Linux server resolves to
its IP address, enter the hostname -i command in a
command prompt window, as shown in the following example:
[root@NFAHARV ReaperArchive15]# hostname -i
If the command fails to return the
corresponding IP address, you can edit the /etc/hosts configuration
file on the Harvester server manually. Add a line for the local
server, which associates the host name and IP address.
Follow these steps:
- Log in to the Harvester server as root or
with a sudo user account.
- Open the /etc/hosts file in a text
editor.
- Add a line that associates the IP address
with the local host name, as shown in the following example:
[root@NFAHARV ReaperArchive15]# more /etc/hosts;
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.0.0.10 NFAHARV
where:
- 10.0.0.10 = IP address of the Harvester
server
- NFAHARV = Host name of the Harvester
server
- Save and close the /etc/hosts file.
- Restart the CA Network Flow Analysis
services on the Harvester server, including the following services:
- NFA CollpollWS (nfa_collpollws): CA NFA
Collection and Poller Webservices
- NFA Proxies (nfa_proxies): CA NFA DNS/SNMP
Proxies
- NFA Poller (nfa_poller): CA NFA Poller
Your change takes effect immediately.
Notes:
- Use this workaround only if DNS resolution
fails.
- For additional help with this task, contact
CA Support.
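The following shell check is an added example, not part of the CA documentation. It parses a hosts file and reports whether a host name maps to a non-loopback address, which is the mapping the workaround above adds. The function names, the treatment of a loopback-only mapping as a failure, and the EXAMPLEHOST line are assumptions of this example; the sample file is constructed from the listing above.

```shell
#!/bin/sh
# Added example: audit a hosts file for the Harvester host-name mapping.

# Print every address that FILE maps to NAME (canonical name or alias).
# Comments and blank lines are ignored; names compare case-insensitively.
hosts_addresses() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        {
            sub(/#.*/, "")          # strip a full-line or trailing comment
            if (NF < 2) next        # need an address plus at least one name
            for (i = 2; i <= NF; i++)
                if (tolower($i) == want) { print $1; break }
        }' "$1"
}

# Classify the mapping for NAME in FILE:
#   ok <ip>        NAME maps to a non-loopback address (exit status 0)
#   loopback-only  NAME maps only to 127.0.0.0/8 or ::1 (exit status 1)
#   missing        NAME does not appear in the file (exit status 1)
check_hosts_entry() {
    addrs=$(hosts_addresses "$1" "$2")
    [ -n "$addrs" ] || { echo "missing"; return 1; }
    for a in $addrs; do
        case $a in
            127.*|::1) ;;                   # loopback, keep looking
            *) echo "ok $a"; return 0 ;;
        esac
    done
    echo "loopback-only"
    return 1
}

# Constructed sample: the listing above plus one constructed alias line.
write_sample_hosts() {
    cat > "$1" <<'EOF'
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.0.0.10 NFAHARV
10.0.0.11 examplehost.example.test EXAMPLEHOST # constructed alias entry
EOF
}

# Demonstration on the constructed sample. On a Harvester server the
# equivalent call would be: check_hosts_entry /etc/hosts "$(hostname)"
sample=$(mktemp)
write_sample_hosts "$sample"
for host in NFAHARV localhost OTHERHOST; do
    printf '%s: %s\n' "$host" "$(check_hosts_entry "$sample" "$host")"
done
rm -f "$sample"
```
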
3.13 Problems from Exporting Flow to
Multiple Harvesters
Make sure that you configure flow export to be
directed to a single Harvester.
A number of problems result if you configure
routers or interfaces to export flow to multiple Harvesters. If
this problem occurs, contact CA Support.
You can clone the flow from Harvesters and
forward it to other destinations by using the Flow Cloner feature,
as described in the CA Network Flow Analysis
Administrator Guide.
3.14 Volume Calculations
Volume totals differ slightly between CA
Performance Center views of CA Network Flow Analysis data and
corresponding CA Network Flow Analysis reports and pages. The
mismatch occurs in pie charts, for example.
Note: The calculation mismatch applies to
deployments that include CA Performance Center. If your deployment
includes CA NetQoS Performance Center, this issue does not apply to
you.
The difference is caused by different
calculation methods:
- CA Network Flow Analysis calculates a
megabyte as 1,000 kilobytes, which is the standard definition in
the context of network data (as recommended by the International
System of Units (SI) and the International Electrotechnical
Commission (IEC)).
- CA Performance Center calculates a megabyte
as 1,024 kilobytes, which is a typical definition in the context of
capacity for server storage and memory.
3.15 Interface Names and
Descriptions
Interface names and descriptions may not match
between the NFA console and the CA Performance Center Console.
Note: Changes to the interface names and
descriptions are limited to the product that you use to make the
changes. If you change interface descriptions in one product
console, the changes are not displayed in the other console, for
example. To show the same interface names and descriptions in both
locations, make revisions in one product to match the other
product.
NFA Console
- The interface name and description are
formatted as defined by the interface template, which uses the
following values by default:
- Interface Name: ifName or ifDescr
value, whichever is found first
- Interface Description: portName or
ifAlias value, whichever is found first
For information about changing the default
template behavior, see the CA Network Flow Analysis topic 'Edit the
Interface Template.'
- To customize interface names and
descriptions individually, use the Active Interfaces page. For more
information about this task, see the CA Network Flow Analysis topic
'Edit Details for a Router, Interface, or CVI.'
Any changes you make are shown in a number
of locations, including the Active Interfaces page, Enterprise
Overview reports, drilldown Interface page reports, and the
Interface Index. You use the Interface Index to select interfaces
as filters in Custom reports and Analysis reports and to navigate
to an interface in the Interface pages.
CA Performance Center Console
- The CA Performance Center Interface Details,
Inventory pages, and trend views display interface names and
descriptions that use the following default values:
- Interface Name: ifName, ifDescr, or
"Interface {ifIndex}" value, whichever is found first
- Interface Description: ifDescr value,
unless you apply an Interface Description Override to the parent
domain
- To customize interface descriptions, apply
an Interface Description Override when you create a domain, as
described in the CA Performance Center topic 'Add an IP Domain.' To
change the Interface Description Override settings for an existing
domain, complete the following steps:
- Prepare a .csv file with the interface
description overrides that you want to use. Include the following
columns and populate a row for each interface whose description you
want to override: Device IP, Name, Description, and Interface
Description Override.
- Log in to the CA Performance Center Console
as a user with administrator privileges.
- Select Admin, IP Domains.
The Manage IP Domains page opens.
- Select the domain that you want to
edit.
- Click Edit.
The IP Domains Administration dialog
opens.
- Click Browse next to the Interface
Description Override field.
- Locate and select the .csv file that
contains the appropriate overrides.
- Click Save in the IP Domains Administration
dialog.
The dialog closes.
- Resynchronize the CA Network Flow Analysis
data source:
- Select Admin, Data Sources from the console
menu bar.
The Manage Data Sources page opens.
- Select the CA Network Flow Analysis data
source.
- Click Resync.
The data source is resynchronized.
Note: You can wait 5 minutes for the next
synchronization to complete automatically instead of
resynchronizing manually.
- Verify that the overrides have been applied
in the Interface Details page, Inventory pages, and trend
views.
The interface descriptions apply to devices
that have already been discovered and to devices that will be
discovered in the future.
3.16 Active Interfaces Page: Traffic
Status
The Traffic Status Tooltips for interfaces on
the Active Interfaces page do not identify the last successful
polling time.
If you position your cursor over the Traffic
Status icon next to the interface name on the Active Interfaces
page, a Tooltip opens. The Tooltip confirms whether the interface
is active or inactive, but it does not show any additional
information.
To see additional status information, display
the Last Poll Tooltip for the parent router, which shows the most
recently completed reboot, refresh, discovery, and status notes.
You can display more information in either of the following
locations:
- Router Last Poll status icon on the Active
Interfaces page:
Select Interfaces: Physical & Virtual from the Administration
menu in the NFA console. On the Active Interfaces page that opens,
locate the router and position your cursor over its Traffic Status
symbol.
- Router Last Poll status icon on the
Available Interfaces page:
Select Enable Interfaces from the Administration page menu. Use the
Available Interfaces page that opens to view additional information
about the interface that interests you, including the date of its
most recent flow. You can run the Test, Discover, and Refresh
options on the parent router. These actions may help resolve any
polling problems.
3.17 False Alarms on the System
Status Page
False alarms appear on the System Status page
during an initial period after you add a Harvester or DSA in the
NFA console. It is expected that Harvesters and DSAs do not pass
some system checks until they are fully functional. For example,
you may see false alarm status messages that mention the following
DSA or Harvester problems:
- Zero value for the Last Load Timestamp and
Watchdog polling time
- Unknown usage for memory and disk
- Unknown or high usage for CPU
- Unknown or stopped state for services
- DSA database is down
False alarms typically clear up within an hour
of component startup. In some cases, however, the false alarms
continue.
If you suspect that the System Status page
continues to list false alarms, restart the Watchdog service on the
standalone or NFA console server. The current false alarms are
cleared from the System Status page and no new false alarms are
posted.
3.18 DSA Status
If you have a two-tier architecture deployment
of CA Network Flow Analysis 9.2.1, the System Status page always
shows a green icon for Data Storage Appliances. Data Storage
Appliances are not active in the two-tier architecture, but are
active for three-tier architecture deployments.
4.0 Documentation Known Issues
4.1 Wildcards Not Supported for
Document Searches
Wildcards are not supported for searching
documents that you open from the bookshelf. If you use wildcard
characters in combination with a text string, the wildcard
characters are treated as plain text. In this case, a search
returns only the locations that match the literal search entry.
This aspect of the Search function behavior
does not match the "Search Tips" information that is included with
the Bookshelf. The "Search Tips" information applies only to
searches on the Bookshelf landing page.
5.0 Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides
one site where you can access the information that you need for
your Home Office, Small Business, and Enterprise CA Technologies
products. At http://ca.com/support, you can access the following
resources:
- Online and telephone contact information for
technical assistance and customer services
- Information about user communities and
forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your
product
Providing Feedback About Product
Documentation
If you have comments or questions about CA
Technologies product documentation, you can send a message to
techpubs@ca.com.
To provide feedback about CA Technologies
product documentation, complete our short customer survey which is
available on the CA Support website at http://ca.com/docs.
Copyright © 2014 CA. All rights
reserved. All trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.