With Flexible Netflow becoming more prominent in Cisco IOS Netflow Configurations, we are starting to see a common issue in configurations that causes a major issue with CA Network Flow Analysis.
If there are interfaces configured to use Flexible Netflow on a device, you absolutely can NOT have a Standard Netflow configuration set up as well as it will result in 2 separate Netflow flow streams being generated from the router. NFA will look at this as that the router is constantly rebooting and it will start to add thousands of bogus interfaces.
- These thousands of interfaces will cause an assortment of issues ranging from the Harvester to the Console server.
- Slow performance throughout the GUI due to hundreds of thousands of BOGUS interfaces being generated into the databases.
- Interfaces will be named "Interface ***" and will not have a valid ifIndex.
- .FLT file processing issues on the NFA Console causing a backup of .FLT files and .RPR files due to the Pump Process clogging up. (Console Server Backup: D:/CA/NFA/Netflow/datafiles & D:/CA/NFA/Netflow/datafiles/Staging and on the Harvester: D:/CA/NFA/Netflow/Datafiles/NFMinput)
- Last Flow times will not process, EOV data will stop processing, and 15 minute data will stop processing (on 3-Tier only).
- Java errors in the Harvester logs: WrapperSimpleApp Error: java.lang.OutOfMemoryError: Java heap space
- Harvester process can stop pulling in new data all together.
- Sort the Enable Interfaces page by ‘Total Int’.
- Look for Devices with the highest ‘Total Int’.
- Expand the device and then sort by ‘ifIndex’.
- Determine by looking at the total interface count for the device if it seems valid or bogus.
- You can also determine by looking at the interfaces on a device and seeing if the highest of the ifIndex numbers seem valid or bogus.
- Ultimately we are looking for high interface count devices with interfaces that are named ‘Interface ***’ which is confirmed not valid.
- If you find a device with bogus interfaces it is important to note that those bogus interfaces may have been created during a transition period of when the networking team switched from Standard Netflow to Flexible Netflow and that there may not be an issue anymore.
- If the number of interfaces is in the 10’s to 100 thousands it is safe to assume there is still an issue and it worth investigating on the router.
- Fix the Netflow Configuration of the router to use only Standard or Flexible Netflow only.
- Delete the device from Enable Interfaces (this will result in loss of historical data).
- If the data is very valuable please contact CA Support.
- Once the Device has been deleted it should come back in without any bogus interfaces as long as the Netflow configuration has been fixed.