DX Unified Infrastructure Management

Flow Forensic Report, It looks like it never finishes up, “Executing”


    Posted Feb 27, 2013 02:01 PM

    ISSUE:

    I ran the Flow Forensic Report. It looks like it never finishes up; it just says “Executing”.
    But when I go and apply a filter, for example run it for two routers that are coming from the one harvester, the report gets done in 2 minutes and the data is there.
    Everything looks like there is so much data, and it takes forever to finish the report.


    SOLUTION:

    This appears to be a scale issue. Running flow forensics reports across more than a few interfaces/devices simultaneously is not recommended. The volume of information is most likely overloading the system.
    We may be able to reduce the information that it needs to parse through or find a better process to meet the customer’s goals.

    There are some ways he can lighten the load of these reports on the harvester:

    1. Create groups and run multiple reports.
    2. Run the reports on choke points. If there are five LAN interfaces and one WAN interface on the router being monitored, all conversations between the LAN and the WAN would be captured on the one interface. If one router is connected to another and both are being monitored, only one of those interfaces needs to be included to report all conversations.
    3. Look at the router config. The method most often used (all ingress and all egress) is also the most inefficient. Interface Flow methods in order of most to least efficient are:
       a. Ingress and egress on a single interface (if only one is needed on a given router)
       b. Ingress and egress on 2-3 interfaces (if only a couple are needed on a given router with many interfaces)
       c. Egress on all interfaces
       d. Ingress on all interfaces
       e. Ingress and egress on all interfaces
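
The router-side difference between method (e) and method (a) above, shown as an added example that is not part of the original post. It assumes Cisco IOS classic NetFlow syntax; the interface names are constructed and 192.0.2.10:9995 is a placeholder for the harvester address and port.

```cisco
! Constructed example, assumed platform: Cisco IOS classic NetFlow.
! 192.0.2.10 9995 is a placeholder for the harvester address and port.
ip flow-export version 9
ip flow-export destination 192.0.2.10 9995
!
! --- Method (e): ingress and egress on all interfaces (least efficient) ---
! A LAN-to-WAN conversation is recorded on ingress at the LAN interface
! and again on egress at the WAN interface, so the harvester receives
! the same conversation more than once.
interface GigabitEthernet0/0
 description WAN
 ip flow ingress
 ip flow egress
!
interface GigabitEthernet0/1
 description LAN-1
 ip flow ingress
 ip flow egress
!
! (the same two commands repeated on every remaining LAN interface)
!
! --- Method (a): ingress and egress on the choke point only ---
! Every LAN-to-WAN conversation crosses the WAN interface, so collecting
! both directions there reports each conversation once.
interface GigabitEthernet0/0
 description WAN
 ip flow ingress
 ip flow egress
!
interface GigabitEthernet0/1
 description LAN-1
 no ip flow ingress
 no ip flow egress
!
! (the same two "no" commands on every remaining LAN interface)
```

With the choke-point configuration, traffic that stays between two LAN interfaces never crosses the WAN interface and is not exported, which matches the post's scope of conversations between the LAN and the WAN.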