DX Unified Infrastructure Management

  • Private Community

  • 1.  Netflow rate doubling when viewed from NFA?

    Posted Oct 24, 2018 08:53 AM

    Noticed couple days ago while looking at a performance issue that it seems our Netflow bandwidth is showing double the interface rate of the WAN bandwidth.  Checked multiple sites now.  We upgraded to 9.3.8 couple months back.  I just applied the cumulative patch.  Still checking other sites for the behavior.  It's noticeable when the bandwidth is higher.  We are using  cache timeout active 60 (seconds) on our Netflow configuration.  Our netflow configuration hasn't changed.  This was not noticed when we were previously on 9.3.3.  Is there a place I can look on NFA console or collector machines or in Wireshark to confirm this behavior? 



  • 2.  Re: Netflow rate doubling when viewed from NFA?

    Broadcom Employee
    Posted Oct 24, 2018 09:21 AM

    Is WCCP configured on the interface?



  • 3.  Re: Netflow rate doubling when viewed from NFA?

    Posted Oct 24, 2018 09:50 AM

    We used to have WCCP on the interface but did not notice any issues back then.  Several months ago we had to remove WCCP due to an issue globally.  I'm looking at 1-minute resolution traffic on a 200Mbps MPLS link with a shaper.  In CA PC with 5 minute polling I see no breaches of 200Mbps capacity but when looking at NFA the interface utilization graphs shows above 200Mbps mark frequently.  When zooming out to 15-minute resolution it will show way above 200Mbps bandwidth.  It's strange and I have not noticed this before but fairly confident this behavior was not on 9.3.3.  Not sure what is causing this behavior at the moment.



  • 4.  Re: Netflow rate doubling when viewed from NFA?

    Posted Oct 24, 2018 10:00 AM

    More specifically it looks double when you zoom out for 15-minute interval.  It is definitely over the WAN interface limit when looking at 1-minute interval whether it is close to double I'll have to look more.  It should not be over the WAN interface limit I would think.  5 minute utilization polling in CAPC show way below on inbound what NFA showing but I understand it is not completely comparable as polling resolution is different.



  • 5.  Re: Netflow rate doubling when viewed from NFA?

    Broadcom Employee
    Posted Oct 24, 2018 10:52 AM

    If you have a case open and upload a pcap from the device, one of us can play it back against 9.3.3 and 9.3.8 or 9.5 and see if the results look similar. 



  • 6.  Re: Netflow rate doubling when viewed from NFA?

    Posted Oct 24, 2018 10:59 AM

    Case# 01221671 is opened.  I'll attach a wireshark. 



  • 7.  Re: Netflow rate doubling when viewed from NFA?

    Posted Oct 24, 2018 12:34 PM

    Attached wireshark to case along with screenshots of view I see in my 9.3.8 corresponding to time range of the capture.



  • 8.  Re: Netflow rate doubling when viewed from NFA?

    Posted Oct 25, 2018 11:36 AM

    I know you have an active support case open but please post your findings here when the case is resolved.  I think we're getting similar values in NFA 9.3.8.



  • 9.  Re: Netflow rate doubling when viewed from NFA?

    Posted Oct 31, 2018 01:12 PM

    Right now I notice it on ISR4431 routers with 200Mbps WAN interfaces.  NFA shows inbound over 200Mbps daily which is what stands out as a problem.