Changing from MirrorN to IPFIX in ExtremeWireless

  • Problem
  • Updated 9 months ago
  • Solved
I have an existing integration of EWC and Purview, however I went to use it today and it seems to have stopped working after I upgraded the analytics appliances to 8.0.2.42 a month ago. Some quick debugging hinted that while Netflow and mirrorN traffic was coming through, the appid process wasn't listening on the correct ports for some reason.

I figured it was then a good time to try and migrate to the new IPFIX-based method that doesn't need an L2 port any more. I followed https://gtacknowledge.extremenetworks.com/articles/How_To/Configuring-a-Identifi-Wireless-Controller... and set the Traffic Mirror L2 Port to None, and set traffic mirror to prohibited in all the VNS/Role configuration, but it's still not working. Anyone know what other configuration I need to set to make it use IPFIX?
James A, Embassador

Posted 11 months ago

Ostrovsky, Yury, Employee
Did you enable app visibility on WLAN? Usually it's all you need, plus the management IP of Purview appliance on global netflow setting, which I believe you already have configured.
James A, Embassador
Yeah, I already have Application Visibility enabled. I did try adding the flow source from EMC, but that still expects a mirror port to be set. Removing the EWCs as flow sources and then re-adding the Purview management IP in the Netflow configuration made them re-appear, but still no data. AFAICT the java process isn't listening on the right ports:
$ lsof -ni|grep java
java      1188   root  182u  IPv6    588      0t0  TCP *:45627 (LISTEN)
java      1188   root  256u  IPv6  12469      0t0  TCP 10.20.20.74:http-alt (LISTEN)
java      1188   root  257u  IPv6  12472      0t0  TCP 10.20.20.74:8443 (LISTEN)
I would have expected ports 9191 (for IPFIX) and 2095 (for EWC Netflow) to be open at least. tcpdump shows data coming in from the EWC on UDP port 2095 but an ICMP port unreachable message being sent in reply.
Dudley, Jeff, Employee
Hi James,

Does the engine need to be enforced from the EMC server? We would expect these ports to be up and listening and may not appear until an enforce happens.

udp6       0      0 :::2055                 :::*
udp6       0      0 :::2075                 :::*
udp6       0      0 :::2095                 :::*
udp6       0      0 :::161                  :::*


Thanks
Jeff
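An added example, not part of any post in this thread: a small check that reads the kind of `lsof -ni` or `netstat -uln` output pasted above and reports which flow-collector UDP ports have no listener. The function names and the choice of 2055, 2075 and 2095 as the required set are assumptions made for the illustration.

```python
import re

# Sample inputs: both listings are copied from the posts in this thread.
LSOF_BROKEN = """\
java      1188   root  182u  IPv6    588      0t0  TCP *:45627 (LISTEN)
java      1188   root  256u  IPv6  12469      0t0  TCP 10.20.20.74:http-alt (LISTEN)
java      1188   root  257u  IPv6  12472      0t0  TCP 10.20.20.74:8443 (LISTEN)
"""
NETSTAT_HEALTHY = """\
udp6       0      0 :::2055                 :::*
udp6       0      0 :::2075                 :::*
udp6       0      0 :::2095                 :::*
udp6       0      0 :::161                  :::*
"""
# Assumption: require the three non-SNMP UDP ports from the healthy listing.
EXPECTED_UDP = (2055, 2075, 2095)

# netstat style: proto, recv-q, send-q, local address, remote address
NETSTAT_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S*:(\d+)\s")
# lsof style: "... TCP addr:port (LISTEN)"; "[^\s>]" skips "a:1->b:2" connections
LSOF_RE = re.compile(r"\s(TCP|UDP)\s+[^\s>]*:([\w-]+)(?:\s|$)")


def bound_ports(listing):
    """Return {(proto, port)} for each local socket found in the listing."""
    found = set()
    for line in listing.splitlines():
        m = NETSTAT_RE.match(line.strip()) or LSOF_RE.search(line)
        if not m:
            continue
        proto, port = m.group(1).lower(), m.group(2)
        # lsof without -P prints service names such as http-alt; keep as text
        found.add((proto, int(port) if port.isdigit() else port))
    return found


def missing_udp(listing, expected=EXPECTED_UDP):
    """Return the expected UDP ports that have no bound socket."""
    have = bound_ports(listing)
    return [p for p in expected if ("udp", p) not in have]


if __name__ == "__main__":
    print("broken engine missing:", missing_udp(LSOF_BROKEN))
    print("healthy engine missing:", missing_udp(NETSTAT_HEALTHY))
```

Running `lsof` with `-P` keeps ports numeric, which avoids service names such as `http-alt` hiding a port number in the comparison.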
James A, Embassador
Yeah, I did an enforce before, and just ran "Enforce all engines" now. The overview does say "Connectivity Issues: cannot establish client connection" on both engines, I don't really know what that means though.
Dudley, Jeff, Employee
Can you still connect to the EMC server with another java client? i.e. Console
James A, Embassador
I can connect to the EMC web interface fine, but in Analytics/Configuration/Overview it looks like this:

I can't connect to the EMC with the fat clients as I have a third-party certificate installed, I'm waiting for 8.0.3 to come out to fix that bug.
Dudley, Jeff, Employee
If a restart of the netsight server service does not provide relief, check out this article.


https://gtacknowledge.extremenetworks.com/articles/Solution/Java-client-does-not-launch-application-...
James A, Embassador
Yeah, I've already been through that with GTAC, hence waiting for 8.0.3. Going back to the Purview appliances, I rebooted them as well earlier, no change.
Dudley, Jeff, Employee
Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console, is considered a client machine and neither can connect because of an issue with the EMC server.
James A, Embassador
So I've upgraded EMC and EA to 8.0.3 but appidmgmtserver.log is still saying the certificate is untrusted ... is there a way to trust it?
Peter Chang
Hi James. I'm in the same boat as well, using a cert on EMC from our internal CA. I upgraded EMC and EA to 8.0.3, and am also getting the error.

I tried changing the "Legacy Client Trust Mode" in EMC, to trust all server certificates, but it still cannot contact. When tailing the appidmgmtserver.log on EA, I do see "Cannot yet log in on management server". 

This is where I am now. I have a ticket open with GTAC too. Let me know if you have found a fix, and I'll do the same.
James A, Embassador
I haven't done any further troubleshooting yet. I did get a note on the legacy client case that Java 8u141 has a problem that's fixed in Java 8u144, but the EA VM is running Java 8u131 so that's not it.
Peter Chang
Hi James,

I have updated my appliances, EMC and Analytics, and I can confirm that with the latest update, 8.0.3.53, I am no longer seeing this issue.
James A, Embassador
Yep, going from EMC 8.0.3.46 to 8.0.3.53 fixed the issue here too. I actually upgraded the Analytics engine first, but that wasn't enough.

I also found https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-an-Indentifi-Wireless-Con... which notes I was wrong to disable the traffic mirror and Netflow, all I needed to do was disable the traffic mirror L2 port.
Steve Ballantyne
I had some similar issues when I upgraded to 8.0.2.42. It took a couple hours with support to figure it out. It turns out that it was a certificate error. I had generated my own certificate from a CA in my environment and NMS was having none of it. By deleting the certificate and going back to the self-signed certificate, Purview was then able to connect.

I also had errors bringing up any of the legacy Java stuff. But I was getting different errors after fixing the cert. And I fixed the Java problem by updating the version of Java installed on my machine.