Purview unable to identify applications

  • Problem
  • Updated 2 years ago
  • Solved
  • (Edited)
Purview unable to identify applications. All I can see are Netflows.

Config of SSA switch:

interface loop.0.1
  ip address 10.15.15.1 255.255.255.255 primary
  no shutdown
  exit
interface vlan.0.1
  ip address 192.168.0.13 255.255.255.0 primary
  no ip proxy-arp
  no shutdown
  exit
interface tun.0.1
  tunnel destination 192.168.0.12
  tunnel mode gre l2 ge.1.3
  tunnel mirror enable
  tunnel source 10.15.15.1
  no shutdown
  exit


set ip interface vlan.0.1 default

set mirror create 1
set mirror 1 mirrorN 15
set mirror ports ge.1.3 1

set netflow export-interval 1
set netflow export-destination 192.168.0.12 2055
set netflow export-version 9
set netflow port ge.1.5 enable rx
set netflow template refresh-rate 30 timeout 1
set netflow cache enable

set policy profile 1 name Application pvid-status enable pvid 4095 mirror-destination 1
set policy rule admin-profile port ge.1.5 mask 16 port-string ge.1.5 admin-pid 1
!


set port jumbo enable ge.1.1

Raul Ocampo


Posted 3 years ago


Mike Thomas, Employee - GTAC - NMS

On the Purview appliance,
1. Do an "ifconfig"
2. Do a 'tcpdump -i gre1'
3. Is the SSA meant to pass traffic or is it just a collector for Netflow and mirroring data?

You want to see the presence of 'two-way' traffic, from both source and destination. I suspect that you will want netflow and policy enabled on both the ingress and return port of what you're trying to capture (rx only), unless something else is mirroring a two-way conversation to ge.1.5. In that case you would likely want to do a 'both' on the netflow port, and a pvid 0 on the policy, but be very careful with that, as it will drop traffic if it is inline with the actual data flow.
(Edited)
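The reply above asks for evidence of two-way traffic in the gre1 capture. As an added example (not part of the thread and not Extreme's tooling), this Python script reads `tcpdump -nn -i gre1` text output and lists the conversations that were seen in one direction only. The sample lines and addresses are constructed, and the IPv4 TCP/UDP line format of `tcpdump -nn` is assumed.

```python
import re
from collections import defaultdict

# Address part of a `tcpdump -nn` IPv4 TCP/UDP line, e.g.
# "12:00:01.000001 IP 192.0.2.10.51000 > 198.51.100.20.443: Flags [S], ..."
# Four octets are required before the port so ICMP lines (no port) are skipped.
LINE_RE = re.compile(
    r"\bIP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample capture: one two-way TCP handshake, one flow where only
# the client side reaches the mirror, and one ICMP line that must be ignored.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.51000 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000900 IP 198.51.100.20.443 > 192.0.2.10.51000: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:01.001200 IP 192.0.2.10.51000 > 198.51.100.20.443: Flags [.], ack 10, win 502, length 0
12:00:02.000001 IP 192.0.2.11.40222 > 198.51.100.30.80: Flags [S], seq 5, win 64240, length 0
12:00:02.100001 IP 192.0.2.11.40222 > 198.51.100.30.80: Flags [P.], seq 6:120, ack 1, win 502, length 114
12:00:03.000001 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64
""".splitlines()


def classify_conversations(lines):
    """Map each conversation (sorted endpoint pair) to the directions seen."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 and anything else without ports
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        key = tuple(sorted((a, b)))  # identical key for both directions
        seen[key].add("fwd" if a == key[0] else "rev")
    return dict(seen)


def one_way(conversations):
    """Conversations for which the mirror delivered a single direction."""
    return sorted(k for k, dirs in conversations.items() if len(dirs) == 1)


if __name__ == "__main__":
    convs = classify_conversations(SAMPLE)
    print(f"{len(convs)} conversations, {len(one_way(convs))} one-way")
    for (a_ip, a_port), (b_ip, b_port) in one_way(convs):
        print(f"one-way only: {a_ip}:{a_port} <-> {b_ip}:{b_port}")
```

To check a live capture, replace `SAMPLE` with the saved lines of a `tcpdump -nn -i gre1` run.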

aloeffle

Hi all.

Please note that if you use an L2 GRE tunnel to transmit the mirrored traffic to Purview and your GRE port is a "tg.*.*" port, you need to insert a 10GE optic. It will not work with a 1GE optic.

Even if the tg.*.* port is up and the tunnel interface is also up, no applications are detected and no fingerprints will match.

Save some time in troubleshooting, insert a 10GE optic and reset the tunnel interface. Then you will see some applications.