cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Purview unable to identify applications

Purview unable to identify applications

Raul_Ocampo
New Contributor
Purview unable to identify applications. All I can see are Netflows.

Config of SSA switch:

interface loop.0.1
ip address 10.15.15.1 255.255.255.255 primary
no shutdown
exit
interface vlan.0.1
ip address 192.168.0.13 255.255.255.0 primary
no ip proxy-arp
no shutdown
exit
interface tun.0.1
tunnel destination 192.168.0.12
tunnel mode gre l2 ge.1.3
tunnel mirror enable
tunnel source 10.15.15.1
no shutdown
exit

set ip interface vlan.0.1 default

set mirror create 1
set mirror 1 mirrorN 15
set mirror ports ge.1.3 1

set netflow export-interval 1
set netflow export-destination 192.168.0.12 2055
set netflow export-version 9
set netflow port ge.1.5 enable rx
set netflow template refresh-rate 30 timeout 1
set netflow cache enable

set policy profile 1 name Application pvid-status enable pvid 4095 mirror-destination 1
set policy rule admin-profile port ge.1.5 mask 16 port-string ge.1.5 admin-pid 1
!

set port jumbo enable ge.1.1
2 REPLIES 2

aloeffle
Contributor
Hi all.

please not, that if you use L2 GRE Tunnel to transmit the mirrored traffic to purview and if your gre port is an " tg.*.* " port you need to insert an 10GE optic. It will not work with an 1GE optic.

even if the tg.*.* port is up and also the tunnel interface is up. no applications are detected and no fingerprints will match.

Save some time in troubleshooting, insert an 10GE optic and reset the tunnel interface. Then you will see some applications.

Mike_Thomas
Extreme Employee
On the Purview appliance,
1. Do a "ifconfig"
2. Do a 'tcpdump -i gre1'
3. Is the SSA meant to pass traffic of is it just a collector for Netflow and mirroring data?

You want to see the presence of 'two-way' traffic, from both source and destination. I suspect that you will want netflow and policy enabled on both the ingress and return port of what your trying to capture (rx only), unless something else is mirroring a two way conversation to ge.1.5. In that case you would likely want to do a 'both' on the netflow port, and a pvid 0 on the policy, but be very careful with that, as it will drop traffic if it is inline with the actual data flow.
GTM-P2G8KFN