Changing from MirrorN to IPFIX in ExtremeWireless


I have an existing integration of EWC and Purview, however I went to use it today and it seems to have stopped working after I upgraded the analytics appliances to 8.0.2.42 a month ago. Some quick debugging hinted that while Netflow and mirrorN traffic was coming through, the appid process wasn't listening on the correct ports for some reason.

I figured it was then a good time to try and migrate to the new IPFIX-based method that doesn't need an L2 port any more. I followed https://gtacknowledge.extremenetworks.com/articles/How_To/Configuring-a-Identifi-Wireless-Controller... and set the Traffic Mirror L2 Port to None, and set traffic mirror to prohibited in all the VNS/Role configuration, but it's still not working. Anyone know what other configuration I need to set to make it use IPFIX?

17 replies

Userlevel 5
Did you enable app visibility on WLAN? Usually it's all you need, plus the management IP of Purview appliance on global netflow setting, which I believe you already have configured
Ostrovsky, Yury wrote:

Did you enable app visibility on WLAN? Usually it's all you need, plus the management IP of Purview appliance on global netflow setting, which I believe you already have configured

Yeah, I already have Application Visibility enabled. I did try adding the flow source from EMC, but that still expects a mirror port to be set. Removing the EWCs as flow sources and then re-adding the Purview management IP in the Netflow configuration made them re-appear, but still no data. AFAICT the java process isn't listening on the right ports:
$ lsof -ni|grep java
java 1188 root 182u IPv6 588 0t0 TCP *:45627 (LISTEN)
java 1188 root 256u IPv6 12469 0t0 TCP 10.20.20.74:http-alt (LISTEN)
java 1188 root 257u IPv6 12472 0t0 TCP 10.20.20.74:8443 (LISTEN)

I would have expected ports 9191 (for IPFIX) and 2095 (for EWC Netflow) to be open at least. tcpdump shows data coming in from the EWC on UDP port 2095 but an ICMP port unreachable message being sent in reply.
Userlevel 2
Hi James,

Does the engine need to be enforced from the EMC server? We would expect these ports to be up and listening and may not appear until an enforce happens.

udp6 0 0 :::2055 :::*
udp6 0 0 :::2075 :::*
udp6 0 0 :::2095 :::*
udp6 0 0 :::161 :::*

Thanks
Jeff
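
Added example (not part of the thread, and not Extreme Networks code): a small check that reads `netstat -uln`-style output and reports which of the collector ports named in this thread have no UDP listener. The function name and sample data are constructed for illustration, and treating the IPFIX port 9191 as UDP is an assumption.

```shell
#!/bin/sh
# Added example: report expected flow-collector UDP ports with no listener.
# Input on stdin: netstat-style lines (protocol in column 1, local address
# in column 4), the same layout as the listener output quoted in the thread.

# Ports named in the thread: 2055/2075/2095 (listener list) and 9191 (IPFIX).
# Assumption: 9191 is a UDP listener like the others.
EXPECTED_PORTS="2055 2075 2095 9191"

missing_udp_ports() {
    # $1 = space-separated expected ports; prints the ones not bound.
    awk -v want="$1" '
        BEGIN { n = split(want, w, " ") }
        $1 ~ /^udp/ {
            # The port follows the last colon of the local address, which
            # also covers IPv6 wildcard forms such as ":::2095".
            p = $4
            sub(/.*:/, "", p)
            seen[p] = 1
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen))
                    out = out (out == "" ? "" : " ") w[i]
            print out
        }'
}

# Constructed sample: the listener list an engine is expected to show.
SAMPLE_OK='udp6 0 0 :::2055 :::*
udp6 0 0 :::2075 :::*
udp6 0 0 :::2095 :::*
udp6 0 0 :::161 :::*'

# Constructed sample: only a TCP listener and SNMP are bound, so flow
# records arriving on UDP 2095 would get an ICMP port unreachable reply.
SAMPLE_BAD='tcp6 0 0 :::8443 :::* LISTEN
udp6 0 0 :::161 :::*'

printf 'missing on bad sample: %s\n' \
    "$(printf '%s\n' "$SAMPLE_BAD" | missing_udp_ports "$EXPECTED_PORTS")"
```

On an engine, the same function can be fed live data with `netstat -uln | missing_udp_ports "$EXPECTED_PORTS"`.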
Dudley, Jeff wrote:

Hi James,

Does the engine need to be enforced from the EMC server? We would expect these ports to be up and listening and may not appear until an enforce happens.

udp6 0 0 :::2055 :::*
udp6 0 0 :::2075 :::*
udp6 0 0 :::2095 :::*
udp6 0 0 :::161 :::*

Thanks
Jeff

Yeah, I did an enforce before, and just ran "Enforce all engines" now. The overview does say "Connectivity Issues: cannot establish client connection" on both engines, I don't really know what that means though.
Userlevel 2
Can you still connect to the EMC server with another java client? i.e. Console
Dudley, Jeff wrote:

Can you still connect to the EMC server with another java client? i.e. Console

I can connect to the EMC web interface fine, but in Analytics/Configuration/Overview it looks like this:


I can't connect to the EMC with the fat clients as I have a third-party certificate installed, I'm waiting for 8.0.3 to come out to fix that bug.
Userlevel 2
If a restart of the netsight server service does not provide relief check out this article.

https://gtacknowledge.extremenetworks.com/articles/Solution/Java-client-does-not-launch-application-...
Dudley, Jeff wrote:

If a restart of the netsight server service does not provide relief check out this article.

https://gtacknowledge.extremenetworks.com/articles/Solution/Java-client-does-not-launch-application-...

Yeah, I've already been through that with GTAC, hence waiting for 8.0.3. Going back to the Purview appliances, I rebooted them as well earlier, no change.
Userlevel 2
Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console is considered a client machine and neither can connect because of an issue with the EMC server.
Dudley, Jeff wrote:

Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console is considered a client machine and neither can connect because of an issue with the EMC server.

Ahh, when you put it like that, now I understand. Any idea when 8.0.3 will be out? I didn't switch to the built-in certificate as I didn't want to confuse our helpdesk but I may just have to as I need Purview working now.
Userlevel 2
Dudley, Jeff wrote:

Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console is considered a client machine and neither can connect because of an issue with the EMC server.

Cool. I believe 803 is due out at the end of this month.
Dudley, Jeff wrote:

Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console is considered a client machine and neither can connect because of an issue with the EMC server.

So I've upgraded EMC and EA to 8.0.3 but appidmgmtserver.log is still saying the certificate is untrusted ... is there a way to trust it?
Userlevel 1
Dudley, Jeff wrote:

Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console is considered a client machine and neither can connect because of an issue with the EMC server.

Hi James. I'm in the same boat as well, using a cert on EMC from our internal CA. I upgraded EMC and EA to 8.0.3, and am also getting the error.

I tried changing the "Legacy Client Trust Mode" in EMC, to trust all server certificates, but it still cannot contact. When tailing the appidmgmtserver.log on EA, I do see "Cannot yet log in on management server".

This is where I am now. I have a ticket open with GTAC too. Let me know if you have found a fix, and I'll do the same.
Dudley, Jeff wrote:

Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console is considered a client machine and neither can connect because of an issue with the EMC server.

I haven't done any further troubleshooting yet. I did get a note on the legacy client case that Java 8u141 has a problem that's fixed in Java 8u144, but the EA VM is running Java 8u131 so that's not it.
Userlevel 1
Dudley, Jeff wrote:

Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console is considered a client machine and neither can connect because of an issue with the EMC server.

Hi James,

I have updated my appliances, EMC and Analytics, and I can confirm that with the latest update, 8.0.3.53, I am no longer seeing this issue.
Dudley, Jeff wrote:

Correct. I wouldn't expect a reboot of Purview would help. Purview, like Console is considered a client machine and neither can connect because of an issue with the EMC server.

Yep, going from EMC 8.0.3.46 to 8.0.3.53 fixed the issue here too. I actually upgraded the Analytics engine first, but that wasn't enough.

I also found https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-an-Indentifi-Wireless-Con... which notes I was wrong to disable the traffic mirror and Netflow, all I needed to do was disable the traffic mirror L2 port.
Userlevel 5
I had some similar issues when I upgraded to 8.0.2.42. It took a couple hours with support to figure it out. It turns out that it was a certificate error. I had generated my own certificate from a CA in my environment and NMS was having none of it. By deleting the certificate and going back to the self-signed certificate, Purview was then able to connect.

I also had errors bringing up any of the legacy Java stuff. But I was getting different errors after fixing the cert. And I fixed the Java problem by updating the version of Java installed on my machine.
