EWC is not sending packets to the mirror L2 port


Userlevel 5
I initially had some trouble getting my EWC to talk to my Purview box. That has been resolved, and now my Purview box is receiving flow statistics. However, it's not receiving the actual flow data.

On my controller, I am using esa0 as lag1 which (at present) contains all of my WLAN's. esa1 is defined as a mirror. I have esa1 connected directly to a NIC on my VMWare server, which is then attached via VMWare to my Purview host. Initially I thought this might be related to Purview or the VMWare server.

However - if I ssh' into my controller and run a 'shell', then do a 'tcpdump -i eth1', I am seeing nothing flowing through that NIC.

I have gone over and over my settings on the controller, and just about everywhere I can look I have mirroring "allowed in both directions" and Netflow set to enabled.

Anyone how an idea on where I can look?

Thanks!!

15 replies

Userlevel 5
Couple things to check... Make sure you have both interfaces configured on the Purview box.. do a "ifconfig" and make sure you have the loopback, eth0 and eth1 listed. (sometimes you might need to the command as "ifconfig | more" to see everything), could be you selected a single interface when you installed it? Check that and let me know...
Userlevel 5
I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...
Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

Hi Bill, thanks for helping out.

Looks like my Interfaces are okay on the Purview VM ...
root@purview:~$ ifconfig | more eth0 Link encap:Ethernet HWaddr 00:0c:29:41:eb:bf inet addr:10.60.60.152 Bcast:10.60.60.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe41:ebbf/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1220111 errors:0 dropped:30 overruns:0 frame:0 TX packets:302413 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:160181516 (160.1 MB) TX bytes:73892480 (73.8 MB) eth1 Link encap:Ethernet HWaddr 00:0c:29:41:eb:c9 inet6 addr: fe80::20c:29ff:fe41:ebc9/64 Scope:Link UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:2 errors:0 dropped:0 overruns:0 frame:0 TX packets:12 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:120 (120.0 😎 TX bytes:936 (936.0 😎 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:2742 errors:0 dropped:0 overruns:0 frame:0 TX packets:2742 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:513448 (513.4 KB) TX bytes:513448 (513.4 KB)
[/code][/code]But even if there were problems there, wouldn't I at least see packets begin sent when running a tcpdump on the controller side?

I should be good with number of cores. I have a C5210, and it looks like all CPU cores and threads are reporting in ...

root@EWC.kch.local:~# less /proc/cpuinfo | grep processor processor : 0 processor : 1 processor : 2 processor : 3 processor : 4 processor : 5 processor : 6 processor : 7 processor : 8 processor : 9 processor : 10 processor : 11 processor : 12 processor : 13 processor : 14 processor : 15 processor : 16 processor : 17 processor : 18 processor : 19 processor : 20 processor : 21 processor : 22 processor : 23
[/code]
[/code]
Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

OK.. C5210 you should be good to go on cores. Next, do you have a laptop that you could drop wireshark on? I would then take es1 and drop in the laptop with wireshark to see if you see anything on the wire first. If you do then you you need to focus on the ESXi interfaces. Let me know and we can go from there...
Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

I will give that a shot when I am in the office tomorrow.

Also, do I need to have "Management Traffic" checked on the VNS that I am trying to collect Purview data on?
Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

Should not matter if you are receiving the Netflow information. Now we just have to figure out the mirror situation. Main thing is to see if there is any info coming in. Just quick.. you have premiscuous mode enabled on all of the virtual interfaces correct?
Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

Hello Bill, yes, I have promisc' set on the VMWare NIC. And my mirror NIC is showing the promisc' flag on the controller in the ifconfig output.

Still seems like doing a tcpdump -i eth1 on the controller should show me something. With it not showing a single packet, that tells me that my mirror is somehow flawed.
Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

Well, I ran a Wireshark capture on that port. Got the same thing ... nothing! 😞
Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

Well at least that is good... Now we just have to troubleshoot the C5200 - Have you already started a case on this with TAC?
Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

I hate to ask, but we have the correct port for esa1, correct?

Userlevel 5
Bill Stritzinger wrote:

I just ran across this article too... How many cores does the EWC have configured, if 2 or less it looks like things wont work... https://gtacknowledge.extremenetworks.com/articles/Solution/Netflow-is-not-being-sent-to-the-PurView...

Yes, my mirror is connected to port "E", esa1 which does show a connection ...

root@EWC.kch.local:~# ethtool eth1Settings for eth1:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: d
Current message level: 0x00000007 (7)
Link detected: yes

[/code]
I am going to work on getting a TAC case opened.
Userlevel 5
I opened a TAC case on this today, #01194547. I will let you all know the outcome.
Userlevel 5
This was a tough one to get fixed, but with the help of multiple support folks at Extreme, we located and resolved multiple problems. Namely ...

#1 - The management IP on my Wireless Controller was on the same network as my Purview's management interface (eth0). Because I was able to manage my controller from another interface, on a separate network, we opted to move the management interface to an unused subnet and then pulled the plug on that port. We also rebooted, to clear the routes.

#2 - I was looking at the wrong physical NIC on my VMWare server. I had a built-on 4 ports, and 4 more ports on an added NIC. One was numbered right to left, and the other left to right. Nice and confusing. Once I had the right physical port mapped to the VM as my eth1, we were good to go.

Resolved!!
Userlevel 7
Steve Ballantyne wrote:

This was a tough one to get fixed, but with the help of multiple support folks at Extreme, we located and resolved multiple problems. Namely ...

#1 - The management IP on my Wireless Controller was on the same network as my Purview's management interface (eth0). Because I was able to manage my controller from another interface, on a separate network, we opted to move the management interface to an unused subnet and then pulled the plug on that port. We also rebooted, to clear the routes.

#2 - I was looking at the wrong physical NIC on my VMWare server. I had a built-on 4 ports, and 4 more ports on an added NIC. One was numbered right to left, and the other left to right. Nice and confusing. Once I had the right physical port mapped to the VM as my eth1, we were good to go.

Resolved!!

Sounds like a nice fun mess 🙂 Glad you got it sorted out and are up and running.

Thanks for coming back to update the thread!
Userlevel 5
Great to hear... Thank you for letting us know!

Reply