Purview unable to identify applications

Purview unable to identify applications. All I can see are Netflows.

Config of SSA switch:

interface loop.0.1
ip address primary
no shutdown
interface vlan.0.1
ip address primary
no ip proxy-arp
no shutdown
interface tun.0.1
tunnel destination
tunnel mode gre l2 ge.1.3
tunnel mirror enable
tunnel source
no shutdown

set ip interface vlan.0.1 default

set mirror create 1
set mirror 1 mirrorN 15
set mirror ports ge.1.3 1

set netflow export-interval 1
set netflow export-destination 2055
set netflow export-version 9
set netflow port ge.1.5 enable rx
set netflow template refresh-rate 30 timeout 1
set netflow cache enable

set policy profile 1 name Application pvid-status enable pvid 4095 mirror-destination 1
set policy rule admin-profile port ge.1.5 mask 16 port-string ge.1.5 admin-pid 1

set port jumbo enable ge.1.1

2 replies

Userlevel 6
On the Purview appliance,
1. Do a "ifconfig"
2. Do a 'tcpdump -i gre1'
3. Is the SSA meant to pass traffic of is it just a collector for Netflow and mirroring data?

You want to see the presence of 'two-way' traffic, from both source and destination. I suspect that you will want netflow and policy enabled on both the ingress and return port of what your trying to capture (rx only), unless something else is mirroring a two way conversation to ge.1.5. In that case you would likely want to do a 'both' on the netflow port, and a pvid 0 on the policy, but be very careful with that, as it will drop traffic if it is inline with the actual data flow.
Userlevel 2
Hi all.

please not, that if you use L2 GRE Tunnel to transmit the mirrored traffic to purview and if your gre port is an " tg.*.* " port you need to insert an 10GE optic. It will not work with an 1GE optic.

even if the tg.*.* port is up and also the tunnel interface is up. no applications are detected and no fingerprints will match.

Save some time in troubleshooting, insert an 10GE optic and reset the tunnel interface. Then you will see some applications.