purview receives netflow and mirrorN, but apps are not identified

htw
New Contributor III
Hi,
I installed a virtual VMware Purview/Analytics AAE in deployment mode 2 (Interface mirrored), with eth0 for netflow and management and eth1 for mirror packet reception:
0. Accept settings and continue
1. Hostname: interpur
2. Deployment Mode: Dual Interface Mirrored
3. Management Interface Configuration (eth0):
Address: 192.168.64.220
Netmask: 255.255.254.0
Gateway: 192.168.64.1
Nameserver: [our dns]
Domain name: [our domain]
4. NIS Server/Domain: Not Configured
5. Monitor Interface Configuration :
Tap Mode Interfaces eth1
An SSA switch sends its netflow packets towards 192.168.64.220 and has a mirror-n towards one of its switch ports which is directly connected to the AAE's host. (AAE's eth1 is mapped to a dedicated vswitch with promiscuous mode and All VLAN (4095) enabled. This vswitch uses the esxi-host's physical adapter which is directly connected to the SSA mirror port ge.1.17.)

SSA mirror and netflow config:
# mirror
set mirror create 2
set mirror 2 mirrorN 15
set mirror ports ge.1.17 2
# policy
set policy profile 1 name Purviewmirror pvid-status enable pvid 4095 mirror-destination 2
set policy rule admin-profile port lag.0.4 mask 16 port-string lag.0.4 admin-pid 1
set policy rule admin-profile port lag.0.5 mask 16 port-string lag.0.5 admin-pid 1
set policy rule admin-profile port ge.1.45 mask 16 port-string ge.1.45 admin-pid 1
set policy rule admin-profile port tg.1.4 mask 16 port-string tg.1.4 admin-pid 1
# netflow
set netflow export-interval 1
set netflow export-destination 192.168.64.220 2055
set netflow export-version 9
set netflow port lag.0.4-5 enable rx
set netflow port ge.1.45 enable rx
set netflow port tg.1.4 enable rx
set netflow template refresh-rate 30 timeout 1
set netflow cache enable
AAE receives netflow packets on eth0:
root@interpur:~$ tcpdump -i eth0 udp port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:28:35.047775 IP 192.168.64.9.2055 > interpur.man.htw-berlin.de.2055: UDP, length 1420
11:28:35.052489 IP 192.168.64.9.2055 > interpur.man.htw-berlin.de.2055: UDP, length 1444
11:28:35.058061 IP 192.168.64.9.2055 > interpur.man.htw-berlin.de.2055: UDP, length 1464
...
AAE receives mirror packets on eth1:
root@interpur:~$ tcpdump -i eth1 -c 2
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:32:07.549780 20:b3:99??72:3b (oui Unknown) > 20:b3:99:55:a0:1f (oui Unknown), ethertype Unknown (0x7034), length 70:
0x0000: a001 0800 4500 0034 01b2 4000 3406 395e ....E..4..@.4.9^
0x0010: 40ca 7004 8d2d cdb8 0050 c52b 245a cadb @.p..-...P.+$Z..
0x0020: 12e4 469b 8010 003e e21e 0000 0101 080a ..F....>........
0x0030: 6b12 fa03 36f0 de74 k...6..t
11:32:07.549789 20:b3:99??72:3b (oui Unknown) > 20:b3:99:55:a0:1f (oui Unknown), ethertype Unknown (0x7034), length 64:
0x0000: a001 0800 4500 002c 104b 0000 3006 d058 ....E..,.K..0..X
0x0010: bad4 81d1 8d2d e055 0aac 0913 8d2d e055 .....-.U.....-.U
0x0020: 0000 0000 6002 11b4 5b0f 0000 0204 05ac ....'...[.......
0x0030: 0000 ..
Management Center also shows netflow and mirror packets:


But the Identification Rate stays at 0% and Application Infos are not populated. What could be the reason? AAE was enforced and rebooted.
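As an added example (not from the original post and not Extreme's own code), a small Python decapsulator for the mirrorN frames shown in the eth1 trace above, so the inner flows in a mirror feed can be checked by hand independently of the appliance. The header layout (a 2-byte tag after the outer EtherType 0x7034, then the inner EtherType and the IP packet with its own MACs stripped) is an assumption inferred from the frame lengths in the trace, and the outer MAC addresses are reconstructed with a placeholder for the garbled octet.

```python
import struct
from ipaddress import IPv4Address

OUTER_ETHERTYPE = 0x7034  # what tcpdump printed as "ethertype Unknown (0x7034)"
ETHERTYPE_IPV4 = 0x0800
ETH_HDR = 14

# Constructed test frames: payload bytes copied from the two eth1 dumps in the
# post, prefixed with a synthesised outer Ethernet header (tcpdump -x omits it).
# One octet of the source MAC is garbled in the post; 00 is a placeholder.
OUTER_HDR = bytes.fromhex("20b39955a01f 20b39900723b") + struct.pack("!H", OUTER_ETHERTYPE)
FRAME_1 = OUTER_HDR + bytes.fromhex(
    "a001 0800 4500 0034 01b2 4000 3406 395e 40ca 7004 8d2d cdb8 0050 c52b 245a cadb"
    "12e4 469b 8010 003e e21e 0000 0101 080a 6b12 fa03 36f0 de74")
FRAME_2 = OUTER_HDR + bytes.fromhex(
    "a001 0800 4500 002c 104b 0000 3006 d058 bad4 81d1 8d2d e055 0aac 0913 8d2d e055"
    "0000 0000 6002 11b4 5b0f 0000 0204 05ac 0000")

def decapsulate_mirrorn(frame: bytes) -> dict:
    """Return the inner IPv4 flow of one mirrorN-encapsulated frame.

    Assumed layout (inferred from the trace lengths, not vendor documentation):
    outer Ethernet header, 2-byte mirrorN tag, inner EtherType, then the inner
    IP packet with its own MACs stripped: 70 = 14+2+2+52, 64 = 14+2+2+44 (+2 pad).
    """
    if len(frame) < ETH_HDR + 4 + 20:
        raise ValueError("frame too short for mirrorN + IPv4 headers")
    (outer_type,) = struct.unpack_from("!H", frame, 12)
    if outer_type != OUTER_ETHERTYPE:
        raise ValueError(f"outer EtherType 0x{outer_type:04x} is not mirrorN")
    tag, inner_type = struct.unpack_from("!HH", frame, ETH_HDR)
    if inner_type != ETHERTYPE_IPV4:
        raise ValueError(f"inner EtherType 0x{inner_type:04x} is not IPv4")
    ip = frame[ETH_HDR + 4:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed inner IPv4 header")
    total_len, proto = struct.unpack_from("!H", ip, 2)[0], ip[9]
    flow = {"tag": tag, "proto": proto, "sport": None, "dport": None,
            "src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "ip_len": total_len, "truncated": len(ip) < total_len}  # cut by snaplen?
    if proto in (6, 17) and len(ip) >= ihl + 4:  # TCP or UDP: ports follow the IP header
        flow["sport"], flow["dport"] = struct.unpack_from("!HH", ip, ihl)
    return flow

if __name__ == "__main__":
    for d in map(decapsulate_mirrorn, (FRAME_1, FRAME_2)):
        print(f"0x{d['tag']:04x} proto {d['proto']} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']}")
```

Feeding frames from a pcap of the mirror port through this function shows whether the collector is seeing whole, correctly encapsulated flows or only truncated or unexpected EtherTypes.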

Since the packets seemed to be encapsulated according to your packet traces, this seems plausible.

Jeremy_Gibbs
Contributor
I notice I have these two lines in my config:

set netflow export-data enable mac
set netflow export-data enable vlan

Mike_Thomas
Extreme Employee
I would open a GTAC ticket, it does not appear to be an obvious problem.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-contact-Extreme-Networks-Global-Tec...

htw
New Contributor III
A computer with Windows Wireshark was directly connected to SSA ge.1.17.

Mike_Thomas
Extreme Employee
Where was the trace taken?