DX Unified Infrastructure Management

Hello all, i installed a ReporterAnalyzer 9.0 sp1 over Windows Server 2008 enterprise sp1, Distributed, i have several routers in the ENABLE INTERFACES section, the problem is that when i try to Enable any interface i can do this but CANT assign a LICENCE, or ReporterAnalyzer doesnt assign a licence to this interface, i check things like the flows size, available licence, harvester ok, whay do you thing that must be happening ?? what else i must check in order to fix this issue quickly. thanks in advance.


Sergio.

The first two things to check are whether or not your DSA is working and whether or not you're getting valid flows. The license isn't consumed until data gets to the DSA. If something's broken there, you won't see a license consumed. If you're getting partial flows or invalid flows, it's possible to see the router in RA under 'enable interfaces', but since there's no data, it doesn't get into the DSA and no license is consumed. Use the NFAParser to verify that you're getting in and out flows on the interfaces you expect.

hello Stuart, in fact i run a parser and i can see that i have valid flows, the size its ok, currently other subinterface enables correctly the licence and others subinterfaces of the same Interface doesnt enable.

the secuence i did its:

1.- check avaliable licences OK
2.- check Pump service and restart OK
3.- Run PArser and check flows and size OK

PARSER out

Ifindex 136 bytes in: 8.16 MB 217.65 Kbps 2463 Fpm 53.4 Pps
Ifindex 136 bytes out: 8.60 MB 229.45 Kbps 3154 Fpm 71.2 Pps


4.- i think that DSA's are working becauser other interfaces are reporting OK


what else do you thing i must check ??


Thank you very much !

Doesn't look like a lot of traffic. It might not be meeting the size criteria for storage in the DSA. Can you synthetically push more traffic over that link to ensure that some real volume gets stored? Are there GRE tunnels going over this interface?

if amount of traffic on a given interface is greater than 50KB per 15 minutes. it should be fine.
15 minute data resolution points will not be created for any values less than 50KB.

Thanks, i was too lazy to look it up. So that's not it. Have you had any luck with support? I doubt this is a similar case since the architecture changed dramatically with NFA.

You say it's sampled netflow. What's the make/model of the router and can you post the config (blank out any sensitive info of course)?

Customer said me that NO GRE Tunnel on that interface, i must tell you that this router have a 1/1000 sampled enabled, could this affect ??

i find in the TIPS section a case NFA Tech Tip: Interface enables but will not license. but this happens in a new version of NFA, do you think that this is a similar case ?????

thanks

hello, the Router model is a CISCO 12000 and we must tell that this router have several interfaces with enabled and licenced interfaces, this is too weird because the same router has enable interaces with licence and enable interfaces with out licence.

Hm. Sounds like your config is right on the router, unless there's some difference between those two interfaces. If there's no appreciable difference, i'd say there has to be something wrong with your RA. I assume it's not a XR 12000, right?

Sounds like a support call to me.

in fact, the router isnt a XR, is a CISCO 12410 IOS 12.0 (33)S7, i must tell you that this behavior its present in other routers in my RA, so, probably its a BUG. =(

i open a case to CA support but they are telling me how to enable and disable interfaces, i just send them an email ind tell them this behavior.


what i should do ??


thanks

Are you by chance using all available licenses?
Go to the "About" screen to see your license status.

What version of NetFlow are they running 5 or 9?

What is the Ingress/Egress configuration on the interfaces?

If this is not properly setup it can cause issues.

Sounds like RA is working because other interfaces on the same device got licensed and is showing data.

However if the flows from this interface are missing one of the required NetFlow fields it will not license.
If you can get a PCAP then go to "Analyze->Decode" and decode all traffic on UDP 9995 to "CFLOW" you can check the flows for if index 136 to see if they have the required fields below.

Below are the reuired NetFlow fields
1 - IN_BYTES or 85 – IN_PERMANENT_BYTES
4 - PROTOCOL
7 - L4_SRC_PORT
8 - IPV4_SRC_ADDR
10 - INPUT_SNMP
11 - L4_DST_PORT
12 - IPV4_DST_ADDR
14 - OUTPUT_SNMP

If these aren't all being received for ifindex 136 you may not see data.

Now if this all checks out sometimes we see issues if the router was at some point incorrectly configured, but then when you do get it correct it may still not work properly in RA.

In this case you can go to the Harvester Server where this router is sending its flow to and run the commands below.
Please note this is a database update so make sure you are in the correct database and you run the commands exactly as below.
Best practice is to backup the databases before ever making any changes.

mysql -P3308 harvester
truncate table routers;
truncate table interfaces;

Then recycle the "NetQos Harvester Service", and wait about 30 minutes or so, verify you are receiving at least 50 kb of data over each 15 minutes, and then check again to see if it gets Licensed.

If it still won't license, disable the interface, and enable it again and look for errors for this router/interface in the PumpLog on the RA console in \Netqos\reporter\logs.

Let us know how it goes.

-Chris

Doesn't the fact that the NFAParser interprets it mean that the decode is successful? If the netflow weren't complete, wouldn't the nfaparser give some indication? How would you get nfa files if the flows were messed up?

Stu, in most cases yes, but not always. We have seen many cases where the NFAParser will show data, but when we dig deeper into the PCAP we see issues with missing fields or other problems.

The NFAParser is a nice quick tool to start off troubleshooting, it tells us for sure if we are getting any flow and if the flow looks close to being valid, but many times for 'stubborn' routers/interfaces we need to dig into the pcap to find the root cause.

I also provided the other steps which may help resolve this as well if the PCAP does check out to be ok.

let me answer the questions

1.- we are using Netflow V9
2.- the ingress egress congifuration on each interface is:

ip route-cache flow sampled input
ip route-cache flow sampled output

3.- i send you an attached file to see the PCAP out
4.- NFA parser is showing flows

comment please



pd Im trying to run a flow forensics report and this doesnt work it looks like colapse =(


thanks in advance.

I would advise against sending the PCAP here, you are better off sending that to the support engineer working your support issue. As this is public forum and you may not want others to have that information.

However the screenshot of the PCAP looks like it is ok.

Did you try my other suggestions?

On the Harvester...
mysql -P3308 harvester

truncate table routers;
truncate table interfaces;


Then recycle the "NetQos Harvester Service", and wait about 30 minutes or so, verify you are receiving at least 50 kb of data over each 15 minutes, and then check again to see if it gets Licensed.

If it still won't license, disable the interface, and enable it again and look for errors for this router/interface in the PumpLog on the RA console in \Netqos\reporter\logs.

FYI sergio, if you upload your screenshot in jpg or png format, the message board will automatically show the image. This prevents users from having to download the document just to view the image. Downloading documents that can be uploaded in a public forum like this can be dangerous because you never know if the doc might be contaminated.

thanks Stuart, i was wondering that =)

Good Afternoon, after all, i did the procedure that Chris told me but doesn't work , the interface doesn´t got a licence, its enable now but no licence.

what do you think gentleman ?


Thank you

Did you check the PumpLog after disabling and re-enabling the interface like in my last 2 suggestions?
Any errors there for this interface?

Did you check your available license limit, by clicking on the "About" link?

Yes Chris, i dd check the log and find nothing about that interface and i have enougth Licenses, run all your instructions.

Hello Chris and Stuart, let me tell you that i was working with CA support and we deleted some Routers ( as Chris told me) that have troubles (we read this in Pump log) and after 24 hours the RA is working OK, Support realize that the problem found in the LOG truncate the PUMP service and this was unable to manage LICENCES and assign, CA SUPPORT thinks that still there's a problem with MySQL tables but today tha RA is stabilizing, we continue reporting you news, thank you.

Sergio

Sergio,

Glad to see its working, was there a specific message in the PumpLog that support found?

Regards,
Chris

yes Chris, the specific error was this:

1:01:28 4 - DataConverter - Failed to create agent for 10.255.9.133::103 :
DataConverter: Due to errors, pump will not attempt to create any more agents until 01:45 a.m.

this error was repeated several times and block the PUMP Service .



what do you think ?