APM/TIM 10.1 version
I am trying to record some transactions using CEM. I can see some transactions are captured when we hit URL but some are not.
I wonder why some are captured and some are not. There are no filters set to restrict IPs, protocols or ports.
Is it due to where MTP is deployed on our network?
One of the old Tuesday tips states the following:
The MTP is collecting data but not seeing traffic from a particular server.
The MTP appliance can do filtering at two locations:
The MTP hardware filter (Administration>Logical port) is filtering out traffic from particular ports, VLANs, or IP subnets.
The TESS Web Server filter does not include certain IP addresses so it is excluding traffic. With MTP appliances, it is recommended to do the filtering on the MTP side with the hardware filters rather than on the TIM side with the web server filters.
But there are no web server filters set on the TIM side, and I hope there are no hardware filters either (have to double check).
But under what scenarios does the MTP not see traffic from a particular server when there are no filters set?
I take it the issue is not seeing it all of the time versus not seeing it at all.
Counting/Recording inconsistency issues can be difficult and time consuming to resolve. I attached two draft documents that may help. If you are seeing transactions sometimes when recording and other times not, then I would check:
- SSL decode failure rates/cipher suites
- Traffic quality such as out of order packets, empty packets, going through a different set of servers, not seeing the round trip, etc. See if any patterns show up.
I would have my switch connection do the filtering followed by MTP and then TIM.
Once you add a Web Server filter, then you have to explicitly add them all.
If you see the transaction (HTTP Request and Response in the TIM log), it should be able to record.
This likely will be a case. But I hope this is a good start.
Please let me know if my answer was helpful, if you need further assistance, or if this thread can be marked as closed.
I will check those steps, but if a specific server IP is not captured by the MTP itself, do any of the above causes still apply?
I ran the command below as well, but there was no traffic for some specific server IPs. We also checked for this server IP in the MTP analysis page, but no luck.
tcpdump -i eth1 'tcp port 443'|grep ip_address
Does this mean MTP did not capture traffic for this server IP? If it's the case, what should we do?
So if you never see a server IP address in tcpdump/buildcap/TIM logs, then that means:
- Switch is not configured to capture IP address (filtered out/not included)
- Something between switch and TIM is filtering out that IP
- IP address is changing to another IP and you have to add the redirected IP to webserver filters
- Need to add reverse proxy/load balancer/firewall IP addresses to web server filters
- SSL private key needs to be added to TIM
- Traffic is one-way or redirected
- Other factors such as protocols used by router or application are in play
Your network team can help determine the root cause and needed changes to send the server IPs to the TIM.
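
Added example, not part of the original thread: a small parser that separates "server IP absent" from "traffic is one-way" and lists every server IP actually seen on port 443, so a redirected or load balancer address stands out. It assumes text output from `tcpdump -nn -i eth1 'tcp port 443'` (numeric addresses, so the IP appears literally); the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# IPv4 TCP lines as printed by `tcpdump -nn` (numeric addresses and ports).
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags"
)

def directions(lines, port=443):
    """Count packets to and from each server IP on the given server port."""
    seen = defaultdict(lambda: {"to_server": 0, "from_server": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # non-TCP, IPv6 or truncated line
        src, sport, dst, dport = m.groups()
        if int(dport) == port:
            seen[dst]["to_server"] += 1
        elif int(sport) == port:
            seen[src]["from_server"] += 1
    return dict(seen)

def verdict(lines, server_ip, port=443):
    """Classify what the monitor interface sees for one server IP."""
    counts = directions(lines, port).get(server_ip)
    if counts is None:
        return "absent"  # filtered upstream, or traffic uses another IP
    if counts["from_server"] == 0:
        return "one-way: client to server only"
    if counts["to_server"] == 0:
        return "one-way: server to client only"
    return "round trip"

# Constructed sample output (documentation address ranges, not real hosts).
SAMPLE = """\
10:15:01.000101 IP 198.51.100.7.51514 > 192.0.2.10.443: Flags [S], seq 100, win 64240, length 0
10:15:01.000350 IP 192.0.2.10.443 > 198.51.100.7.51514: Flags [S.], seq 900, ack 101, win 65160, length 0
10:15:01.000410 IP 198.51.100.7.51514 > 192.0.2.10.443: Flags [.], ack 1, win 502, length 0
10:15:02.100000 IP 198.51.100.8.40222 > 192.0.2.20.443: Flags [S], seq 300, win 64240, length 0
10:15:03.100000 IP 198.51.100.8.40222 > 192.0.2.20.443: Flags [S], seq 300, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "->", verdict(SAMPLE, ip))
    print(directions(SAMPLE))
```

An "absent" verdict points at the switch or an upstream filter, while a one-way verdict means the monitor port never sees the return path.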
Thanks, this is what I need. I will do further analysis and come back.
Thanks Karthik. I will mark as answered. Depending on what you find, a case may be needed. But most of the above are infrastructure issues, not APM.