How does NFA detect a Router Reboot?
Article ID: 138838
Updated On:
Products
Issue/Introduction
When NFA detects a router reboot, it will temporarily stop flow collection for a device until it can be successfully SNMP polled, this may result in a data gap during that time. This KB explains how NFA determines a router reboot.
Environment
Release : 10.0
Component : NQRPTA - REPORTERANALYZER
Resolution
NFA handles this differently for Netflow v5/9 and IPFIX.
Netflow version 5 and 9:
NFA looks at the sysuptime field in the Netflow data received from the device.
When NFA sees a sysuptime less than the last sysuptime seen in a flow, it will treat the router as it rebooted and will drop all flows until a successful SNMP poll of the device to ensure the ifindex to interfaces names still match up.
IPFIX:
NFA looks at the FlowSequence in each flow plus the number of flows seen in that frame to get the expected next FlowSequence.
For example in the flow below, the current FlowSequence is 28556844, and there are 16 flows in this frame as you can see below, so the next expected FlowSequence should be 28556844 plus the 16 flows should be 28556860.
NFA allows a variance of 1000, so if the next FlowSequence is within 1000 of the expected next FlowSequence, it will not treat the router as if it rebooted.
If it the next flow sequence is off by more than a 1000 it will place the router in a RebootRefresh state and will drop flows until a successful SNMP poll of the device.
Feedback
