Why do I see large spikes in 1 minute resolution data that is not as noticeable in 15 minute resolution data?
Article ID: 31763
Updated On:
Products
Issue/Introduction
You may see an issue where you see large spikes in 1 minute resolution data that is far above the maximum bandwidth on the interface. However if you look at 15 minute resolution data, you may not see as large of a spike in data.
An example of this is below. Where the max bandwidth of the interface is 1.54 Mpbs, however the data is spiking over 20 Mpbs.
Environment
NFA 9.x or above
Cause
This is a Device issue not NFA.
This happens when the Netflow data coming into NFA from the Netflow enabled device is not being sent once every minute.
NFA calculates data every minute and so requires that each flow be only 1 minute in length. If you have it set to anything higher or don't have it set at all, then when NFA receives a flow, the flow data itself could be for 2 min worth or more of traffic on the interface or more, but NFA will assume it is for the last minute only. This will cause the interface to show more data than it can handle for that minute.
This is often far more visible in 1 minute resolution data than it is in 15 minute resolution data.
Resolution
To resolve this issue make sure the setting below, or the equivalent setting on your specific device, is set.
ip flow-cache timeout active 1
For flexible Netflow the command may be like below:
cache timeout active 1
It is usually best to check with the device vendor for the exact command for your device.
Additional Information
Also see https://knowledge.broadcom.com/external/article?articleId=21623 for other common Netflow configuration errors.
Attachments
Feedback
