ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

NFA console displays lot of traffic for the fragment protocol

book

Article ID: 37235

calendar_today

Updated On:

Products

CA Network Flow Analysis (NetQos / NFA)

Issue/Introduction

Issue/Problem/Symptoms: 

The NFA console top protocol chart displays lot of traffic for the fragment protocol . 

No 630/631 protocol found in the netflow packets when analysing a wireshark capture .

Environment:  

NFA 9.3.3 on win2012 server .

Cause: 

The netflow config is wrong on the router : some fields are missing trigerring a wrong NFA parse of the netflow packets .

Wrong V9 netflow template used :

flow record WIS_FLOW_LAN
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport tcp source-port
match transport tcp destination-port
match transport udp source-port
match transport udp destination-port
match interface input
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last

Resolution/Workaround:

modify the netflow config on the router .

You must add the line :
match interface output

replace the lines :
match transport tcp source-port
match transport tcp destination-port
match transport udp source-port
match transport udp destination-port
by
match transport source-port
match transport destination-port

then reload this config

Wait 20 minutes
recheck the NFA console

 

 

Environment

Release:
Component: NQRAHV
Powered by Wolken Software