VMware Aria Operations for Networks (formerly vRNI) is used to monitor and analyze network flows in their environment. An intermittent issue is observed where some flows report inaccurately high byte counts, far exceeding actual data transmission.
For instance, for the same timestamp between 12:30 and 12:35, vRNI reported 4.5TB transmitted from VM-A to VM-B but the actual packet capture from VM-A to VM-B reported 470 MB with Wireshark which is much lower than reported in vRNI/AON.
Additionally, we can see the below warning in the nsx-syslog file in the ESXi logs where the VM impacted is running:
nsx-syslog.0:xxxx-xx-xxTxx:xx:xx.xxxZ nsx-exporter[xxxxxxxx]: NSX xxxxxxx - [nsx@6876 comp="nsx-esx" subcomp="agg-service" tid="xxxxxxxx" level="WARNING"] Actual num records (126991) exceeded max (100000). Retrieving only Inactive(590)/Drop(0) records.
vRealize Network Insight 6.x
Aria Operation for Networks 6.x
NSX-T 3.x
NSX 4.x
In NSX, the total flow records exceeded the 100K limit for one single VM, which is the maximum allowed by the exporter logic, resulting in-proper IPFIX flow record being reported from NSX to vRNI.
Workaround 1: Reduce the number of flows below 100k active/sessions for the VM impacted.
Workaround 2: Put that VM with 100k active/sessions in DFW exclusion list.