Nagios Support Forum

I'm running a NA demo (new fiscal year coming up looking to purchase a Netflow Analyzer). I have a single source (Sonicwall NSA 3500 reporting via netflow v9) and all my reports are showing "100% other". These are the default reports and I've been running the Demo for about 2 weeks now just collecting data. For one day (Yesterday) reports worked, but when I checked today all the reports were back to not working. The bandwidth graph is working. Time on the server is correct, tcpdump shows that data is making it to NA, and everything as far as permissions are stock (using the appliance). This is the second time I've fired up the Demo and I've had issues both times, first time I was too busy to put in a ticket but after the conference I decided to give it another shot. Help?

I have seen this issue, when the source was stopped. It takes some time for graphs to reappear after the source has been started. I am not sure if this is what's happening in your case...

Can you show us what do you see under the "Summary" tab?

I am also evaluating the product and having the same issue. Only seeing the bandwidth graph. One source has been running now for around a week and still no reports, queries or views.

The two sources are a cisco wireless controller and a cisco 7k both are running v9 flows.

Do you see data on the Home dashboard under the "Traffic last 30 minutes" for this particular source?

Yes there is data.

See attached file.

I ended up remaking the source. Waiting for data to start populating now. Can you give me any insight on how long I should expect to wait for reports to show up? The last two times I did this is took upwards of a week... I remade the source at 8:40am this morning.

The last two times I did this is took upwards of a week... I remade the source at 8:40am this morning.

It usually takes no more than 10-20 minutes... Do you see any "updates" (changes) in the "Traffic last 30 minutes" and "Disk Usage" fields under the main dashboard after remaking the source? What the hardware like on your Nagios NA server (hdd, cpu, ram)? Is this a physical box or a VM?

Not ideal but its running as a VM on a Dell Workstation: T1700, 4 core i7-4770 @ 3.40GHz, 8GB RAM, single 500 GB 7200 rpm disk. VM has 2 vCPU's, 2048MB of RAM, and 60GB of storage on it. We'll be moving this to the production cluster as the T1700 is needed soon so perhaps performance will improve then...but the VM doesn't seem like its having any performance issues and the utilization on NA is basically 0. I'm demoing Log Server on the same machine (obviously different VM) and its chugging along just fine.

TCP Dump on the machine "tcpdump host 192.168.0.2 and port 2055" TOP Firewall is sending flows to 0.70 on port 2055 NA is listening on 2055 but says it hasn't received any data so far today. I'll fire up a new VM on the production cluster with whatever resources you suggest to test it out there if you think its performance related.

Did some more digging, I do have data in my nfcapd files but not in the .current file.

-rw-r--r-- 1 nna nnacmd 1974 Nov 20 09:30 nfcapd.201411200925
-rw-r--r-- 1 nna nnacmd 276 Nov 20 09:35 nfcapd.current.15093
-rw-r--r-- 1 nna nnacmd 2043 Nov 20 09:35 nfcapd.201411200930

#> nfdump -r nfcapd.current.15093
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
No matched flows

#> nfdump -r nfcapd.201411200930
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
1969-12-31 19:00:00.000 0.000 0 xxx.xxx.xxx:7800 -> xxx.xxx.xxx:37445 1 66 1
1969-12-31 19:00:00.000 0.000 0 xxx.xxx.xxx:55999 -> xxx.xxx.xxx:1500 1 1500 1
...

I have scrubbed the Src IP and Dst IP but confirmed they are in our address space.

Some questions:

1. Why is the .current file empty?
2. Why is the "Date first seen" all the same date in 1969?
3. Why is this data not getting processed into flow data in NNA?

Click on the source in the web UI, then click on the "Edit" button, and show us a screenshot of this page. Also run the following commands from the CLI, and show us the output:
As for your questions, I will have to talk to our developers and get back to you.