Instance 0 issue

Scrutinizer is an enterprise/business class NetFlow and sFlow analysis tool. Scrutinizer provides historical trends of the company's critical network interfaces as well as the details on:

Who: The end system causing the traffic
What: The application/protocol that is being used
When: The time frame it has been occurring for
Where: The network connection that is affected

Moderators: scottr, Moderator Team
nomaxpi
Posts: 1
Joined: Wed Oct 16, 2013 2:05 pm

Instance 0 issue

Post by nomaxpi » Wed Oct 16, 2013 2:33 pm

Hi,

I set up Scrutinizer a few days ago and noticed all my devices show an Instance 0 interface. It shows a fairly large amount of volume from the interface list in the status window; however, when I click on the interface to view a report, nothing shows up. I also looked at the raw flows and it shows nothing as I would expect.

This is happening on all devices I send flows from ....

Nexus 7010
Riverbed Steelhead 6050
Cisco 2900

All v9 NetFlow

Specifically the Riverbeds show in and out traffic whereas the Ciscos are only showing inbound traffic on instance 0. Also the Riverbeds appear to show incorrect interface names and associated flows/traffic.

Any help sorting out the Riverbed issues would be great!

Thanks

dalet0
Posts: 77
Joined: Mon May 17, 2010 11:52 am
Location: Biddeford, ME

Re: Instance 0 issue

Post by dalet0 » Wed Oct 16, 2013 4:56 pm

Hi Max,

As per our phone conversation.

Instance 0 aggregates communication with the device itself or all traffic that cannot be associated with a specific interface.

Also based on the raw flows, we determined that Scrutinizer was interpreting the data correctly, and that a possible fix to the issue would be to configure the Steelheads to use transparent mode so that flow packets would be forwarded with the necessary interface information.

I also pointed out disabling "top talkers".

Please let us know if this worked for you.

Danny

mkrygeri
Posts: 97
Joined: Tue Aug 02, 2005 9:47 am

Re: Instance 0 issue

Post by mkrygeri » Wed Oct 16, 2013 5:24 pm

Generally, instance 0 means traffic to the local device; however, this can also be caused by bugs in certain devices. This will also occur when there are "middlebox" functions such as WAAS.
If you do a bidirectional report specifically for interface 0, does this traffic appear to be wrong?
Sometimes your interface will be listed but there will be no inbound traffic shown due to the interface 0 problem. If you switch to "outbound" on the interface, do you see traffic?

There are a lot of things that could be happening here. Some more details may help me figure this out for you.


Are all your interfaces doing this or is it just a few?
Is the traffic in question destined to the routers themselves?
When you look at outbound on the same interface, do you see data?
If so, is the source interface 0 on the outbound data?
What does a report look like when you choose only interface 0?


Thanks,
Mike K
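
The raw-flow check discussed in this thread, as an added example that is not part of the original posts and not Scrutinizer code: it decodes a NetFlow v9 export packet and sums bytes per input and output interface index, so records exported with index 0 stand out. The function names and the sample packet are constructed for illustration; the field type numbers are the standard v9 ones, and counting a record with no interface field as 0 is an assumption.

```python
import struct
from collections import Counter

IN_BYTES, INPUT_SNMP, OUTPUT_SNMP = 1, 10, 14  # NetFlow v9 field type numbers

def parse_v9(packet, templates):
    """Yield {field_type: value} for each data record in one v9 export packet."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not NetFlow v9")
    offset = 20  # fixed v9 header length
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + fs_len]
        pos = 0
        while fs_id == 0 and pos + 4 <= len(body):  # template flowset
            tid, count = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * count > len(body):
                break  # padding or truncated template
            templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(count)]
            pos += 4 + 4 * count
        fields = templates.get(fs_id, [])  # data flowsets use ids >= 256
        rec_len = sum(flen for _, flen in fields)
        starts = range(0, len(body) - rec_len + 1, rec_len) if rec_len else ()
        for start in starts:  # trailing padding shorter than a record is ignored
            rec, pos = {}, start
            for ftype, flen in fields:
                rec[ftype] = int.from_bytes(body[pos:pos + flen], "big")
                pos += flen
            yield rec
        offset += fs_len

def bytes_by_instance(records):
    """Sum IN_BYTES per input/output ifIndex (assumption: missing field counts as 0)."""
    inbound, outbound = Counter(), Counter()
    for r in records:
        inbound[r.get(INPUT_SNMP, 0)] += r.get(IN_BYTES, 0)
        outbound[r.get(OUTPUT_SNMP, 0)] += r.get(IN_BYTES, 0)
    return inbound, outbound

def build_sample():
    """Constructed packet: one template (id 256) and three data records."""
    tmpl = struct.pack("!HH6H", 256, 3, INPUT_SNMP, 2, OUTPUT_SNMP, 2, IN_BYTES, 4)
    rows = [(3, 4, 1500), (0, 4, 9000), (3, 0, 400)]  # (in ifIndex, out ifIndex, bytes)
    data = b"".join(struct.pack("!HHI", *r) for r in rows)
    header = struct.pack("!HHIIII", 9, 4, 0, 0, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Calling `bytes_by_instance(parse_v9(build_sample(), {}))` returns the inbound and outbound byte counters keyed by interface index; key 0 in either counter is the volume that a collector would attribute to instance 0.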