Troubleshooting the integration between UIM and NFA (NetFlow Analysis) can be difficult; this document attempts to shed some light on the integration workflow and provides logical steps for troubleshooting.
The integration between UIM and NFA relies on a single probe called nfa_inventory. This probe connects to the NFA console and provides information to UIM Discovery about the interfaces which are monitored by NFA.
Unlike many "gateway" probes, the nfa_inventory probe does not provide any QoS data related to NetFlow - it simply publishes the inventory of interfaces, using probe_discovery messages on the bus, for consumption by the discovery_server.
The data, in turn, is not gathered or stored in the UIM database; the USM portlet in UMP collects and displays the Flow data in real-time by communicating directly to the NFA Console and retrieving the current data. The USM communicates with the nfa_inventory probe to retrieve the location of the NFA console.
The process can be described as follows:
1. The nfa_inventory probe is deployed in the environment and configured to connect to an NFA Console server.
2. The inventory data regarding the interfaces monitored by NFA is submitted to UIM discovery.
3. The discovery_server, if applicable, correlates the interfaces to existing network devices in the inventory.
4. When USM initializes, the portlet performs a get_info callback vs. the nfa_inventory probe; the results of this callback include the hostname/IP of the NFA Console server.
5. When a user selects an interface in USM, a lookup is performed internally to determine the appropriate interface ID to use when querying NFA.
6. The USM portlet contacts the NFA Console directly and performs a SOAP request for the relevant Flow data for the interface in question.
7. The NFA Console returns an XML report in response to this request.
8. The report data is converted to charts/graphs and displayed in USM.
It is important to understand this process/workflow in order to effectively troubleshoot the integration; a failure anywhere along this path will ultimately yield the same result, which is that Flow data will not appear in USM whatsoever. Unfortunately, due to the nature of the integration, very little information is available in the logs to assist with troubleshooting efforts, so it is usually necessary to manually inspect all the moving parts of the integration to ensure proper configuration and connectivity.
The very first step is to examine the wasp.cfg and look at the <ump_common> section. There should be a configuration key here called "nfa_inventory" with the full UIM address of the nfa_inventory probe (e.g. /MyDomain/MyHub/hubrobot/nfa_inventory). Make sure the address is correct here.
The next step is to ensure that there is connectivity between the following endpoints:
For testing connectivity between USM and nfa_inventory, first determine the IP and port that nfa_inventory runs on, from the perspective of the UMP server. To do this, follow these steps:
1. On the UMP server, highlight the controller probe in Infrastructure Manager or Admin Console, and run the Probe Utility (CTRL+P in IM, or select it from the menu in Admin Console.)
2. Run the callback "nametoip" and provide the full UIM Address for the nfa_inventory probe as seen in the wasp.cfg, e.g. /MyDomain/MyHub/hubrobot/nfa_inventory
3. An IP and port will be returned by the callback, e.g. 10.1.23.100:48009
4. Ensure that you can telnet from the UMP server to the given IP/port combination. You can also open a Web Browser to http://(ip):(port) and verify that the browser attempts to connect indefinitely. If you receive a "connection refused" or "timed out" message, this generally indicates that a firewall is blocking this connection. The browser should simply stay at "connecting...." for an indefinite amount of time.
The USM must be able to connect to the nfa_inventory probe's IP/port in order to obtain the NFA Console location, so this connectivity must be allowed.
For testing connectivity between USM and the NFA Console, simply ensure that you can telnet from the UMP Server to port 80 on the NFA Console Server, or open a browser directly on the UMP server and ensure that you can connect to the NFA Console webpage. The USM makes SOAP calls directly to the NFA Console on port 80 to retrieve report data, so this connectivity must be allowed.
If you have verified that this connectivity is allowed, but Flow data is still not present in USM, the next step is to ensure that USM recognizes the interfaces in question as being associated with NFA.
To do this, you will need to enable the USM Debugger.
1. Launch USM and click anywhere in the USM window to make the flash application active.
2. Press CTRL and forward slash ( / ) on your keyboard simultaneously.
3. A debugger window will appear with the names of several methods which can be debugged. Scroll down all the way to the bottom and locate the "search" method.
4. Once you locate the method, enable the XML debugging by selecting the third "bug" icon from the right, as seen here:
Close the debugger window and then navigate to a device for which you expect to see flow data - select an appropriate interface and navigate to the 'Advanced' tab.
At this point, a green bug icon should appear in the upper right corner of USM. Click this icon and a window will pop up showing the debug traces.
In this window, double-click the method "searchForInterface" to bring up the XML output. Copy/paste this to a new window (e.g. Notepad) for ease of searching.
Search through the output and ensure that you see the following contained within the <iface> section:
If you do not see this, that most likely indicates that there is a discovery correlation problem - the interface you are viewing in USM has not been properly correlated with the device published by the nfa_inventory probe, and therefore USM does not know it should be querying NFA for the data.
The most common cause of this is that the network device in question has already been published by a different probe - most likely snmpcollector or discovery_agent - and the original device has a different origin than the nfa_inventory probe. It is important that the origins match in order for correlation to occur - the snmpcollector, nfa_inventory, and appropriate discovery_agent must all be published from the same UIM origin.
If you do see this, but still do not see any data in USM, the next step is to verify that you actually have data in NFA. If you've gotten this far, and everything checks out, but no data is displayed, it's very likely that there is no current data in NFA for the same interface. Locate the interface in NFA and ensure that the graphs are populating correctly.
Important Note: When you are finished debugging, make sure to bring up the USM Debugger again and disable the debugger that was enabled before. This will prevent the green bug icon from constantly appearing in USM.