Why does my NFA stop displaying data for a router if it cannot be SNMP polled?

Document ID : KB000032785
Last Modified Date : 14/02/2018
Show Technical Document Details

Question: 

Why does my NFA stop displaying data for a router if it cannot be SNMP polled?

 

Answer

You may notice that a device in NFA, despite not being able to be SNMP polled, will display data for a period of time and then all of sudden stop displaying data.  This can happen when NFA detects that a router has been rebooted, and NFA is unable to poll it.  NFA will think the router has been rebooted when it sees a reset in sysuptime as found in the NetFlow data, or if it sees a reset in Flow Sequence.  

When NFA detects a reboot it will will set routers into a 'RebootRefresh' state in the poller.routers table and trigger and SNMP poll.  If that poll is successful the device will still collect and display data.  If the poll fails, the Harvester will discard all flows for this device until it has a successful SNMP poll.

You can determine if a router is in this state by running the query below on your harvester:

mysql -P3308 -D poller -t -e "select state from routers where address='x.x.x.x';"

If the output says "RebootRefresh", all flows will be discarded for this device.

NFA discards flows because it doesn't know if the ifindex values changed on the device after a reboot, without being able to SNMP poll the device.  If ifindex values change on a device and NFA is unaware there is the risk of mapping data to the wrong interface.  So instead flows are dropping

The best solution to this is to find out what is blocking SNMP polls from the NFA Harvester, to the device, whether it be the wrong profile in NFA, or ACL settings on the router.

There is a workaround if you absolutely cannot get SNMP to poll one or more devices, however it is a setting that will affect all devices on the Harvester where you make the change. There is a "ignoreReboots" setting in the harvester.parameter_descriptions table, which if set to "true" will essentially ignore the reboot sequence above and continue to collect data.  The risk you run is that if a router does reboot and new interfaces are added or changed, NFA will map data to the wrong interfaces or create duplicate interfaces.  The only fix from that point would be to delete the device and let it come back in clean to ensure it is mapped properly.  With that being said we highly discourage using this workaround unless you have no other choice and are will to accept losing data after a router reboot is detected.

To set the "ignoreReboots" setting to "true" run the command below on your Harvester:

mysql -P3308 -D harvester -t -e "update parameter_descriptions set defaultvalue='true' where parameter='ignoreReboots';"

Then recycle the "CA NFA Harvester" service.  Devices that have not already been put into the 'RebootRefresh' state will not go into that state.  Devices that already in that state should be deleted from the Admin->Enable Interfaces screen and allow them to come in fresh.