Why is Data in NFA is showing 1/10th, 1/100th, or 1/1000th of what it should be showing?

Document ID : KB000006252
Last Modified Date : 11/04/2019
Show Technical Document Details

NFA is showing data far less than expected.  For example data may be displayed as 1/10th, 1/100th, 1/1000th of what SNMP Statistics show.  

For example a report may be showing data rates in the kbps range when it should be in the mbps range.

NFA 9.3.6 and Later

This can occur when a router is using a Sampling Rate when sending Netflow, meaning it sends 1 out of every x number of flows.  If NFA does't detect the sampling rate properly, data will be displayed as far less then expected.  Later Cisco IOS version adjusting their sampling rate format so that it was not detected by NFA.  

  • If you are running NFA 9.3.3 or earlier, you can upgrade to 9.3.6 in which several enhancements have been made to detect the Netflow Sampling rate using the new format Cisco uses.  Before upgrading to NFA 9.3.6, please review the NFA 9.3.6 Upgrade Guide.



  • If the sampling rate is still not being detected in NFA 9.3.6 you can manually set the sampling rate in the Harvester.routing_engines table using commands like the example below on the Harvester server.  The example below uses 1000 as the sampling rate and as the router address.  Once it is set, you will have to recycle the CA NFA Harvester service for the change to take effect. 

mysql harvester

update routing_engines set samplerateoverride=1000 where routerid in(select routerid from routers where inet6_ntoa(router)='');