Follow

Traffic Graph showing no traffic (0 Mbps)

The traffic graphs on the Cognito Brain are populated using the traffic data captured by the Sensors (or the capture interfaces on the Brain itself if operating in Mixed mode).

The traffic graphs are intended for use as basic health checks and therefore show a fixed duration.  For long term bandwidth monitoring or detailed traffic analysis SNMP or Netflow may be used to monitor the ports on the switch or tap aggregation solution providing the data stream.

There are a number of reasons an appliance may legitimately show no traffic in these graphs:

  1. The Sensor appliance is either newly paired or being updated.
  2. There is insufficient traffic arriving at the sensor to show on the graph.
  3. A vSensor is running on an unsupported hypervisor.
  4. The sensor is inoperable.

Newly paired or Sensors being updated

Newly connected appliances may take 5-15 minutes to upload the first traffic graph sample to the Brain.  Brain traffic graphs are updated every five minutes and Sensors will not upload traffic graphs while executing an update.

Check the 'Last Seen' time on the Traffic page and the Manage, Sensors page.  You should see this update every five minutes.

Insufficient traffic

The Vectra Traffic Monitoring page displays traffic in 1 Mbps increments, rounding down to the next whole integer of Mbps.  If the overall traffic received for any sample is less than 1 Mbps the traffic will display as 0 Mbps.

Screenshot_2019-04-15_at_12.49.08.png

Reception of traffic may be validated at the sensor CLI prompt (default credentials found in this article) using the 'show traffic stats' command:

vscli > show traffic stats

The statistics for each interface will be shown, including received packet errors, total packet count and interface state (up/down).  Traffic is being received if the Packets Received counter increments between command executions.

Low traffic rates may be normal depending on the network configuration and expected traffic throughput.  Low traffic rates may also be an indicator of a misconfigured SPAN port or tap aggregation system, therefore switch and tap aggregation configurations should be validated if traffic is not being received at the expected throughput volumes.

Unsupported Hypervisor configuration

vSensors have a specific list of requirements which must be followed for the vSensor to operate correctly.  In particular:

  • The minimum number of CPUs must be met.
  • The minimum RAM must be reserved in the hypervisor to prevent this RAM being allocated to other VMs.
  • The minimum disk space must be reserved for the vSensor.
  • The SSE4.2 and POPCNT instructions must be presented to the vSensor.  This restriction affects all vSensors though is enforced in release 4.11 and later, where the software will not operate if these instructions are missing.

Vectra has become aware of a feature in vSphere whereby vMotion is permitted across hypervisors with different CPUs by disabling certain CPU instructions individually on the VMs.

This feature is referred to as EVC (Enhanced vMotion Compatibility) and restricts CPU instructions on all VMs in a cluster to the minimum instructions supported on the oldest CPU in the cluster.  If any CPU in the cluster does not support SSE4.2 or POPCNT then all hypervisors in that cluster disable those features from all VMs causing all vSensors on that cluster to become inoperable.

Support for disabling EVC for individual VMs varies by vSphere version.  VMWare support should be contacted for the best method to achieve this for your version of vSphere.  Should you require any assistance from Vectra on this matter please do not hesitate to contact Vectra Support through the normal support channels.

Inoperable Sensor

Vectra finds that almost all Sensors being reported as inoperable are a direct result of misconfigured packet capture setups rather than an underlying issue with the Sensor.

Should a Sensor appear to be inoperable it is imperative that the above 'Insufficient Traffic' section is followed first to ensure that the packet capture configuration is correct and operating normally.

If the packet capture setup is correct and no traffic is observed on the Sensor the following information is extremely useful when contacting Vectra Support:

  • The serial number of the affect Sensor and paired Brain device.
  • Confirmation of whether the Remote Support VPN is enabled for the Brain device.
  • Details of the failure, including outputs of 'show traffic stats' and 'show system-health' from the Sensor console.
  • Details of any error messages logged to the console.
Was this article helpful?
0 out of 0 found this helpful

Download PDF

Have more questions? Submit a request

0 Comments

Article is closed for comments.