Every once in a while we get a customer complaining about overstated or understated utilization in their reports. This is something no one should ever put up with.
There are a number of different reasons that NetFlow can become overstated; here are a few things to check:
* Is the interface speed correct? Our Free NetFlow Reporting tool displays percent utilization using the ifSpeed gathered via SNMP. It can also be manually over written. Make sure you verify the ifSpeed.
* Are your circuits burstable?
* Is there any non-IP traffic on the network (e.g. IPX, broadcasts, etc.)?
* Are you exporting duplicate flows? With the introduction of Flexible NetFlow, this is easy to do.
* Is the active timeout on your NetFlow exporters set correctly?
I had a customer send me the message below after chasing over stated utilization for weeks. He had numerous technical support calls with us and Cisco. We eventually did a packet capture and noticed duplicate flows in the capture. In other words, the flows were being exported twice to the same NetFlow Analyzer.
“Hi, Paul. The duplicate flow issue was ‘corrected.’ Not that I believe in coincidences, but the duplicate flows stopped the day after I talked with my WAN provider about whether or not they were doing anything that might cause this. They claim they did nothing to fix…”
If you are using our NetFlow Collector and need help resolving this issue, give us a call at 1-207-324-8805.
