Hello,
The NTA and NBA Server components should both be deployed once at least - and they can also be deployed to subordinate NTA servers that can offload some of the work capturing flows and analyzing the data. That is why there is a second copy of these components in the "Undeployed" state. You could install DMA on a subordinate server and then "Deploy" these components to that system as well. Please ignore these entries when you do not need them.
The respective non-server components (Network Traffic Analyzer and Network Behavior Analyzer) can only be deployed on the master server, and are responsible for storing your NTA/NBA configurations and related information.
In summary, you should have 4 deployed components for NTA/NBA:
- 1x Network Traffic Analyzer, 1x Network Traffic Analyzer Server
- 1x Network Behavior Analyzer, 1x Network Behavior Analyzer Server
IMC installation always has two steps to get a component running - "Install" and "Deploy". Make sure you have one of each of these components in the "Deployed" state in DMA. "Installed" but "Not Deployed" means that the files needed to "Deploy" the component were installed on the master server, but they will not run anything until they have been "Deployed" somewhere.
Components/Modules can be deployed by right-clicking on them in Deploy tab of DMA, and selecting "Deploy" or "Batch Deploy" (for multiple at once)
Please see here for overall NTA documentation. Filter for Configuration Examples and you will find a lot of guides on how to configure NTA and sFlow/NetStream/NetFlow accordingly for NTA.
See for example: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c05240898&withFrame
Justin
Working @ HPE
Hello,
Can you please describe the devices and configuration in more detail? What flow protocol are you setting up, and what configuration was done to set it up on the device?
Troubleshooting starts by doing a Wireshark packet capture on the server where NTA is deployed, and verifying that the traffic flow packets arrive on the NTA server in the first place. If it's clear that they arrive, the next step is to check the NTA configurations and make sure it was configured in an appropriate way for the protocol you are using.
Justin
Working @ HPE
Hello,
Please make sure you apply the proper filtering on Wireshark. It would be best to filter for the port you are using for sFlow, so the filter for sflow on default port would be: udp.port eq 6343
This should show you some sFlow packets arriving. If they are not decoded properly by Wireshark, make sure to right-click one of the packets and select "Decode As", then change the "Current" field to SFLOW and save.
I don't think the Baseline/Threshold settings are causing issues here. These settings and more can be enabled/disabled via NTA Settings > Parameters.
Note that when adding the device to NTA, you do NOT need to specify "sFlow Settings" to Enabled for the device - this is optional to have IMC configure sFlow on various ProCurve/ArubaOS models. It will still recognize sFlow from the device when this setting is Disabled.
Also make sure that your NTA Server configuration has the sFlow port configured and the device selected further down on the page.
(See also https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c05240898&withFrame on page 5 & 6)
Justin
Working @ HPE
Hello,
If you don't see any traffic arriving on 6343 or otherwise from the devices, please check if Windows Firewall/other Firewall on the IMC Server or in between IMC and Device permits the port.
You should also verify the device is configured properly with show/display sflow commands.
Here is an example from ProCurve output along with my comments behind //
show sflow agent
SFlow Agent Information
Version : 1.3;HP;A.15.16.0021
Agent Address : 192.168.0.15 // this is the IP configured for the sFlow agent, it should match the management IP for IMC
Source IP Selection : Outgoing Interface // source-IP selected here based on routing table, could be set manually, it should end up using the interface of the Agent Address above to reach IMCshow sflow 1 destination
SFlow Destination Information
Destination Instance : 1
sflow : Disabled // sFlow is disabled on my switch, it should show 'Enabled' for you
Datagrams Sent : 0 // Some datagrams should be sent if it is working on the device
Destination Address : 0.0.0.0 // This should match the IP address of the IMC server
Receiver Port : 6343 // This should be 6343, or IMC NTA Server settings need to be reconfigured
Owner :
Timeout (seconds) : 0
Max Datagram Size : 1400
Datagram Version Support : 5If it still doesn't work, can you share this output from your ProCurve/ArubaOS switch?
Justin
Working @ HPE
Hello,
NTA "Add Device" with the sFlow Setting Disabled generally means that you do not need NTA to configure sFlow for you on the devices. Enabled implies that when you deploy the server (on the Server Settings, checking the box for the device and clicking Deploy) with the device, it will attempt to use SNMP SET to configure an sFlow instance on the device. This only works on some device models that support it and is normally not required to get sFlow working.
Please ignore FTP Username and Password. This is not necessary here, and would require that you install and configure a third-party FTP Server (such as FileZilla) on the IMC server, then configure a folder and username + password, that you will enter here. FTP is only needed when you are using the NTA Probes, which are essentially a software that can be used to capture mirrored traffic on a network where it is not possible to use sFlow or NetFlow/NetStream. Otherwise it can be left blank.
Your sFlow configuration looks fine based on your output. Although you are using the NetStream port 9020 instead of 6343 for sFlow on Comware and that is unusual. As for the ProCurve, could it be that sFlow is not enabled with the correct IP to reach IMC? Datagrams sent = 0
Here are sample CLI Scripts for sFlow configuration on ProCurve and Comware 5 switches that could be used in IMC (Configuration Center > Configuration Templates > Add CLI Script). Variables added where appropriate. If running the commands manually, please manually replace all variables like ${agent-ip} below.
Comware 5:
sflow agent ip ${agent-ip}
sflow collector ${collector-id (1-3)} ip ${nta-ip} description imcserver
interface ${interface (like G1/0/3 or Ten2/0/4)}
sflow flow collector ${collector-id (1-3)}
sflow sampling-rate ${sampling-rate (1000-5000)}
sflow counter collector ${collector-id (1-3)}
sflow counter interval ${counter-interval (in seconds, 2-86400)}
quitProCurve/ArubaOS:
configure
sflow ${collector-id (1-3)} destination ${nta-ip} 6343
sflow ${collector-id (1-3)} sampling ${sample-interfaces (enter the port range or 'all')} ${sampling-rate (50-16441700)}
sflow ${collector-id (1-3)} polling ${polling-interfaces (enter the port range or 'all')} ${polling-interval (in seconds, 20-2147483647)}
You could try deploying these on your switches as needed and see if that helps. The Comware template only includes a single interface but could be edited and expanded with more interfaces or interface-range as needed.
Justin
Working @ HPE