In vRNI - I am just trying to find traffic from a particular IP address in the last 24 hours.
For example:
flow where Source IP Address = 12.68.2.77
Even though I know from firewall logging that this traffic came into NSX - my vRNI query
fails to see anything. Is my query malformed?
Thank you.
Hi,
Your query is valid and should produce results. Does your vRNI have flow data? If you only type in 'flows' - does that get results? The search bar should also auto-complete the available IP addresses. If that autocomplete doesn't show the IP, it's not in the vRNI database.
If you do have flow information, maybe the IP address is translated somewhere out of reach of the flow info?
I typed in simply "flow" and it returned 67000 flows. I think you may be right that flows are not enabled
on some edges but are on others. How can I determine if flows are enabled? I am particularly interested
in flows to the vServers of a particular edge/load balancer. Thank you.
VRNI data sources part, vDS switches are selected as well as physical switches individually per Vcenter. During the installation and initial configuration, the vDS switches are selected, so is it possible that some Edges are connected to another dVS as Edge vDS and these are not selected enabled for Netflow connection?
Also based on Pools, NSX Edge Load Balancer Transparent mode selection could be important, by default NSX edge creates another flow to the Pool Members using its own internal IP, so on VRNI filtering the source IP of the Load balancer may show additional flows for these non-transparent Pools.
Transparent indicates whether client IP addresses are visible to the backend servers. If Transparent is not selected (default value), backend servers see the traffic source IP as a Load balancer internal IP. If Transparent is selected, source IP is the real client IP and NSX Edge must be on the path of the server response. A typical design is to have the server default gateway be the NSX Edge.
These links could be helpful
https://thewificable.com/2017/09/20/installing-vrealize-network-insight/
On the Accounts and Data Sources page click Add source again in the upper right-hand portion of the web page. Next you want to enter the NSX Manager as a data source. Follow the prompts to add the NSX Manager(s) to vRNI. Select the additional options: