Traffic Monitor Reports Incorrect Values?

xcentric · Post by **xcentric** » Fri Feb 18, 2011 10:33 am

I'm scratching my head on this one.

I have several servers all with gig nics. My traffic monitor tests are all set to Mbits/sec. I believe that on a gigalan you cannot breach past 90% utilization because of tcp overhead. So about 900/Mbits/sec at full capacity.

Why does the monitr report numbers greater than this during a test. For instance my tests report around 1896 at full capacity? This number was reached by pulling an 8 gig file across the lan at around 90/MBytes/sec.

Under Options > Miscelaneous I have diplay traffic using Kbit/Mbit units.
Under my tests I have the monitors set for Mbits/sec as well.

I believe I am missing some vital information here. Please advise.

KS-Soft · Post by **KS-Soft** » Fri Feb 18, 2011 11:56 am

H'm, may be there is bug somewhere, in HostMonitor or remote SNMP agent

What version of HostMonitor do you use? Test it performed by HostMonitor or RMA?
What OS is installed on target servers? Service Pack?

Regards
Alex

xcentric · Post by **xcentric** » Fri Feb 18, 2011 2:20 pm

HM 8.82 is installed on Server 2008 R2.
I understand now that it is recommended to install on 2003 SP2. Until now I havent had any issues with running on 2008 R2.

Test was performed by HM local agent against its own nic.

As for the other servers they had some history before I changed them from kb to mb. Forgot that resetting statistics doesnt reset history. For that you have to do an export import/replace. They read correctly now that I got rid of the history. I will continue to monitor though.

I guess the moral of the story here is to use the software as instructed. I got caught up in testing that i failed to realize that why would HM be written to monitor its own nic. End users do weird things.

Sorry Alex.

KS-Soft · Post by **KS-Soft** » Fri Feb 18, 2011 3:01 pm

As for the other servers they had some history before I changed them from kb to mb. Forgot that resetting statistics doesnt reset history. For that you have to do an export import/replace. They read correctly now that I got rid of the history. I will continue to monitor though.

So "too_big_value" was displayed by history charts, not log records?
H'm, I think "Kbit->Mbit" option changing should not lead to such problem.
While "KB/min -> KB/sec" or "Mbit/min -> Mbit/sec" option change may lead to inacuracy in historical data... or if you change network interface for the test.

Sorry Alex

No problem

Regards
Alex

xcentric · Post by **xcentric** » Fri Feb 18, 2011 8:54 pm

Allright maybe I'm not crazy.

I have an agent v4.12 inside a clients network. The agent is installed on server 2003 x64 SP2. The client has 2 t's bonded to make a 3mb pipe.

HM is installed like I mentioned before on 2008 R2.

Have 3 traffic test for the agent pointed to their firewall. This morning I did an export/import/replace to get rid of the history.

As stated before both options > misc > traffic is set to Mbit units and traffic test properties is set to Mbits'sec as well.

Here are the max results thus far:
Traffic in/out WAN1 = 1792
Traffic in WAN1 = 12069
Traffic out WAN1 = 2 (This seems normal.)

The normal idle reply's for the three tests show 0.01 Mbit.

KS-Soft · Post by **KS-Soft** » Tue Feb 22, 2011 8:14 am

We cannot reproduce the problem

May be RMA cannot retrieve information from SNMP Agent using 64bit counters so it tries to use 32bit counters that cannot provide accurate information about GBit interface.

When you setup Network Traffic test and open "Choose network interface" dialog, do you see message like "64bit supported: No" in this dialog below "Get info" button?

Or perhaps you have specified "SNMP v1" protocol in SNMP profile selected for this test? Then HostMonitor/RMA requests 32bit counters instead of 64bit counters.

Regards
Alex

xcentric · Post by **xcentric** » Tue Feb 22, 2011 10:52 am

it tries to use 32bit counters that cannot provide accurate information about GBit interface.

The WAN interface's link is 100mb from a hardware firewall SonicWALL TZ100.

When you setup Network Traffic test and open "Choose network interface" dialog, do you see message like "64bit supported: No" in this dialog below "Get info" button?

64-bit counters are supported. It reports yes.

Or perhaps you have specified "SNMP v1" protocol in SNMP profile selected for this test? Then HostMonitor/RMA requests 32bit counters instead of 64bit counters.

The SonicWALL TZ100 supports snmp v1 and v2c. We are using the default HM credentials profile supplied when adding the traffic test which is set for snmp v2c.

I am puzzled by this. I also have a SonicWALL (different model) on my business network that also is reporting crazy numbers like in=22795, out=23918, in/out=49461.

My business SonicWALL is a local test and the clients SonicWALL is an agent test. So it would appear that it doesnt matter whether the test is by HM or an agent. I am also using the latest firmware for the firewall and the client is not.

What about the traffic tests running every 5 seconds? Would that create an issue?

xcentric · Post by **xcentric** » Tue Feb 22, 2011 11:25 am

Alex,

I found something that might be of interest. I decided to pull some logs to see what values are being reported.

images removed

What is shown is from a days worth of a log file and the only instance during that day that the monitor spiked this high. You can see why this would be screwing with the histors reports.

KS-Soft · Post by **KS-Soft** » Tue Feb 22, 2011 11:31 am

I do not see images.
You may send them to support@ks-soft.net.

Regards
Alex

KS-Soft · Post by **KS-Soft** » Tue Feb 22, 2011 12:04 pm

Statuses: Ok, Ok, Ok, Host is alive...
----------------------------------
This looks like device resets its system time or returns wrong counter for in/out packets, e.g. it returns 500000 and then just 1000 so HostMonitor thinks device was rebooted. Normally this is not a problem because then all counters starts from 0.

Could you setup SNMP Get test to check sysUpTime, OID 1.3.6.1.2.1.1.3.0 and record all results into log (Full logging mode)?

Regards
Alex

xcentric · Post by **xcentric** » Tue Feb 22, 2011 12:45 pm

Ok, I created 2 snmp get sysUpTime tests one per firewall with full private logging.

I calculated the current uptime values using this calculation
Converting time ticks to days = ((((sysUpTime Value /60 seconds )/60 minutes )/24 hours )/100 ticks per second) = number of days.

Firewall 1 sysUpTime = 173567049 = 20.08877881944444 Days
Firewall 2 sysUpTime = 56280186 = 6.513910416666667 Days

So if the log images I sent were from yesterday and the uptime has not been reset what does this mean? Would restarting HM or the agent have this effect?

KS-Soft · Post by **KS-Soft** » Tue Feb 22, 2011 4:33 pm

So if the log images I sent were from yesterday and the uptime has not been reset what does this mean?

If update and traffic counters on device were reported correctly all the time, this means there is some error in HostMonitor code that we do not see.

Would restarting HM or the agent have this effect?

Restart would generate "Host is alive" status for all traffic monitor tests, not one test at 11:26 another at 11:35. Also this should not lead to wrong traffic results.
Also its pretty easy to check HostMonitor system log and see if HostMonitor was restarted or not.

Regards
Alex

xcentric · Post by **xcentric** » Mon Mar 14, 2011 10:12 pm

Just following up here.

Got some new values since resetting the history. Crazy I tell you.
There is a time pattern here. I am still investigating. No response neccessary.

The following was taken from a 24 hour period. Notice that is happens at the same minute but different hours.

3/13/2011 12:51:50 AM Ok 0.03 Mbit
3/13/2011 12:52:00 AM Host is alive
3/13/2011 12:52:05 AM Bad 45432.24 Mbit
3/13/2011 12:52:12 AM Ok 0.01 Mbit
6 Hours Later
3/13/2011 6:52:07 AM Ok 0.02 Mbit
3/13/2011 6:52:15 AM Host is alive
3/13/2011 6:52:21 AM Bad 44658.27 Mbit
3/13/2011 6:52:27 AM Ok 0.10 Mbit
3 Hours Later
3/13/2011 9:52:13 AM Ok 0.01 Mbit
3/13/2011 9:52:21 AM Host is alive
3/13/2011 9:52:27 AM Bad 48366.18 Mbit
3/13/2011 9:52:33 AM Ok 0.03 Mbit
2 Hourd Later
3/13/2011 11:52:16 AM Ok 0.02 Mbit
3/13/2011 11:52:25 AM Host is alive
3/13/2011 11:52:31 AM Bad 49182.75 Mbit
3/13/2011 11:52:37 AM Ok 0.10 Mbit
3 Hourd Later
3/13/2011 2:52:23 PM Ok 0.03 Mbit
3/13/2011 2:52:31 PM Host is alive
3/13/2011 2:52:37 PM Bad 46895.19 Mbit
3/13/2011 2:52:43 PM Ok 0.02 Mbit
2 Hours Later
3/13/2011 4:52:26 PM Ok 0.01 Mbit
3/13/2011 4:52:35 PM Host is alive
3/13/2011 4:52:41 PM Bad 43545.61 Mbit
3/13/2011 4:52:47 PM Ok 0.01 Mbit
3 Hours Later
3/13/2011 7:52:32 PM Ok 0.02 Mbit
3/13/2011 7:52:41 PM Host is alive
3/13/2011 7:52:47 PM Bad 47489.87 Mbit
3/13/2011 7:52:53 PM Ok 0.01 Mbit
2 Hours Later
3/13/2011 9:52:37 PM Ok 0.02 Mbit
3/13/2011 9:52:45 PM Host is alive
3/13/2011 9:52:51 PM Bad 43983.90 Mbit
3/13/2011 9:52:57 PM Ok 0.01 Mbit
1 Hour Later
3/13/2011 10:52:39 PM Ok 0.01 Mbit
3/13/2011 10:52:47 PM Host is alive
3/13/2011 10:52:53 PM Bad 44431.19 Mbit
3/13/2011 10:52:59 PM Ok 0.10 Mbit

KS-Soft · Post by **KS-Soft** » Tue Mar 15, 2011 11:06 am

What values were reported by that additional SNMP Get test (OID 1.3.6.1.2.1.1.3.0) at the same time?
=================
3/13/2011 12:51:50 AM
3/13/2011 12:52:00 AM
3/13/2011 12:52:05 AM
3/13/2011 6:52:07 AM
3/13/2011 6:52:15 AM
3/13/2011 6:52:21 AM
....
=================

Regards
Alex

xcentric · Post by **xcentric** » Tue Mar 15, 2011 4:45 pm

I'm sorry. I'm not following what you are asking.
What SMMP Get test are you refering to?