sFlow Sensor and L2TP traffic

Hello,

thank you very much for your KB-Post. Could you try updating to the newest version to see if that resolves the issue? If the newest version (14.2.9) isn't available for the auto-update you can download the software from the Customer Service Center. In order to access the download link to the newest version please log into your online account and download it there. Please use the email address the license is registered to and your password to log in here: https://service.paessler.com/en/login/

Once you have downloaded the newest version there, you can install it directly over the version currently running.  The configuration and database will not be affected by installing the newer version over the old and the configuration is automatically backed up before this process.

best regards

Hi Torsten, thx for your reply. I updated to v14.2.9.1798 but after a couple of hours there's still no data showing up. I also deleted and recreated the sensor - still no luck.

Can you think of something else? I'm pretty sure I tried everything .. Thx again, Marcus.

To test if proper and compatible SFlow packets are arriving at the PRTG host, please use our SFlow Tester

Which results do you get in the tester? Please forward a screenshot or the logs from the tester.

Torsten,

nothing is being recorded in the sFlow Tester. I guess that means the switch is not sending sFlow version 5 data (??).

Thx - M.

It probably sends sflow that is not compatible to what PRTG expects. If you could upload a screenshot showing the results on the Tester, we may be able to say where exactly it fails.

Torsten, my apologies for the late reply - got sidetracked with other things.

I can certainly upload a screenshot, but as I said, nothing is displayed (just an empty screen). Can you confirm that PRTG is able to capture L2 traffic via sFlow?

Thx - M.

That most likely will mean the Sflow-Packets your device sends, are not compatible to PRTG.

Torsten - I would agree with that statement if I wasn't getting any data at all, but that's not the case - I am getting data, just not all of it.

I confirmed with Dell (which took a lot longer than it should...) that the switch does implement sFlow v5.

I reiterate my question: Can you confirm that PRTG is able to capture L2 traffic via sFlow?

Thx - M.

Layer2 traffic is not monitored by PRTG.

Torsten, I did a Wireshark capture and the switch is indeed sending the sFlow samples for the L2TP/IPSec traffic.

I compared one of these packets to another sFlow packet that is being recorded correctly in PRTG and can find no differences - other than the obvious (different protocols contained in the sampled packets).

Can I send you a screenshot of the L2TP flow sample and could you look over it why PRTG would not "understand" this sample?

Thx in advance - M.

I apologize, I just saw that my last response missed the crucial not. Layer2 traffic is not monitored by PRTG.

Hello,

I am having the same issue. We are trying to monitor and report on L2L IPSEC traffic, which is Layer 3 IP with protocol 50 (ESP). Packet captures display endpoint IP addresses, but nothing is displayed in PRTG channel. Is ESP tunnel mode considered Layer 2? It is encapsulated in Layer 3 IP.

Sorry, the sensor does not see the encapsulated Layer3 information, because it already disregards the Layer2-Packets.

This is too bad. I setup another Sflow collector to match Protocol 50 with the endpoint IP, and it records the data. I attempted using the channel definition of ((Protocol[50] and (SourceIP[x.x.x.x] or DestinationIP[x.x.x.x]), but it still did not record the same data as the other collector.

Then most likely the incoming traffic does not match the definition here. You can enable the stream logging on the Sflow-Sensor for all traffic to get the full details on the incoming traffic and help with such filter definitions.