What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

What is the Active Flow Timeout in Flow sensors?

Votes:

0

I use the available flow sensors of PRTG to monitor traffic of various devices. For example, to measure bandwidth usage data on a Cisco router, I add NetFlow sensors. In the NetFlow sensor settings, there is an option Active Flow Timeout (Minutes).

I am not quite sure what this flow timeout setting means. How does the active flow timeout affect monitoring with jFlow and NetFlow sensors? Does the flow timeout value influence the sensor results?

active-flow-timeout error-code flow flow-timeout important jflow netflow pe083 sensors settings

Created on Oct 7, 2015 5:09:31 PM by Gerald Schoch [Paessler Support]

Last change on Jan 4, 2023 2:07:06 PM by Brandy Greger [Paessler Support]



6 Replies

Accepted Answer

Votes:

2

This article applies as of PRTG 22

The Active Flow Timeout and its effects

When you add a flow sensor of the type NetFlow v5, NetFlow v9, IPFIX, or jFlow v5 to PRTG (this does not apply to the sFlow sensor), no matter if you use the default or the custom flow sensor types, you will see the Active Flow Timeout (Minutes) setting. This field is required to be able to add a flow sensor and to monitor flows, so you have to understand what the active flow timeout actually is.

Usually, it is sufficient to enter an active flow timeout value in the sensor settings that is one minute greater than defined in the target device from where you want to measure the flows. So check the settings on the target device, look up the active flow timeout value, and enter a greater number into the active flow timeout field of your flow sensor. You do not have to try any other value than this, it works correctly in most cases.

Note: You might have to experiment with this setting only if your device does not stick to its own active flow timeout setting and sends data too late, for example. Also note that the NetFlow sensors of PRTG are designed to work with Cisco devices. Routers, switches, and other devices from other vendors where the implementation differs can also lead to issues with flow-based monitoring.

Flows and the Active Flow Timeout

Basically, a flow is a sequence of data packets that belong together (that is one data transfer, for example, one file) and that are sent between two devices in a network. With the active flow timeout setting, your device divides this flow into small pieces so that not all information of the flow needs to be sent at the end of data delivery.

For example, consider a 1-GB download within 60 minutes. This would be one flow with a volume of 1 GB after 60 minutes. The active flow timeout now segments this flow into several small flows. If the timeout is set to five minutes in the settings of the target device, this would result in 12 flows with 85 MB. The “small” flows are each delivered in 5-minute intervals.

This is what your device does as a result of its active flow timeout setting. PRTG needs to know this value to be aware that it can take this long until flow data arrives.

Active Flow Timeout and its meaning for PRTG

Consider the example with the 1-GB download within 60 minutes again.

Without the active flow timeout, PRTG would have already completed data processing for the preceding 59 minutes. PRTG would store and display the 1-GB data transfer as a whole after 60 minutes, the end of the transmission, because it cannot retroactively change any data. For example, this is exactly what happens when monitoring the Cisco ASA, because the ASA does not support active flow timeout.

With the active flow timeout of the router, the delay until data arrives at PRTG is the active flow timeout value at maximum, even if the delivery lasts longer. So PRTG could record the received volume in a timelier manner but still at the end of the interval of a separated flow.

This is where the active flow timeout setting of flow sensors in PRTG plays its important role. The Active Flow Timeout setting makes PRTG delay data processing for the respective flow sensor by the value you set for the active flow timeout.

With this approach, PRTG can record the received volume as close as possible to the time it is delivered. For example, if a flow sensor in the scenario above has a scanning interval of 60 seconds, the 5-minute flow will be consistently distributed over the last five measurements of the sensor.

Although this approach delays the data display in PRTG for this period of time because there might still be incoming data for this interval for which PRTG is waiting, it is the best option to show flow data as close to time-based reality as possible.

Active Flow Timeout value in PRTG

As mentioned above, in most scenarios it will be sufficient to have an active flow timeout value in the settings of a flow sensor that is set to one minute greater than the active flow timeout in the configuration of the monitored device. If you set the active flow timeout in PRTG too low, the router will send flow data for intervals that are already completed in PRTG. This data will be ignored because PRTG cannot retroactively enter data into the database. This will result in lost flow information.

You will get the following ToDo ticket in this case:

The NetFlow sensor has received and dropped flows with a time stamp older than the timespan defined by the active flow timeout. To resolve this issue, make sure that the sensor's Active Flow Timeout setting matches the flow timeout set in the flow exporter device. For more information, see https://kb.paessler.com/en/topic/66485. (code: PE083)

Note: After a restart of the PRTG probe on which the flow sensor runs, it will show the Unknown status with the message This sensor has not received data for […]. This is by design and is normal behavior because data display is delayed for the timeout that is set in the sensor settings. As soon as this amount of time is over, the sensor will change to the Up status again.

Note: If the target device sends incorrect time information that results in wrong monitoring data, try to use 0 as active flow timeout. This will ignore the start and stop information of a flow as provided by the device and account all data to the current point in time. It might result in spikes but all data will be captured.

Created on Oct 7, 2015 5:13:36 PM by Gerald Schoch [Paessler Support]

Last change on Jan 4, 2023 2:07:26 PM by Brandy Greger [Paessler Support]



Votes:

0

For Cisco users, if you want to check the configured Active Flow Timeout you may use the following command:

show ip cache flow

The output will look like the following:

Router# show ip cache flow
IP packet size distribution (1103746 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2921778 ager polls, 0 flow alloc failures
  Active flows timeout in 10 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never

The relevant information is:

Active flows timeout in 10 minutes

Best Regards,

Created on Mar 23, 2016 7:31:28 AM by Luciano Lingnau [Paessler]



Votes:

0

Hello PRTG Team

We use NetFlow with an active flow timeout of 60 sec on our router to gain more accurate network utilisation. We have configured the active flow timeout in the PRTG sensor of 120 sec. Problem is now, that PRTG reports too much information. We get around +10% volume reported on our NetFlow sensors than we get on our SNMP sensors. To avoid that, best thing would be to set the timeout to 65 sec. But there is no way since PRTG only lets us set the timeout in minutes. Is there maybe a ini file or a registry tweak to adjust this value to our needs?

Thanks and best regards

Created on Apr 15, 2016 1:33:55 PM



Votes:

0

Hello pcbona,
thank you for your post.

You may perceive slight differences in the way that SNMP and Flow report data, but hourly or daily volume readings should roughly match. As for the active flow timeout in PRTG it should be 2 minutes if the router is configured with 1 minute, and values in seconds are not allowed (not even via "hacks").

We're used to seeing SNMP Traffic sensors displaying more bandwidth than Netflow Sensors, or Flow sensors displaying twice as much traffic when there's no ingress/egress filtering.

Best Regards,

Created on Apr 18, 2016 10:45:01 AM by Luciano Lingnau [Paessler]



Votes:

0

Good afternoon,

I received the "Netflow data droppped (code: PE082)" ticket, pointing me to this page. The source is a sFlow V5 sensor, but I don't find the Active Flow Timeout setting for this sensor type.

Best regards

Created on Apr 25, 2019 9:45:17 AM



Votes:

0

Hello Sven,

The Active Flow Timeout is only available for the NetFlow sensor (V5, V9, IPFIX) or jFlow V5 sensor.

Please consider checking the connection using the sFlow Tester instead. In case of further issues, please don't hesitate to contact us via email to [email protected].

Best regards,
Sebastian

Created on Apr 25, 2019 2:54:39 PM by Sebastian Kniege [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.