New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


What is the Active Flow Timeout in Flow sensors?

Votes:

0

Your Vote:

Up

Down

I use the available flow sensors of PRTG to monitor traffic of various devices. For example, to measure bandwidth usage data on a Cisco router, I add NetFlow sensors. In the NetFlow sensor settings there is an option Active Flow Timeout in Minutes.

I am not quite sure what this flow timeout setting means. How does the active flow timeout affect monitoring with jFlow and NetFlow sensors? Does the flow timeout value influence the sensor results?

active-flow-timeout error-code flow flow-timeout jflow netflow pe083 sensors settings unknown

Created on Oct 7, 2015 5:09:31 PM by  Gerald Schoch [Paessler Support]

Last change on Feb 8, 2018 12:30:29 PM by  Luciano Lingnau [Paessler Support]



4 Replies

Accepted Answer

Votes:

2

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 15 or later

The Active Flow Timeout and Its Effects

When you add a NetFlow sensor (V5, V9, IPFIX) or a jFlow V5 sensor to PRTG, no matter if you use the default or the custom xFlow sensor types, you will see the Active Flow Timeout (Minutes) setting. This field is required to be able to add a flow sensor and to monitor flows, so you have to understand what the flow timeout actually is.

Usually, it is sufficient to enter a flow timeout value in the sensor settings that is 1 minute greater than defined in the target device from where you want to measure flows. So check the settings on the target hardware device, look up the active timeout value, and enter a greater number into the active flow timeout field of your flow sensor. You do not have to try any other value than this, it works correctly in most cases.

Note: You might have to experiment with this setting only if your device does not stick to its own flow timeout setting and sends data too late, for example. Please note that PRTG’s NetFlow sensors are designed to work with Cisco devices. Routers, switches, and other devices from other vendors where the implementation differs can also lead to issues with flow monitoring.

Flows and the Active Flow Timeout

Basically, a flow is a sequence of data packets that belong together (which is one data transfer, for example, one file) and are sent between two devices in a network. With the active flow timeout setting your device separates this flow into small pieces so that not all information of the flow needs to be sent at the end of data delivery.

For example, consider a 1 GB download within 60 minutes. This would be one flow after 60 minutes with 1 GB volume. The active flow timeout now segments this flow into several small flows. If the timeout is set to 5 minutes in the settings of the target device, this would result in 12 flows with 85 MB. The “small” flows are delivered in 5 minute intervals each.

This is what your device does as a result of its flow timeout setting. PRTG needs to know this value to be aware that it can take this long until flow data arrives.

Active Flow Timeout and the Meaning for PRTG

Consider the example with the 1 GB download within 60 minutes again. Without the flow timeout, PRTG already would have completed data processing for the preceding 59 minutes. PRTG would store and display the 1 GB data transfer as a whole after 60 minutes, the end of the transmission, because it cannot change any data retroactively. For example, this is exactly what happens when monitoring the Cisco ASA, because the ASA does not support active flow timeout.

With the flow timeout of the router, the delay until data arrives at PRTG is the flow timeout value at maximum, even if the delivery lasts longer. So PRTG could record the received volume in a timelier manner but still at the end of the interval of a separated flow.

This is where the active flow timeout setting of flow sensors in PRTG plays its important role. The Active Flow Timeout setting makes PRTG to delay data processing for the respective flow sensor by the value you set for the flow timeout.

With this approach PRTG can record the received volume as close as possible to the time it is delivered. For example, if a flow sensor in the scenario above has a scanning interval of 60 seconds, the 5 minutes flow will be consistently distributed over the last 5 measurements of the sensor.

Although this approach delays the data display in PRTG for this period of time because there still might be incoming data for this interval for which PRTG waits, it is the best option to show flow data as close to timely reality as possible.

Active Flow Timeout Value in PRTG

As mentioned above, you will be happy in most scenarios with an active flow timeout value in the settings of a flow sensor that is set 1 minute greater than the flow timeout in the configuration of the monitored device. If you set the flow timeout in PRTG too low, the router will send flow data for intervals that are already completed in PRTG. This data will be ignored because PRTG cannot enter data into the database retroactively, resulting in lost flow information.

You get the following ToDo ticket in this case: The netflow sensor has received and dropped flows with a timestamp older than the timespan defined by the active flow timeout. Please ensure that the active flow timeout from the sensor setting matches the flow timeout set in the flow exporter device (code: PE083)

Note: After a restart of the PRTG probe on which your flow sensor runs it will show an Unknown status with the message This sensor has not received data for […]. This is by design and normal behavior because data display is delayed for the timeout set in the sensor settings. As soon as this amount of time is over, the sensor will turn to an Up status again.

Note: If the target device sends incorrect time information that results in wrong monitoring data, please try to use 0 as active flow timeout. This will ignore the start and stop information of a flow as provided by the device and account all data to the current point in time. It might result in spikes but all data will be captured.

Created on Oct 7, 2015 5:13:36 PM by  Gerald Schoch [Paessler Support]

Last change on May 17, 2017 10:13:34 AM by  Gerald Schoch [Paessler Support]



Votes:

0

Your Vote:

Up

Down

For Cisco users, if you want to check the configured Active Flow Timeout you may use the following command:

show ip cache flow

The output will look like the following:

Router# show ip cache flow
IP packet size distribution (1103746 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
  35 active, 4061 inactive, 980 added
  2921778 ager polls, 0 flow alloc failures
  Active flows timeout in 10 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never

The relevant information is:

Active flows timeout in 10 minutes

Best Regards,

Created on Mar 23, 2016 7:31:28 AM by  Luciano Lingnau [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hello PRTG Team

We use NetFlow with an active flow timeout of 60 sec on our router to gain more accurate network utilisation. We have configured the active flow timeout in the PRTG sensor of 120 sec. Problem is now, that PRTG reports too much information. We get around +10% volume reported on our NetFlow sensors than we get on our SNMP sensors. To avoid that, best thing would be to set the timeout to 65 sec. But there is no way since PRTG only lets us set the timeout in minutes. Is there maybe a ini file or a registry tweak to adjust this value to our needs?

Thanks and best regards

Created on Apr 15, 2016 1:33:55 PM by  pcbona (0) 2



Votes:

0

Your Vote:

Up

Down

Hello pcbona,
thank you for your post.

You may perceive slight differences in the way that SNMP and Flow report data, but hourly or daily volume readings should roughly match. As for the active flow timeout in PRTG it should be 2 minutes if the router is configured with 1 minute, and values in seconds are not allowed (not even via "hacks").

We're used to seeing SNMP Traffic sensors displaying more bandwidth than Netflow Sensors, or Flow sensors displaying twice as much traffic when there's no ingress/egress filtering.

Best Regards,

Created on Apr 18, 2016 10:45:01 AM by  Luciano Lingnau [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.