topic Re: Profiler Queue Size limited warning in Network Access Control

Profiler Queue Size limited warning

Jefkelle — Wed, 02 Mar 2016 22:32:07 GMT

In the following message, what is the significance of the number in Profiler Queue Size Limit Reached : Server=vISE45; Profiler Error Message=16170 Forwarder endpoints dropped; Does it mean 16170 end attribute where dropped?

Re: Profiler Queue Size limited warning

Timothy Abbott — Thu, 03 Mar 2016 19:24:21 GMT

It is the number of events dropped by Profiler since the queue limit was reached. Basically, profiler is receiving more endpoint data than can be processed. Make sure that you don't have excessive profiling data. Best practices include limiting profiling to a single PSN and avoiding SPAN / Netflow.

Regards,

-Tim

Re: Profiler Queue Size limited warning

jeffery.kelley — Thu, 03 Mar 2016 19:36:52 GMT

Any suggestions when if disabling Netflow isn't an option? redundant environment. Some PSNs behind LB, but not all.

Re: Profiler Queue Size limited warning

Timothy Abbott — Thu, 03 Mar 2016 19:40:49 GMT

First thing that comes to mind is that some platforms give you the ability to rate-limit the amount of Netflow data sent to the collector. I would look to see if the platform you're using has that ability.

Regards,

-Tim

Re: Profiler Queue Size limited warning

Craig Hyps — Thu, 03 Mar 2016 23:48:55 GMT

So the challenge with filtering Netflow for profiling purposes is chance you will not send the critical info needed to classify an endpoint. If newer Netflow code able to filter flows based on specific packet or protocol match, then that would be ideal. Sampled Netflow would certainly increase chance of missing key traffic.

General best practices include:

Limit Netflow export to specific interfaces where expecting devices of interest. If using to catch anomalous traffic, then look for choke points.
It is generally better to use a simple flow with minimal key fields like 5-tuple (source/dest ip/port and protocol) to limit the number of individual flow records.

I do cover some of this in original ISE Profiling Design Guide.

@Jeff: The first question before enabling Netflow for profiling is "Is there a specific requirement that only Netflow can address". Unless used to detect very specific types of endpoints or events, its use is typically not recommended due to potential of overrunning event queue.

If Netflow deemed critical for your use case, please reach out to internal Cisco teams for further discussion on how to best address this requirement. If customer requiring this support, please direct request to your local sales team for escalation to internal teams.

/Craig

Re: Profiler Queue Size limited warning

ab23 — Mon, 27 Feb 2023 14:40:09 GMT

For anyone doing a google search for the error and trying to find Craig's link like I was, it has since been moved and looks like it lives here now: https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456?dtid=osscdc000283