03-02-2016 02:32 PM
In the following message, what is the significance of the number in "Profiler Queue Size Limit Reached : Server=vISE45; Profiler Error Message=16170 Forwarder endpoints dropped;"? Does it mean 16170 end attributes were dropped?
03-03-2016 11:24 AM
It is the number of events dropped by Profiler since the queue limit was reached. Basically, profiler is receiving more endpoint data than can be processed. Make sure that you don't have excessive profiling data. Best practices include limiting profiling to a single PSN and avoiding SPAN / Netflow.
Regards,
-Tim
03-03-2016 11:36 AM
Any suggestions if disabling Netflow isn't an option? Redundant environment. Some PSNs behind LB, but not all.
03-03-2016 11:40 AM
First thing that comes to mind is that some platforms give you the ability to rate-limit the amount of Netflow data sent to the collector. I would look to see if the platform you're using has that ability.
Regards,
-Tim
03-03-2016 03:48 PM
So the challenge with filtering Netflow for profiling purposes is the chance that you will not send the critical info needed to classify an endpoint. If newer Netflow code is able to filter flows based on a specific packet or protocol match, then that would be ideal. Sampled Netflow would certainly increase the chance of missing key traffic.
General best practices include:
I do cover some of this in the original ISE Profiling Design Guide.
@Jeff: The first question before enabling Netflow for profiling is "Is there a specific requirement that only Netflow can address?" Unless used to detect very specific types of endpoints or events, its use is typically not recommended due to the potential of overrunning the event queue.
If Netflow is deemed critical for your use case, please reach out to internal Cisco teams for further discussion on how to best address this requirement. If a customer requires this support, please direct the request to your local sales team for escalation to internal teams.
/Craig
02-27-2023 06:40 AM
For anyone doing a Google search for the error and trying to find Craig's link like I was, it has since been moved and looks like it lives here now: https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456?dtid=osscdc000283