Solved: NetFlow ip cache timeouts

Uhlig.Tim · ‎04-25-2018

Hey guys,

I was searching for best practics regarding ip cache timeouts, but I didn't find something.

Independently which system (ASA, Switch or Router), what did you configure for ip flow cache active timeoutes and ip flow cache inactive timeoutes? Or do you know something like a best practice?

The reason why I would like to have this info is, I have some peaks in my monitoring system (PRTG) which could be caused by those timeout configuration.

cheers Tim

Ben Walters · ‎04-25-2018

It really depends on the data you want to collect, but there is a limitation in PRTG for the active timeout. 60 minutes (unless you want to use 0 to collect everything) is the max you can configure in PRTG and it tells you to set this higher than the active timeout on the device being monitored.

In our setup with PRTG we use the default active timeout of 30 min and in PRTG we set the timeout to 31 min and it seems to work fine for us.

The inactive timeout is a little more important if you want to look at the stats directly on the switch. We use the inactive timeout of 5 min and when we log into a switch we know we are getting at least the last 5 min of data when we look at the flow cache directly.

I would say that if you are only using PRTG to check the netflow stats you can probably just keep the default value since it should capture all active flows and there wouldn't be much need for inactive flows after the fact.

View solution in original post

Ben Walters · ‎04-25-2018

It really depends on the data you want to collect, but there is a limitation in PRTG for the active timeout. 60 minutes (unless you want to use 0 to collect everything) is the max you can configure in PRTG and it tells you to set this higher than the active timeout on the device being monitored.

In our setup with PRTG we use the default active timeout of 30 min and in PRTG we set the timeout to 31 min and it seems to work fine for us.

The inactive timeout is a little more important if you want to look at the stats directly on the switch. We use the inactive timeout of 5 min and when we log into a switch we know we are getting at least the last 5 min of data when we look at the flow cache directly.

I would say that if you are only using PRTG to check the netflow stats you can probably just keep the default value since it should capture all active flows and there wouldn't be much need for inactive flows after the fact.

Diana Karolina Rojas · ‎04-25-2018

Hello!

I recommend you to read this post https://communities.cisco.com/thread/34957?start=0&tstart=0

and this other https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/Cisco_NetFlow_Configuration.pdf

Active Timeout: The active timeout covered earlier should be set to 60 seconds. This is because most reporting tools provide a granularity level at one minute intervals. On a few occasions, vendors have forgotten to implement an active time out resulting in long lived flows and abnormal spikes in the graphs when the data is used to build trends. An active timeout routine should be built into the flow export.
Inactive Timeout: Flows that not active for a period of time (E.g. 15 seconds) should be exported from the flow cache.

Do not forget to rate/mark useful answers.

Regards,