SIG Policy unexpected behavior

jjpark
Level 1

Hi.

We had a weird problem.

 

- vManage, vSmart, vBond : 20.9.4 (Manage 20.9.4.1)

- C1111-4P SD-WAN Mode : 17.9.4a

 

Only 3 types of traffic go to SIG by traffic policy (O365, Webex, Windows Update).

But one of our custom applications, which was defined as an internal app, went to SIG.


Of course, we had service loss. (It shouldn't go to SIG.)

Is it a false positive of NBAR?

 

I would appreciate it if anyone could give me a reply.

Thank you.

 

4 Replies

ivances
Level 1

I am having similar problems, have you managed to fix it? Can you share the Traffic Data? I am running 20.9.4 & 17.9.4a too.

Hi.

Sadly, I can't share it, because it's the customer's information.

 

I haven't fixed it yet.

The TAC case is in progress, but I think it is a hard problem for TAC as well.

ivances
Level 1

Hi jjpark,

I understand. Just, are you sure you indicate that this custom application is being sent by DIA or by the SD-WAN overlay?

I too have a case with TAC for this problem, I even see private traffic being categorized as "ms-office-365" or Custom Applications that have nothing to do with it.

I understand that it has already been done by TAC, but could you do a FIA Trace and share it? That way I can find out if it's the same for you as it is for me.
These are the commands you have to use:

debug platform condition ipv4 10.154.17.1/32 both (Note: I understand that this is the IP of your application; if not, please put the IP of the application)

terminal length 0

debug platform packet-trace packet 8192 fia-trace data-size 4096

debug platform condition start

[Generate traffic against the application for a minute]

debug platform condition stop

show platform packet-trace summary

show platform packet-trace packet all decode

The FIA Trace brings data from the NBAR categorization and the Traffic Data sequence in which this flow is matched.

It would also be great to have a PCAP of that flow and DNS resolution, since NBAR uses SNI (SSL) and DNS response.

Hi.

Sorry for my late reply.

 

Actually, we already fixed it by traffic policy.

Even though we tried our best to recreate the same situation, we failed.

 

I am really sorry.