IBM Support

QRadar: Packet Counts from Cisco Nexus 7000 NetFlow v9 Sources Report Incorrect Data

Troubleshooting


Problem

Cisco Nexus 7000 switches at version 4.2.6 or lower can export NetFlow v9 flow records to QRadar with incorrect packet counts, high durations, or zero byte counts.

Cause

A known defect in Cisco Nexus 7000 switches causes the NetFlow v9 data exported to QRadar to be incorrect. The issue originates in the Cisco Nexus 7000 switch and how it reports NetFlow v9 data to QRadar. No APAR exists to resolve this issue.

Environment

Cisco Nexus 7000 Switches on v4.2.6 or lower.

Resolving The Problem

This issue is documented as Cisco defect CSCtk82138. To resolve it, administrators should take one of the following actions:

  1. Update your Cisco Nexus 7000 Switch to release 4.2.8. For more information, contact Cisco Support.
  2. Administrators who are unable to update and are on NX-OS 4.2.6 or lower should configure their Cisco Nexus 7000 Switch to send NetFlow v5 formatted data to QRadar. For more information, see your Cisco documentation.
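
To check whether an exporter shows the symptoms listed under Problem, the following added example (not IBM or Cisco code) decodes a NetFlow v9 export packet per RFC 3954 and flags records with zero bytes, an implausible packet count, or a high duration. The function names, the 30-minute duration threshold, the packets-greater-than-bytes heuristic, and the sample packet are assumptions made for illustration.

```python
import struct

IN_BYTES, IN_PKTS, LAST_SWITCHED, FIRST_SWITCHED = 1, 2, 21, 22  # v9 field types (RFC 3954)
MAX_DURATION_MS = 30 * 60 * 1000  # assumed threshold: set above the exporter's active timeout

def parse_v9(packet, templates):
    """Decode one v9 export packet into {field_type: int} records; updates templates in place."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20  # flowsets follow the fixed 20-byte header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            break  # malformed flowset length
        body, pos = packet[off + 4:off + fs_len], 0
        while fs_id == 0 and pos + 4 <= len(body):  # template flowset
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * n > len(body):
                break  # padding or truncated template
            templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            pos += 4 + 4 * n
        fields = templates.get(fs_id, []) if fs_id >= 256 else []  # data flowset
        rec_len = sum(flen for _, flen in fields)
        for start in (range(0, len(body) - rec_len + 1, rec_len) if rec_len else ()):
            rec, p = {}, start
            for ftype, flen in fields:
                rec[ftype], p = int.from_bytes(body[p:p + flen], "big"), p + flen
            records.append(rec)
        off += fs_len
    return records

def symptoms(rec):
    """Name the symptoms from this technote that a decoded record shows."""
    pkts, octets, found = rec.get(IN_PKTS), rec.get(IN_BYTES), []
    if pkts and octets == 0:
        found.append("zero bytes")
    if pkts and octets and pkts > octets:
        found.append("implausible packet count")  # every packet carries at least one byte
    if FIRST_SWITCHED in rec and LAST_SWITCHED in rec:  # sysUptime ms; mask handles 32-bit wrap
        if (rec[LAST_SWITCHED] - rec[FIRST_SWITCHED]) & 0xFFFFFFFF > MAX_DURATION_MS:
            found.append("high duration")
    return found

def constructed_sample():
    """Constructed packet: template 256 plus two data records, the second one suspect."""
    tmpl = struct.pack("!10H", 256, 4, IN_BYTES, 4, IN_PKTS, 4, FIRST_SWITCHED, 4, LAST_SWITCHED, 4)
    data = struct.pack("!8I", 6000, 10, 1000, 5000, 0, 42, 1000, 4_000_000)
    fs = lambda fid, body: struct.pack("!HH", fid, len(body) + 4) + body
    return struct.pack("!HHIIII", 9, 3, 0, 0, 0, 0) + fs(0, tmpl) + fs(256, data)
```

Keep one `templates` dictionary per exporter and source ID across packets, because data flowsets can only be decoded after the matching template has been seen.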


Document Information

Modified date:
16 June 2018

UID

swg21622514