ACC traffic does not sum up correctly for different time ranges

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ACC traffic does not sum up correctly for different time ranges

L3 Networker

Hi,

 

Issue:

Lets say we filter out web-browsing in ACC to check the traffic amount used by that specific app.

We check three different ranges:

  • Week1 - 300 MB & 8k sessions
  • Week2 - 700 MB & 18k sessions
  • Week3 - 1 GB & 23k sessions

... and now we select Week1+Week2+Week3 custom range, basically it contains everything within these weeks.

  • SUM - 1.3 GB &  31k sessions

Gives a feeling like the result is Week1+Week3, with Week 2 somehow excluded.

 

Next: Lets take Week2+Week3 as a custom range:

  • Week2+Week3 - 1.7 GB & 41k sessions

Next: Week1+Week2 as a custom range:

  • Week1+Week2 - 1G & 26k sessions 

So, do you have any idea guys, why that summed up scenario gives us wrong result if seperately numbers seem fine?

 

Tested on 7.0.2, but quicly checked that out on 7.1.2 - looked like it has similar result.

 

I've checked other Live articles, but they are mostly talking about differences in stats from different databases, but in this case, as far as my understanding goes, data is gathered from traffic summary database (I guess weeklytrsum), so the source should be same same. And, yes, you can reproduce the same by generating a Custom Report with the same parameters from Traffic Summary database.

 

 

 

8 REPLIES 8

L3 Networker

I will probably bump this - can someone please confirm this behaviour so I don't feel out of my mind?

Community Team Member

 

Are you possibly hitting the 100k line limit ?

 

In scenarios where the 100k lines limit is reached some of the information will not be displayed on the ACC or data may be inaccurate :

 

ACC-is-Not-Accurate-During-Heavy-Traffic-Log-Generation

 

Eitherway, I've tested this in a small lab and cannot confirm the behaviour you're seeing.  

Everything adds up nicely for 3 weeks in my lab.

 

 

 

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks for your input, looked at this article previously, but not sure if that applies to this case - the traffic is stored within that database already (I suppose weeklytrsum), so the 100k line limit should not be the problem, because if trying the to sum it up part by part - it seems fine, so the information is there and recorded. I have a feeling is a matter of how its processed in ACC, but still just a guess. I will try that on one more Palo today, so will update later. 

@nikoo What platform?  I've got similar issues, but it only occurs when trying to view logs in Panorama on logs fed from my 5060.

As far as I've looked, it happens on 5020 (7.1.2), 3020 (7.0.6, much more less deviation here, but it may be matter of sample taken), 3020 (7.0.2), 5020 (6.1.11). I guess it is a PAN limitation, and it may be the one Kiwi mentioned, but, well, that sucks. It may be different story with Panorama, but again - just guessing.

 

Edit: Just tested on my lab box - 3050 with 7.1.2 - traffic there is generated rarely and the result for filtering out ssl traffic:

Week1 - 192.2 MB & 9.5k sessions

Week2 - 154.2 & 19.2k sessions

Week3 - 314MB & 28.6k sessions

-----

And when range is expanded to Week1+Week2+Week3 we get 707 MB & 66.9k sessions, although manual sum counts up 661 MB & 57.3k sessions. Meh. 

I just tried this on a VM-300 running 7.1.2:

 

week1 115.9G + 79.3k sessions

week2 230.7G + 154.4k sessions

week3 133.2G + 112.8k sessions

 

Then I selected a custom range that included all 3 weeks:

 - 479.9G + 347.0k sessions

 

Lines right up for me.  

 

(edit:  I'm not saying that you're not experiencing a problem...  just wanted to put in my .02 and let you know that it's not all platforms or all software versions).  

Isn't ACC only report those sessions closed during the time period that selected and the policies that are logged ?

 

If the sessions are long live (sessions that are started for 4 weeks ago and transfer data in a pretty slow rate), when those sessions are closed, it will show up on ACC report.

 

  E

L3 Networker

Will poke this thread around.

Time has passed, so maybe someone has seen similar situation and filed a support case?

  • 2995 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!