VMware vRealize Network Insight FAQs

 

Prerequisites, Setup, Licensing, and Installation

    What are the resource requirements for vRealize Network Insight?

    For more information on Resource Requirements, see the vRealize Network Insight Installation Guide.


    What happens if I enter the incorrect key during vRealize Network Insight Proxy OVA deployment?

    The secret key is not validated during vRealize Network Insight Proxy OVA deployment. The deployment completes even with an incorrect secret key. However, pairing can fail, and vRealize Network Insight Proxy does not show up as detected in the vRealize Network Insight UI.
    To correct the shared secret, log in to the vRealize Network Insight Proxy CLI and run the set-proxy-shared-secret command to set the correct secret key. This command replaces the old key with the new one, and consequently, vRealize Network Insight Platform detects vRealize Network Insight Proxy and pairs up.


    How do I configure DNS after vRealize Network Insight Proxy OVA is deployed?

    Log in to the vRealize Network Insight Proxy CLI and run the setup command. This interactive command gives the user an option to add or modify DNS, after which the vRealize Network Insight Proxy is reconfigured with the new DNS.


    How do I change the IP Address/Gateway/Netmask after vRealize Network Insight Proxy OVA is deployed?

    Log in to the vRealize Network Insight Proxy CLI and run the setup command. This interactive command gives the user an option to modify the IP address, gateway, netmask and so forth, after which the vRealize Network Insight Proxy is reconfigured with the new details.

    Note:

    • The IP address can only be changed before pairing of vRealize Network Insight Platform and vRealize Network Insight Proxy.
    • A VM reboot is required when the gateway IP subnet is changed.


    How do I find out vRealize Network Insight Proxy VM IP from the UI?

    Go to the Settings page and select the vRealize Network Insight Infrastructure menu option. The IP addresses of both the vRealize Network Insight Platform and vRealize Network Insight Proxy VMs are displayed.


    What should I do if vRealize Network Insight Proxy is not detected in 5 minutes after deploying vRealize Network Insight Proxy OVA?

    Log in to vRealize Network Insight Proxy support console (see the vRealize Network Insight Command Line Reference Guide) and verify the following:

    • Verify the vRealize Network Insight Platform pairing status with vRealize Network Insight Proxy using the show-connectivity-status command.
    • If the pairing status shows Failed, then the shared secret key specified during vRealize Network Insight Proxy OVA deployment could be wrong. To fix this problem, use the set-proxy-shared-secret command to set the correct secret key. This command replaces the old key with the new one, and therefore, vRealize Network Insight Platform can detect vRealize Network Insight Proxy.
    • If show-connectivity-status shows network reachability to vRealize Network Insight Platform as Failed, then verify whether vRealize Network Insight Platform is reachable from the vRealize Network Insight Proxy VM using the ping command.
    • If it is not reachable, then verify whether the DNS, gateway and so on are configured correctly using the show-config command.
    • If not, use the setup command to modify the network configuration parameters.


    What should I do if I forget my login credentials?

    Please contact your Administrator. If you are an administrator, contact vRealize Network Insight support team.


    How do I change the login password?

    To change the login password:

    • Go to Administrator > Settings, and then click My Profile on the left pane.
    • On the Change Password page, fill in the required information and click Save.


    What do I do if I get the login screen before detecting the vRealize Network Insight Proxy VM?

    • This behavior is expected when the browser is refreshed or URL is opened in a new window before detecting the proxy.
    • Proceed to log in using the credentials mentioned in the email. The license activation step-3 page is displayed.


    Does vRealize Network Insight support multiple vCenter Server/NSX Manager?

    Yes, vRealize Network Insight supports multiple vCenter Server and NSX Manager.


    Which services of vRealize Network Insight need Internet access and why?

    vRealize Network Insight supports a remote home calling feature that requires Internet access. These services allow the vRealize Network Insight team to gain a better understanding of customer environments and proactively troubleshoot or repair issues. The following services need Internet access:

    1. Upgrade Service: vRealize Network Insight uses this service to contact the remote upgrade host and pull in newly released bits as they become available. It is always enabled and works only when Internet access is available.
    2. Metric service: Certain metrics related to key services and performance of vRealize Network Insight are periodically gathered and uploaded for the vRealize Network Insight Support team to monitor and identify any anomaly in the environment so that they can act before it impacts critical services. It can be enabled/disabled while deploying the vApp or through CLI later.
    3. Log Service: vRealize Network Insight uses this service to gather, compress, and upload telemetry data of different components for analysis by the vRealize Network Insight R&D team. It can be enabled/disabled while deploying the vApp or through CLI later.
    4. Support Service: This service establishes remote secured tunnels to the vRealize Network Insight support host that allow authorized personnel to remotely access and work on deployments. It is disabled by default and can be enabled/disabled through UI as well as CLI.
      Note: If the vRealize Network Insight platform is behind an Internet proxy, whitelist these domain names and ports: support2.arkin.net:443, logserver.vnera.com:443, and upgrade.vnera.com:443.


    How do I change from an Evaluation License to a Perpetual License?

    See the Change License section in the vRealize Network Insight 3.1.0 User Guide.


Adding/Configuring vCenter Servers as Data Source

    What if I am getting a Request timed out message while adding vCenter Server using IP address?

    • Verify that the vCenter Server IP address is reachable from the vRealize Network Insight Proxy VM.
    • Log in to the vRealize Network Insight Proxy CLI and use ping to ensure that the IP is reachable and telnet to ensure that the vCenter Server is reachable on port 443.
    • If vCenter Server is reachable, then retry adding.
    • If the IP address is not reachable, then verify whether the gateway is correctly configured on the vRealize Network Insight Proxy VM using the show-config command.
    • If the gateway is incorrect, then correct it using the setup command.


    What if I am getting an IP/FQDN is invalid message while adding vCenter Server?

    • Verify whether the provided IP/FQDN for vCenter Server is correct.
    • Verify whether the FQDN is reachable from the vRealize Network Insight Proxy VM using the ping command.
    • If it is not reachable, then verify whether the DNS is configured correctly on the vRealize Network Insight Proxy VM using nslookup FQDN and the show-config command.
    • If the DNS is incorrect, then correct it using the setup command.


    What privileges does the vRealize Network Insight Security and Operations Platform require?

    vRealize Network Insight requires the VMware vCenter Server credentials with the following privileges:
    Distributed Switch: Modify
    dvPort group: Modify


    What if I am getting the error User does not have required privileges while enabling IPFIX on the vCenter Server Data source page?

    vRealize Network Insight requires the VMware vCenter Server credentials with the following privileges to enable IPFIX:
    Distributed Switch: Modify
    dvPort group: Modify
    Please make sure that the provided VMware vCenter Server user has permission on the vCenter Server’s root folder and all of its child entities, for example, all folders and all datacenters.


    How frequently is the data fetched from environment?

    vRealize Network Insight Proxy fetches data every 10 minutes from environment.


    How soon does the analysis of data start after adding the vCenter Server?

    Analysis of data starts right away after adding a vCenter Server. The product UI shows a partial picture of the data within a few minutes; the picture can take two hours to become complete.
    Note: Flow traffic data changes continuously, and its analysis includes at least 24 hours of data.


    How do I clean up IPFIX settings in vCenter Server if I have deleted vRealize Network Insight OVAs?

    Using VMware vSphere Web Client:
    Go to Home > Networking > VDS (Name) > Netflow Settings. Remove vRealize Network Insight Proxy IP from Collector settings.
    Using VMware vSphere Windows Client:
    Go to Home > Inventory > Networking > VDS (Name) > Edit Settings. Remove vRealize Network Insight Proxy IP from Collector settings in Netflow tab. This step is required to be done for each VDS for which IPFIX is enabled.


    How do I clean up IPFIX configuration in vRealize Network Insight?

    In the vRealize Network Insight UI, go to Settings > Data Sources and delete the vCenter Server. This removes the IPFIX configuration done by vRealize Network Insight.


Operations

    What do the numbers in the Traffic Distribution Pin represent?

    The numbers give an overview of the traffic distribution based on flow analysis.
    • East-West (EW): East-West traffic as a percentage (%) of the total group’s traffic
    • Switched (% of EW): Switched traffic as a percentage (%) of East-West traffic
    • Routed (% of EW): Routed traffic as a percentage (%) of East-West traffic
    • Within Host (% of VM-VM): Traffic with source and destination on the same host as a percentage of virtual machine to virtual machine traffic
    • VM to VM (% of EW): Virtual machine to virtual machine traffic as a percentage of East-West traffic
    • Internet: Internet traffic as a percentage of the total group’s traffic


IPFIX

    What is IPFIX?

    IPFIX is an IETF protocol for exporting flow information. A flow is defined as a set of packets transmitted in a specific timeslot and sharing the same 5-tuple values: source IP address, source port, destination IP address, destination port, and protocol. The flow information may include properties such as timestamps, packet/byte counts, input/output interfaces, TCP flags, VXLAN ID, encapsulated flow information and so on. This is often referred to as Netflow. However, IPFIX is the standard IETF protocol.


    What flow information is exported by the VDS?

    A VDS in vSphere environment can be configured to export flow information using IPFIX. Enable flow monitoring on all the port groups attached to the VDS. If packets arrive on port X of a VDS and exit from port Y, a corresponding flow record is emitted if flow monitoring is enabled on port Y. The direction of every flow record is set as Egress.


    How does vRealize Network Insight use IPFIX?

    vRealize Network Insight uses VMware VDS IPFIX to collect network traffic data. Every session has two paths.
    For example: Session A↔C has A→C packets and C→A packets.
    To analyze the complete information of any session, IPFIX data about packets in both directions is required. In the accompanying diagram, VM-A is connected to DVPG-A and is talking to VM-C. Here DVPG-A provides data only about the C→A packets, and DVPG-Uplink provides data about the A→C packets. To get the complete information of A’s traffic, IPFIX should be enabled on both DVPG-A and DVPG-Uplink.
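
    The two-direction requirement above can be checked on exported flow data. The following is an added example, not VMware code: it merges egress-only flow records into sessions and lists sessions for which only one direction was seen. The record fields, the "exporter" label, and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real exports). "exporter" is a hypothetical label
# for the port group whose egress monitoring emitted the record.
A, C = "10.0.0.5", "10.0.1.9"
REQUEST = {"src": A, "sport": 49152, "dst": C, "dport": 443, "proto": 6,
           "bytes": 1200, "exporter": "DVPG-Uplink"}  # A->C leaves through the uplink
REPLY = {"src": C, "sport": 443, "dst": A, "dport": 49152, "proto": 6,
         "bytes": 8400, "exporter": "DVPG-A"}         # C->A leaves through A's port

def session_key(rec):
    """Order the endpoints so A->C and C->A records share one key."""
    a, b = (rec["src"], rec["sport"]), (rec["dst"], rec["dport"])
    return (rec["proto"],) + (a + b if a <= b else b + a)

def pair_sessions(records):
    """Merge egress-only flow records into bidirectional sessions."""
    sessions = defaultdict(lambda: {"directions": set(), "exporters": set(), "bytes": 0})
    for rec in records:
        s = sessions[session_key(rec)]
        s["directions"].add((rec["src"], rec["dst"]))
        s["exporters"].add(rec["exporter"])
        s["bytes"] += rec["bytes"]
    return dict(sessions)

def one_sided(sessions):
    """Sessions with one observed direction: IPFIX is likely missing on either
    the VM's port group or the uplink port group."""
    return sorted(k for k, s in sessions.items() if len(s["directions"]) < 2)
```

    With both REQUEST and REPLY present the session is complete; with REPLY alone (uplink not monitored) the same session is reported as one-sided.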


    How do I troubleshoot vRealize Network Insight Flow Collection?

    1. Please ensure that the specific VDS, its DVPGs, and its Uplink properties have Netflow monitoring enabled and that the collector IP address is that of the vRealize Network Insight Collector.
    2. IPFIX Netflow packets are getting dropped in between by a firewall (NSX, virtual, or physical).
      Please ensure that Netflow packets destined for port 2055 on the vRealize Network Insight Collector IP are allowed by any firewall that may be present in the route between the ESXi host and the vRealize Network Insight Collector.
    3. The ESXi host has ceased to send IPFIX Netflow packets.
      a. The ESXi host backs off sending the Netflow packets after some time if port 2055 is not reachable. This may happen because a firewall is dropping the packets.
    4. The vRealize Network Insight Collector is not reachable by the ESXi host due to a network routing problem.
      Please ensure that a proper route exists between the ESXi host and the vRealize Network Insight Collector.
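
    When checking whether flow packets reach the collector, it helps to confirm that a payload captured on port 2055 is well-formed IPFIX and carries the expected 5-tuple. The following is an added example, not VMware code: parse_ipfix, IE_NAMES and SAMPLE are illustrative names, the datagram is constructed, and only fixed-length fields are decoded.

```python
import ipaddress
import struct

# IANA information element IDs for the 5-tuple.
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 4: "protocolIdentifier",
            7: "sourceTransportPort", 11: "destinationTransportPort"}
# Constructed sample datagram (not captured traffic): template 256, then one record.
SAMPLE = bytes.fromhex(
    "000a003d000000000000000100000007"                          # message header, version 10
    "0002001c0100000500080004000c000400070002000b000200040001"  # template set (set ID 2)
    "010000110a0000050a000109c00001bb06")                       # 10.0.0.5:49152 -> 10.0.1.9:443 TCP

def parse_ipfix(datagram, templates):
    """Walk one IPFIX message (RFC 7011); decodes fixed-length fields only."""
    if len(datagram) < 16:
        raise ValueError("shorter than the 16-byte message header")
    version, length, _, seq, domain = struct.unpack("!HHIII", datagram[:16])
    if version != 10 or length != len(datagram):
        raise ValueError(f"not a well-formed IPFIX message: version={version} length={length}")
    records, pos = [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", datagram[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError("set length runs past the message")
        body = datagram[pos + 4:pos + set_len]
        if set_id == 2:  # template set: remember each record layout
            off = 0
            while off + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[off:off + 4])
                if tid < 256 or count == 0:  # padding or template withdrawal
                    break
                fields, off = [], off + 4
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[off:off + 4])
                    off += 8 if ie & 0x8000 else 4  # enterprise IEs carry a 4-byte PEN
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id in templates:  # data set whose template has been seen
            size = sum(flen for _, flen in templates[set_id])
            for off in range(0, len(body) - size + 1, size):
                rec, p = {}, off
                for ie, flen in templates[set_id]:
                    n = int.from_bytes(body[p:p + flen], "big")
                    rec[IE_NAMES.get(ie, ie)] = str(ipaddress.IPv4Address(n)) if ie in (8, 12) else n
                    p += flen
                records.append(rec)
        pos += set_len
    return {"sequence": seq, "domain": domain}, records
```

    Pass the same templates dictionary for every datagram from one exporter, because data sets can only be decoded after their template has been seen. A payload that starts with version 9 is rejected with a ValueError rather than decoded.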


    Which VMware KB articles should I be aware of, related to IPFIX?

    VMware ESXi 6.0 Update 1:
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2135956

    When is a service considered shared?

    The following ports are configured as shared:

    Protocol       Port
    DNS            53
    Bootpc         68
    Kerberos       110
    sunrpc         111
    NTP            123
    Imap           143
    Imap3          220
    SMTP           25
    LDAP           389
    IGMPv3Lite     465
    syslog         514
    Submission     587
    syslog-conn    601
    LDAPS          636
    IMAPS          993
    POP3S          995
    NFS            2049
    MSFT-GC        3268
    MSFT-GC-SSL    3269


    How do I Create a Support Bundle?

    See the support-bundle section in the vRealize Network Insight Command Line Reference Guide.


    How do I create a read-only Admin Role in Palo Alto Networks Panorama for XML API access?

    To add an Admin Role for XML API access:

    1. Select Panorama → Admin Roles.
    2. Click to add a new Admin Role; the Admin Role Profile dialog box opens.
    3. In the Admin Role Profile dialog box:
      a. Give a name to the role (for example, api-only-admin).
      b. Select the Role as Panorama.
      c. Disable all entries in the Web UI tab.
      d. Enable all entries except Commit in the XML API tab.
      e. Click OK to close the dialog box. A new Admin Role appears in the list with the name provided.
      f. Click Commit to commit the changes to Panorama.
    4. Assign this Admin Role to an administrative account.
