I use the available xFlow sensors of PRTG to monitor traffic of various devices. For example, to measure bandwidth usage data on a Cisco router, I add NetFlow sensors. In the NetFlow sensor settings, there is an option Active Flow Timeout (Minutes).
I am not quite sure what this flow timeout setting means. How does the active flow timeout affect monitoring with jFlow and NetFlow sensors? Does the flow timeout value influence the sensor results?
This article applies to PRTG Network Monitor 19 or later
The Active Flow Timeout and its effects
When you add an xFlow sensor of the type NetFlow v5, NetFlow v9, IPFIX, or jFlow v5 to PRTG (this does not apply to the sFlow sensor), no matter if you use the default or the custom xFlow sensor types, you will see the Active Flow Timeout (Minutes) setting. This field is required to be able to add an xFlow sensor and to monitor xFlows, so you have to understand what the active flow timeout actually is.
Usually, it is sufficient to enter an active flow timeout value in the sensor settings that is 1 minute greater than the value defined on the target device whose xFlows you want to measure. So check the settings on the target hardware device, look up the active flow timeout value, and enter a greater number into the active flow timeout field of your xFlow sensor. You do not have to try any other value than this; it works correctly in most cases.
Note: You might have to experiment with this setting only if your device does not stick to its own active flow timeout setting and sends data too late, for example. Also note that the NetFlow sensors of PRTG are designed to work with Cisco devices. Routers, switches, and other devices from other vendors where the implementation differs can also lead to issues with xFlow monitoring.
Flows and the Active Flow Timeout
Basically, a flow is a sequence of data packets that belong together (that is one data transfer, for example, one file) and that are sent between two devices in a network. With the active flow timeout setting, your device divides this flow into small pieces so that not all information of the flow needs to be sent at the end of data delivery.
For example, consider a 1-GB download within 60 minutes. This would be one flow with a volume of 1 GB after 60 minutes. The active flow timeout now segments this flow into several small flows. If the timeout is set to 5 minutes in the settings of the target device, this would result in 12 flows with 85 MB. The “small” flows are each delivered in 5-minute intervals.
This is what your device does as a result of its active flow timeout setting. PRTG needs to know this value to be aware that it can take this long until flow data arrives.
Active Flow Timeout and its meaning for PRTG
Consider the example with the 1-GB download within 60 minutes again.
Without the active flow timeout, PRTG would already have completed data processing for the preceding 59 minutes. PRTG would store and display the 1-GB data transfer as a whole after 60 minutes, the end of the transmission, because it cannot retroactively change any data. For example, this is exactly what happens when monitoring the Cisco ASA, because the ASA does not support active flow timeout.
With the active flow timeout of the router, the delay until data arrives at PRTG is the active flow timeout value at maximum, even if the delivery lasts longer. So PRTG could record the received volume in a timelier manner but still at the end of the interval of a separated flow.
This is where the active flow timeout setting of xFlow sensors in PRTG plays its important role. The Active Flow Timeout setting makes PRTG delay data processing for the respective xFlow sensor by the value you set for the active flow timeout.
With this approach, PRTG can record the received volume as close as possible to the time it is delivered. For example, if an xFlow sensor in the scenario above has a scanning interval of 60 seconds, the 5-minute flow will be consistently distributed over the last 5 measurements of the sensor.
Although this approach delays the data display in PRTG for this period of time because there might still be incoming data for this interval for which PRTG is waiting, it is the best option to show xFlow data as close to time-based reality as possible.
Active Flow Timeout value in PRTG
As mentioned above, in most scenarios it will be sufficient to have an active flow timeout value in the settings of an xFlow sensor that is set to 1 minute greater than the active flow timeout in the configuration of the monitored device. If you set the active flow timeout in PRTG too low, the router will send xFlow data for intervals that are already completed in PRTG. This data will be ignored because PRTG cannot retroactively enter data into the database. This will result in lost xFlow information.
You will get the following ToDo ticket in this case:
The NetFlow sensor has received and dropped flows with a time stamp older than the timespan defined by the active flow timeout. To resolve this issue, make sure that the sensor's Active Flow Timeout setting matches the flow timeout set in the flow exporter device. For more information, see https://kb.paessler.com/en/topic/66485. (code: PE083)
Note: After a restart of the PRTG probe on which your xFlow sensor is running, it will show an Unknown status with the message This sensor has not received data for […]. This is by design and normal behavior because data display is delayed for the timeout that is set in the sensor settings. As soon as this amount of time is over, the sensor will change to an Up status again.
Note: If the target device sends incorrect time information that results in wrong monitoring data, try to use 0 as active flow timeout. This will ignore the start and stop information of an xFlow as provided by the device and account all data to the current point in time. It might result in spikes but all data will be captured.
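The following added example (not PRTG code and not part of the original article) models the behavior described above using the article's scenario: a 60-minute download cut by the device into 5-minute records of 85 MB, booked into 60-second sensor intervals. The bucket bookkeeping, the function names, and the 70-second export delay are assumptions for illustration; the page does not describe how PRTG accounts for flows internally.

```python
from collections import defaultdict

SCAN = 60  # sensor scanning interval in seconds (the article's 60-second example)

def device_export(duration_min, device_timeout_min, bytes_per_record, delay_s=0):
    """Cut one long flow into records the way the exporter's active timeout does.
    Returns (start, end, bytes, arrival) tuples in seconds; all values constructed."""
    step = device_timeout_min * 60
    return [(s, s + step, bytes_per_record, s + step + delay_s)
            for s in range(0, duration_min * 60, step)]

def sensor_account(records, sensor_timeout_min):
    """Book each record into 60 s buckets; return (buckets, dropped_bytes)."""
    buckets, dropped = defaultdict(int), 0
    for start, end, nbytes, arrival in records:
        if sensor_timeout_min == 0:
            # Timeout 0: ignore start/stop and book everything at arrival time.
            buckets[arrival // SCAN] += nbytes
            continue
        spanned = range(start // SCAN, end // SCAN)
        share = nbytes // len(spanned)  # spread the record evenly over its buckets
        for b in spanned:
            # Assumed model: a bucket is finalized sensor_timeout minutes after it ends.
            finalized_at = (b + 1) * SCAN + sensor_timeout_min * 60
            if arrival >= finalized_at:
                dropped += share  # too late: cannot be written retroactively
            else:
                buckets[b] += share
    return dict(buckets), dropped

def summarize(sensor_timeout_min, delay_s=0):
    """Return (kept_bytes, dropped_bytes, largest_bucket) for the article's scenario."""
    recs = device_export(60, 5, 85_000_000, delay_s)
    buckets, dropped = sensor_account(recs, sensor_timeout_min)
    return sum(buckets.values()), dropped, max(buckets.values())

if __name__ == "__main__":
    for timeout, delay in [(6, 0), (6, 70), (5, 70), (3, 0), (0, 0)]:
        kept, dropped, peak = summarize(timeout, delay)
        print(f"sensor timeout {timeout} min, export delay {delay:>2}s: "
              f"kept {kept:>13,} B, dropped {dropped:>11,} B, peak bucket {peak:,} B")
```

In this model, a record that arrives 70 seconds late costs one bucket per record when the sensor timeout equals the device's 5 minutes, and nothing when it is 6 minutes. Timeout 0 keeps every byte but books each 85 MB record as a single spike.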
Additional Information for Cisco Users
For Cisco users, if you want to check the configured Active Flow Timeout you may use the following command:
show ip cache flow
The output will look like the following:
Router# show ip cache flow
IP packet size distribution (1103746 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
35 active, 4061 inactive, 980 added
2921778 ager polls, 0 flow alloc failures
Active flows timeout in 10 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
The relevant information is:
Active flows timeout in 10 minutes