Gateway not receiving network traffic

  • Question

  • Hi guys,

    We have the latest ATA (version 1.7.5757.57477) installed in our environment.

    I've configured the DCs Port Mirroring as the Source and the ATA Gateway as the Destination.
    The ATA Gateway as well as the DC are both running on the same Hyper-V Host (as recommended in order to mirror all the traffic from DCs to the ATA Gateway).

    Every few minutes I get the following message:

    Gateway not receiving network traffic:
    The Gateway "GatewayName" is not receiving mirrored network traffic. This might indicate that port mirroring from the Domain Controllers to Gateway "GatewayName" is mis-configured.


    Are there any additional steps that I've missed?

    Regards,
    Elie


    Monday, January 23, 2017 10:17 AM

All replies

  • Hi,

    please add more details about your configuration:

    • Hyper-V in cluster mode?
    • If you've Hyper-V cluster, did you configure affinity?
    • If you've Hyper-V cluster, did you fail over virtual server to other host?
    • What is your PM method (span, rspan, erspan)?
    • Did you validate PM with the general PowerShell script or by using netmon?

    You've some misconfiguration with your environment and you need to make sure that all requirements are configured well.

    Regards,
    Eli.



    Email:eshlomo9@hotmail.com;Twitter:https://twitter.com/EliShlomo1




    Monday, January 23, 2017 11:39 AM
  • Hi Eli,

    • Hyper-V in cluster mode?
      Yes
    • If you've Hyper-V cluster, did you configure affinity?
      No, but all DCs and the Gateway are always running on the same host. I've written a script that moves the DCs to the same host where the Gateway is; this way they are all running on the same host.
    • If you've Hyper-V cluster, did you fail over virtual server to other host?
      No, I have not yet failed over the VMs
    • What is your PM method (span, rspan, erspan)?
      Not sure about that but I think it's SPAN
    • Did you validate PM with the general PowerShell script or by using netmon?
      Both actually, the PowerShell script returned the following message:
      Port Spanning Success!
      At least one packet which was addressed to the DC, was picked up by the Gateway.
      A little noise is OK, but if you don't see a majority of successes, you might want to re-run.
      But I've noticed that 8 replies were noise so I am not sure the test is successful.
      And regarding NetMon, I've received data on the Gateway to and from the IP of the DC so I guess port mirroring is configured properly.

    Thank you for your reply :)

    Monday, January 23, 2017 12:31 PM
  • Hi,

    In short, for the PM method:

    • SPAN is when you copy network traffic from switch ports to another switch port on the same switch, and the ATA Gateway and domain controllers are connected to the same physical switch
    • RSPAN is when you monitor network traffic from source ports distributed over multiple physical switches
    • ERSPAN is when the switch works at layer 3; it allows you to monitor traffic across switches without the need for a VLAN trunk

    The recommendations when you have DCs, ATA and PM are:

    • the virtual switch needs to support port mirroring
    • each domain controller running on the cluster in a VM with the ATA Gateway needs to be configured with affinity between the domain controller and the ATA Gateway

    When you have 'a little noise is OK', it's not good enough because you need to receive all data.
    Make sure that you're working with Microsoft best practice when you configure port mirroring https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/configure-port-mirroring

    Regards,
    Eli.



    Monday, January 23, 2017 1:09 PM
  • Hello Elie,

    Please make sure you have configured the Gateway settings on the ATA Console after installation.

    Please follow the steps below for checking that.

    1. Log in to ATA Console
    2. Open the page for Configuration
    3. Choose Gateways, and choose and click the name of Gateway
    4. Please make sure you have added the Port Mirrored Domain Controller, and selected the Capture network adapter.



    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 24, 2017 6:58 AM
  • Hello Andy,

    Thank you for your reply and sorry for the late response.

    Unfortunately I am still facing the same problem, and the steps you sent are already done.
    I have no idea what to do in order to resolve this issue :(

    Regards,

    Elie

    Wednesday, February 8, 2017 6:50 AM
  • Hello Elie,

    Are the DCs and ATA Gateway in the same VLAN? 

    If the ATA Gateway is in a different VLAN from the DCs, you need to set the mode for the virtual adapter on ATA Gateway to trunk. The command for this is as below.

    Set-VMNetworkAdapterVlan -VMName Contoso_App2 -Trunk -AllowedVlanIdList 1-100 -NativeVlanId 10

    In addition, to get started with ATA quickly, you can deploy ATA Lightweight Gateway on DCs directly. ATA Lightweight Gateway can monitor the traffic directly without the need for a dedicated server or configuration of port mirroring. It is an alternative to the ATA Gateway.

    Best regards,
    Andy Liu


    Thursday, February 9, 2017 5:22 AM
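
A host-side check of the points raised in the replies above (mirroring mode, shared virtual switch, VLAN), as an added example that is not part of the original thread. The VM names are placeholders, and the script assumes an elevated PowerShell session on the Hyper-V host that currently runs the VMs.

```powershell
# Added example (not from the thread). VM names are placeholders; edit them.
$GatewayVm = 'ATA-GW01'
$DcVms     = 'DC01', 'DC02'

# Return the adapters of one VM that are in the given port mirroring mode.
function Get-MirrorAdapter {
    param([string]$VMName, [string]$Mode)
    # Get-VM only sees VMs on the local host, so a VM that has moved to
    # another cluster node yields nothing here.
    $vm = Get-VM -Name $VMName -ErrorAction SilentlyContinue
    if (-not $vm) { return }
    Get-VMNetworkAdapter -VM $vm |
        Where-Object { $_.PortMirroringMode -eq $Mode } |
        ForEach-Object {
            $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $_
            [pscustomobject]@{
                VM       = $VMName
                Switch   = $_.SwitchName
                VlanMode = [string]$vlan.OperationMode
                VlanId   = $vlan.AccessVlanId
            }
        }
}

# The Gateway's capture adapter must be the mirroring Destination.
$dest = @(Get-MirrorAdapter -VMName $GatewayVm -Mode 'Destination')
if ($dest.Count -eq 0) {
    Write-Warning ('{0}: not on this host, or no adapter set to Destination' -f $GatewayVm)
}

# Each DC needs a Source adapter on the same virtual switch as the Destination.
$report = foreach ($dc in $DcVms) {
    $src = @(Get-MirrorAdapter -VMName $dc -Mode 'Source')
    $problem = 'none'
    if ($src.Count -eq 0) {
        $problem = 'not on this host, or no adapter set to Source'
    } elseif (-not ($src | Where-Object { $dest.Switch -contains $_.Switch })) {
        $problem = 'no Source adapter shares a virtual switch with the Destination'
    } elseif (-not ($dest | Where-Object { $_.VlanMode -eq 'Trunk' -or $src.VlanId -contains $_.VlanId })) {
        $problem = 'VLAN differs and the capture adapter is not in Trunk mode'
    }
    [pscustomobject]@{ DC = $dc; Gateway = $GatewayVm; Problem = $problem }
}
$report | Format-Table -AutoSize
```

A missing mode is set with `Set-VMNetworkAdapter -VMName <name> -PortMirroring Source` (or `Destination`); in a cluster, rerun the check after any VM move, since mirroring between these adapters only works while the VMs share a host.
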
  • Hello Andy,

    The ATA gateway and the DCs are both on the same VLAN.
    As for the Lightweight Gateway, I cannot use it in my environment since not all my DCs run on Windows Server 2012.

    Regards,

    Elie

    Friday, February 10, 2017 7:06 AM
  • Hello Elie,

    What's the OS version for Hyper-V host?

    Could you please verify the port mirroring using Net Mon? You can see the guide from the link below.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/validate-port-mirroring

    The OS requirement for ATA Gateway is Windows Server 2012 R2 and Windows Server 2016. Please make sure you have installed the following KB if ATA Gateway is deployed on Windows Server 2012 R2.

    https://support.microsoft.com/kb/2919355/

    You can check by running the following PowerShell cmdlet.

    Get-HotFix -Id kb2919355

    Best regards,

    Andy Liu




    Friday, February 10, 2017 10:08 AM