Meraki

Community

NBAR issues?

NotCisco
Here to help
‎Mar 17 2022 2:59 PM
‎Mar 17 2022 2:59 PM

NBAR issues?

Good afternoon, 

I'm noticing that NBAR, specifically this is the technology that scans packets and classifies what application class its coming from, is falsely flagging traffic as "P2P. The easiest way I tested this was by creating a policy that allows peer-2-peer and so far, I'm having great success. 

 

I guess what I'm wanting to know is if anyone has had issues with enabling Detailed Traffic Analytics vs standard? It's really starting to impair some people's ability to get their work done, random application disconnects, application slowness, etc. I have no problem going back to traditional analytics until support figures this out. This also isn't the first time this issue has happened. 

Thanks

0 Kudos
10 Replies 10
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 17 2022 3:12 PM
‎Mar 17 2022 3:12 PM

I think Meraki had  few issues with NBAR but I am not sure if it is related to your problem. If you think that NBAR is misclassifying your traffic and can be reproduced, it would be a good idea to let Meraki Support know about it and allow them to open a bug report if they don't have one yet. NBAR was introduced with firmware 16.+ so If you want to use the old system, you will need to downgrade your MX to 15.x.

0 Kudos
Inderdeep
Kind of a big deal
Kind of a big deal
‎Mar 17 2022 9:52 PM
‎Mar 17 2022 9:52 PM

@NotCisco : NBAR recognize APPs is a global list which all vendors have, if it is not recognized a specific global app then it may possible the list is not updated on the vendor side(Meraki side). Open a Meraki support case.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
NotCisco
Here to help
‎Mar 18 2022 7:47 AM
‎Mar 18 2022 7:47 AM

Thanks for you input fellas. I have a case open with Meraki but they havent gotten back to me via email just yet. I tried calling in and was on hold for almost an hour. 

 

By disabling traffic analytics, would that stop NBAR or is it just on since 16.x?

0 Kudos
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 18 2022 9:58 AM
‎Mar 18 2022 9:58 AM

Yes, Disabling traffic analytics should disable NBAR because it is a Prerequisite:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Network-Based_Applica...

Jeizzen
Getting noticed
‎Mar 18 2022 11:43 AM
‎Mar 18 2022 11:43 AM

I've encountered this

 

Our customer was blocked to accessing their server

Traffic Analysis running on : 'basic:collect generic traffic categories'

 

Looking at Event logs, there was a 'Statistical P2P' NBAR rule blocking their server access

 

But, if you look in 'All P2P' layer7 Deny rules, 'Statistical P2P' doesn't exists

 

had to open a case, and Meraki answered that it was in fact related to the 'Encrypted P2P' rule

 

So I had to put a Deny on all of the P2P rules, except for Encrypted P2P

 

Because yeah, there is no 'Allow' option for layer 7 rules, which really has to be worked on by Meraki

0 Kudos
In response to Jeizzen
NotCisco
Here to help
‎Mar 18 2022 2:51 PM
‎Mar 18 2022 2:51 PM

This! Beat me to it. I was just about to test individual rules but had no idea what sub-P2P category statistical would fall under. Thanks for the clarification! 

0 Kudos
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 18 2022 11:53 AM
‎Mar 18 2022 11:53 AM

Traffic Analysis needs to be disabled if you don't want to use NBAR. if it is set to either basic or detailed, the MX will still use NBAR. That's a good idea to open a case with support, they have visibility on how the MX categorizes the traffic.

0 Kudos
dade80vr
Getting noticed
‎Mar 22 2022 12:35 AM
‎Mar 22 2022 12:35 AM

Still having problems with Traffic analysis DISABLED and L7 "gaming" activated!

DNS requests are categorized as "XBOX LIVE" 🙄

It's urgent!
NBAR still blocking wrong services..NBAR still blocking wrong services.. 

0 Kudos
dade80vr
Getting noticed
‎Apr 11 2022 11:19 PM
‎Apr 11 2022 11:19 PM

Something is changed in dashboard? NBAR events can no longer be selected

 

 

no NBAR.png

0 Kudos
CW_KeithP
Conversationalist
‎May 9 2022 1:47 AM
‎May 9 2022 1:47 AM

Yeah we've had huge issues with NBAR, in particular misclassifying Unifi management packets and 3CX tunneled voice traffic, so it's prevented remote management of some distant sites Ubnt gear, and causing their phone calls to repeatedly reconnect when using iOS or Windows clients.

 

The solution was to manually update the L7 rules to exclude these false matches, but then 1) there maybe new false matches, 2) that's across dozens of sites we'd have to do this, and 3) then each month when new definitions are added we have to rinse and repeat.

 

The other option at one point, unsure if this works, but turning off advance traffic analytics or something disabled NBAR, however, a lot of our sites actually need this feature.

 

For now we're getting a pile of sites 'pinned' on MX15, and for others that are more critical eg local govt we are replacing the MX with FortiGate's which we've tested not to have this issue.

 

I hope that helps!

-KP

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.