NBAR issues?

NotCisco
Here to help

NBAR issues?

Good afternoon, 

I'm noticing that NBAR, specifically this is the technology that scans packets and classifies what application class its coming from, is falsely flagging traffic as "P2P. The easiest way I tested this was by creating a policy that allows peer-2-peer and so far, I'm having great success. 

 

I guess what I'm wanting to know is if anyone has had issues with enabling Detailed Traffic Analytics vs standard? It's really starting to impair some people's ability to get their work done, random application disconnects, application slowness, etc. I have no problem going back to traditional analytics until support figures this out. This also isn't the first time this issue has happened. 

Thanks

10 Replies 10
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

I think Meraki had  few issues with NBAR but I am not sure if it is related to your problem. If you think that NBAR is misclassifying your traffic and can be reproduced, it would be a good idea to let Meraki Support know about it and allow them to open a bug report if they don't have one yet. NBAR was introduced with firmware 16.+ so If you want to use the old system, you will need to downgrade your MX to 15.x.

Inderdeep
Kind of a big deal
Kind of a big deal

@NotCisco : NBAR recognize APPs is a global list which all vendors have, if it is not recognized a specific global app then it may possible the list is not updated on the vendor side(Meraki side). Open a Meraki support case.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
NotCisco
Here to help

Thanks for you input fellas. I have a case open with Meraki but they havent gotten back to me via email just yet. I tried calling in and was on hold for almost an hour. 

 

By disabling traffic analytics, would that stop NBAR or is it just on since 16.x?

Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Yes, Disabling traffic analytics should disable NBAR because it is a Prerequisite:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Network-Based_Applica...

Jeizzen
Getting noticed

I've encountered this

 

Our customer was blocked to accessing their server

Traffic Analysis running on : 'basic:collect generic traffic categories'

 

Looking at Event logs, there was a 'Statistical P2P' NBAR rule blocking their server access

 

But, if you look in 'All P2P' layer7 Deny rules, 'Statistical P2P' doesn't exists

 

had to open a case, and Meraki answered that it was in fact related to the 'Encrypted P2P' rule

 

So I had to put a Deny on all of the P2P rules, except for Encrypted P2P

 

Because yeah, there is no 'Allow' option for layer 7 rules, which really has to be worked on by Meraki

NotCisco
Here to help

This! Beat me to it. I was just about to test individual rules but had no idea what sub-P2P category statistical would fall under. Thanks for the clarification! 

Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Traffic Analysis needs to be disabled if you don't want to use NBAR. if it is set to either basic or detailed, the MX will still use NBAR. That's a good idea to open a case with support, they have visibility on how the MX categorizes the traffic.

dade80vr
Getting noticed

Still having problems with Traffic analysis DISABLED and L7 "gaming" activated!

DNS requests are categorized as "XBOX LIVE" 🙄

It's urgent!
NBAR still blocking wrong services..NBAR still blocking wrong services.. 

dade80vr
Getting noticed

Something is changed in dashboard? NBAR events can no longer be selected

 

 

no NBAR.png

CW_KeithP
Conversationalist

Yeah we've had huge issues with NBAR, in particular misclassifying Unifi management packets and 3CX tunneled voice traffic, so it's prevented remote management of some distant sites Ubnt gear, and causing their phone calls to repeatedly reconnect when using iOS or Windows clients.

 

The solution was to manually update the L7 rules to exclude these false matches, but then 1) there maybe new false matches, 2) that's across dozens of sites we'd have to do this, and 3) then each month when new definitions are added we have to rinse and repeat.

 

The other option at one point, unsure if this works, but turning off advance traffic analytics or something disabled NBAR, however, a lot of our sites actually need this feature.

 

For now we're getting a pile of sites 'pinned' on MX15, and for others that are more critical eg local govt we are replacing the MX with FortiGate's which we've tested not to have this issue.

 

I hope that helps!

-KP

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels