Good afternoon,
I'm noticing that NBAR, specifically the technology that scans packets and classifies what application class it's coming from, is falsely flagging traffic as "P2P". The easiest way I tested this was by creating a policy that allows peer-2-peer and so far, I'm having great success.
I guess what I'm wanting to know is if anyone has had issues with enabling Detailed Traffic Analytics vs standard? It's really starting to impair some people's ability to get their work done, random application disconnects, application slowness, etc. I have no problem going back to traditional analytics until support figures this out. This also isn't the first time this issue has happened.
Thanks
I think Meraki had a few issues with NBAR but I am not sure if it is related to your problem. If you think that NBAR is misclassifying your traffic and can be reproduced, it would be a good idea to let Meraki Support know about it and allow them to open a bug report if they don't have one yet. NBAR was introduced with firmware 16.+ so if you want to use the old system, you will need to downgrade your MX to 15.x.
@NotCisco : The list of apps NBAR recognizes is a global list which all vendors have; if a specific global app is not recognized, then it may be possible the list is not updated on the vendor side (Meraki side). Open a Meraki support case.
Thanks for your input fellas. I have a case open with Meraki but they haven't gotten back to me via email just yet. I tried calling in and was on hold for almost an hour.
By disabling traffic analytics, would that stop NBAR or is it just on since 16.x?
Yes, disabling traffic analytics should disable NBAR because it is a prerequisite:
I've encountered this
Our customer was blocked from accessing their server
Traffic Analysis running on: 'basic: collect generic traffic categories'
Looking at Event logs, there was a 'Statistical P2P' NBAR rule blocking their server access
But, if you look in 'All P2P' layer 7 Deny rules, 'Statistical P2P' doesn't exist
I had to open a case, and Meraki answered that it was in fact related to the 'Encrypted P2P' rule
So I had to put a Deny on all of the P2P rules, except for Encrypted P2P
Because yeah, there is no 'Allow' option for layer 7 rules, which really has to be worked on by Meraki
This! Beat me to it. I was just about to test individual rules but had no idea what sub-P2P category statistical would fall under. Thanks for the clarification!
Traffic Analysis needs to be disabled if you don't want to use NBAR. If it is set to either basic or detailed, the MX will still use NBAR. It's a good idea to open a case with support; they have visibility on how the MX categorizes the traffic.
Still having problems with Traffic analysis DISABLED and L7 "gaming" activated!
DNS requests are categorized as "XBOX LIVE" 🙄
It's urgent!
Has something changed in the dashboard? NBAR events can no longer be selected
Yeah we've had huge issues with NBAR, in particular misclassifying Unifi management packets and 3CX tunneled voice traffic, so it's prevented remote management of some distant sites' Ubnt gear, and it's causing their phone calls to repeatedly reconnect when using iOS or Windows clients.
The solution was to manually update the L7 rules to exclude these false matches, but then 1) there may be new false matches, 2) that's across dozens of sites we'd have to do this, and 3) then each month when new definitions are added we have to rinse and repeat.
The other option at one point, unsure if this works, but turning off advance traffic analytics or something disabled NBAR, however, a lot of our sites actually need this feature.
For now we're getting a pile of sites 'pinned' on MX15, and for others that are more critical, e.g. local govt, we are replacing the MX with FortiGates, which we've tested not to have this issue.
I hope that helps!
-KP