QRadar: Flows are not detected by using VN-Tag

Troubleshooting

Problem

VN-Tags are an additional extension to VLAN tagging to identify virtual interfaces. While existing VLAN tags are supported by QFlow collectors when monitoring packet traffic, VN-Tags are currently not supported. QRadar QFlow collectors ignore and drop packets marked as VN-Tags.

Symptom

Packet data sent to span ports or taps that are being monitored by IBM QFlow collectors are not recognized and the packet data is simply dropped by QRadar.

Note: The packet data is still likely to show up properly in tcpdump.

Cause

The QRadar Qflow collectors are designed to process normal or VLAN tagged packet data. The VN-Tag adds additional information that is not expected, and thus, the packet data is not recognized or parsed by the QFlow collectors. This effectively causes the packet data to be dropped.

Resolving The Problem

The VN-Tag extension must be disabled on traffic sent to span ports or taps that are being monitored by IBM QFlow collectors.

Where do you find more information?

Related Information

Cisco vnTag explanation

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Flows","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"7.1;7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

QRadar: Flows are not detected by using VN-Tag

Troubleshooting

Problem

Symptom

Cause

Resolving The Problem

Related Information

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?