Troubleshooting NBAR
Overview
This page explains symptoms experienced with the NBAR charts.
Symptom 1. NBAR monitoring showing mainly Unknown Protocols
Cisco Bug CSCty56850
- Symptoms: NBAR analysis shows only unknown protocols or just ftp + http
- See the Cisco Bug Search website for more details (Cisco login required)
- The fix is to change the IOS version to avoid this bug.
Known affected IOS versions |
---|
15.1(3)T1 |
15.1(4)M |
15.1(4)M1 |
15.1(4)M2 |
15.1(4)M3 |
15.1(4)M4 |
15.1(4)M5 |
15.2(2)T |
15.2(3)T1 |
15.2(3)T |
This issue will present in Highlight in the following way:
Symptom 2. NBAR not showing as configured
This is related to setting up NBAR in Highlight. When testing for the interface in the Applications tab for the bearer, if no interfaces are shown as "NBar enabled", the possible causes are:
- The router must have a licence which supports NBAR. You will need the "advipservices" or "data" licence, or alternatively the "appxk9" licence. Use `show license` to check. Licence details are also available from Reporting inventory.
- Some firewall or security feature sets, especially on smaller devices, may not support NBAR or the NBAR MIB.
- NBAR is not configured on the device
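The version check from Symptom 1 and the licence check from Symptom 2 can be run together against saved command output. The following is an added example, not part of Highlight or Cisco tooling; it assumes `show version` text contains a "Version x.y(z)" string and that `show license` text uses "Feature:" and "License State:" lines, and the sample output is constructed.

```python
import re

# Affected releases copied from the table under Symptom 1 (CSCty56850).
AFFECTED = {"15.1(3)T1", "15.1(4)M", "15.1(4)M1", "15.1(4)M2", "15.1(4)M3",
            "15.1(4)M4", "15.1(4)M5", "15.2(2)T", "15.2(3)T1", "15.2(3)T"}
# Licence names from Symptom 2; prefix match is an assumption so that
# a feature shown with a "k9" suffix still counts.
NBAR_LICENCES = ("advipservices", "data", "appxk9")

def ios_version(show_version):
    """Return the release string from 'show version' text, or None."""
    m = re.search(r"\bVersion\s+(\d+\.\d+\([0-9a-z]+\)[A-Za-z0-9]*)", show_version)
    return m.group(1) if m else None

def active_licences(show_license):
    """Return features whose License State starts with 'Active, In Use'."""
    active, feature = set(), None
    for line in show_license.splitlines():
        m = re.search(r"Feature:\s*(\S+)", line)
        if m:
            feature = m.group(1).lower()
            continue
        m = re.search(r"License State:\s*(.+)", line)
        if m and feature and m.group(1).strip().lower().startswith("active, in use"):
            active.add(feature)
    return active

def diagnose(show_version, show_license):
    """Return findings for Symptoms 1 and 2; an empty list means neither applies."""
    findings = []
    ver = ios_version(show_version)
    if ver is None:
        findings.append("IOS version not found")
    elif ver in AFFECTED:  # exact match: 15.1(4)M6 is not in the table
        findings.append(f"{ver} is listed as affected by CSCty56850")
    if not any(f.startswith(NBAR_LICENCES) for f in active_licences(show_license)):
        findings.append("no active advipservices, data or appxk9 licence")
    return findings

# Constructed sample output, not captured from a real device.
SAMPLE_VERSION = "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)"
SAMPLE_LICENSE = """Index 1 Feature: ipbasek9
        License State: Active, In Use
Index 2 Feature: datak9
        License State: Active, Not in Use, EULA not accepted
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_VERSION, SAMPLE_LICENSE):
        print(finding)
```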
Symptom 3. NBAR monitoring showing Inbound Only
A possible cause for this is:
- The device being monitored has only one interface connected (e.g. a newly installed device) and traffic sourced from the router is not reported by NBAR.
Symptom 4. How to Identify Unknown Applications
Sometimes there will be applications which NBAR does not recognise. These applications will be labelled unknown in the display, but with appropriate configuration of the router, better analysis can be achieved.
- For details of how to do this refer to the section identifying unknown applications.