DNAC – unable to provision Stealthwatch – NBAR is enabled

Had some issues with Cisco DNAC and Stealthwatch. After settings up Stealthwatch server and Netflow collector, some of SDA devices were not compatible with Stealthwatch. The reason was: “NBAR is enabled on this device“. In DNA center, NBAR and CBAR was actually disabled, but the problem stil persisted. CBAR and NBAR were previously enabled, but after disabling it, it did not clean all devices. Guess this is a “cleanup” bug in DNA center. Solution was to manually remove ip flow from affected devices.

DNA center version:

Screenshot of affected devices:

Solution: Clear ip flow from all interfaces on affected device, and resync device in DNA center.


conf t
int range gi1/0/1-48,Te1/1/1-4,Gi1/1/1-4
no ip flow monitor dnacmonitor input
no ip flow monitor dnacmonitor output

Go to DNA center, Inventory -> Select device -> Actions -> Inventory -> Resync device

Wait couple of minutes, and you should be able to enable Stealthwatch for this device.

Leave a Reply

Your email address will not be published. Required fields are marked *