Finding Traffic not caught by a Virtual Circuit

Summary

In the occurrence that virtual circuits are not defined by 'Inbound' and 'Outbound' for all hosts, it is possible that there will be traffic not caught by any virtual circuit, displaying a warning on the dashboard.

Overview

While it is more often seen that a virtual circuit's policies are not catching some traffic in the virtual circuit (and thus going into the 'auto catch-all' policy), there is also the possibility for that to happen for the virtual circuits themselves, displaying a message on the dashboard that there has been some traffic that has not been captured by a VC and has fallen into the 'Auto Catch All Virtual Circuit'.

Cause

This can happen when virtual circuits are not defined to be in the 'in' and 'out' direction for all traffic. For example, if Virtual Circuits are defined for specific network objects, allowing for traffic that is on the network that doesn't belong to a defined object to fall into the circuit but not into any of the defined virtual circuits.

Workaround

Create a Virtual Circuit with the lowest priority and have it capture all traffic. This is done through Configuration > Optimizer.

• Click on 'Create New Virtual Circuit'
• Give it a VC Number that is higher than any currently existing virtual circuit
• Give it a bandwidth and other specifications that agree with your environment.
• Under 'Filter Objects':
  • set "VLAN' to ALL
  • don't set anything for Network Object
  • set 'Application' to ALL
  • set 'Direction' to both
• Create the new virtual circuit.

Resolution

If concerned about the type of traffic, it can be determined this is the case by looking at Real Time Monitoring and enabling the 'Show Policies' button. Any traffic that is currently falling into the 'Auto Catch All' virtual circuit will be displayed as "Auto Catch All: Auto-Catch All". If there is currently no traffic going into the auto catch all virtual circuit, there is information in the monitoring section for historical data by looking at hosts, applications (Monitoring > Hosts, Monitoring > Applications), or whatever the virtual circuit is defined by, in order to find the traffic that is not matching any virtual circuits.

Once the traffic has been identified, creating a virtual circuit to specifically catch this traffic (or amending your currently existing virtual circuits) will stop this warning.