Solved

Netflow not working properly

Posted on 2010-08-19
Last Modified: 2012-05-10
We have a network with a number of remote sites all linked back to our HQ via site to site VPNs.

We wish to start monitoring the traffic being used at each site with a view to a network upgrade.   We are using netflow to assist.

We have configured several of the remote routers now (all Cisco 877's) and they appear to be sending netflow when the commands "show ip flow export" and "show ip cache flow" are used.

The problem is the netflow only sends to server there when a router is re-booted, i.e. the 877 reports it is sending netflow constantly, but the server will only receive once - that is as soon as the router starts up?

This would suggest the network is OK to receive Netflow, it seems as though the 877 is just not sending.

Can anyone help ?
0
Question by:stemc
22 Comments
 
LVL 14

Accepted Solution

by:
anoopkmr earned 500 total points
ID: 33475049
did u configure the netflow properly in 877 , I know you would have configured, just to double check

for eg ;

conf t
(config)#ip flow-export destination <netflow  monitor ip > 2048
(config)#ip flow-export source FastEthernet0/0
(config)#ip flow-export version 5
(config)#end

Verify your source-interface and destination ip/port and change accordingly. After that your router will export netflow-data to your collector/analyzer software


also did u enable it under interface
ip route-cache flow
0
 

Author Comment

by:stemc
ID: 33475334
Thanks for the response anoopkmr.  The config is in place as above, we are trialling solar winds so the port  it uses is 2055.  

The frustrating thing is it does send the once as router boots up, then never again until next re-boot.

Thanks again
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 500 total points
ID: 33475400
can u try like this

Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
0
 

Author Comment

by:stemc
ID: 33475546
Cheers ... Just applied but still no netflow coming through ...

Something that may shed some light.  On the 877's we are using Vlans and I have to apply my netflow config on the Vlans rather than FE ports , config is :

interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 102
!
interface FastEthernet3
 switchport access vlan 192
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.218.80.1 255.255.255.128
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan101
 ip address 10.218.80.225 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan102
 ip address 10.218.80.241 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan192
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33475643


the above config showing int vlan with ip route-cache flow

can u change it to "ip flow ingress"

0
 

Author Comment

by:stemc
ID: 33476469
OK, just to confirm on Vlans I have issued commands

no ip route-cache flow
ip flow ingress


Leaving config like this :

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.218.80.1 255.255.255.128
ip flow ingress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan101
ip address 10.218.80.225 255.255.255.240
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan102
ip address 10.218.80.241 255.255.255.240
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan192
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
 
-----------------
 
I'm still seeing no data come through to collection server ?

Thanks again
 
 
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 500 total points
ID: 33476600
can u just show me  after clear  the flows


clear ip flow stats
 
show ip cache flow
 
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33476609
can u able to reach the netflow monitor using the source IP of the flow
0
 

Author Comment

by:stemc
ID: 33479907
Hi anoopkmr, I have done the above suggestions, I captured the results in a log file for you to see (attached).  Thanks very much
netflow.txt
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 500 total points
ID: 33482418
ok packets displaying in the netflow cache.
can u give the output of "show ip flow export"
also
0
 

Author Comment

by:stemc
ID: 33482782
Hi anoopkmr, the log file is attached, thanks
sh-ip-fl-exp.txt
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33483428
18937 flows exported in 2856 udp datagrams

i can see flows are exporting ? is there anything blocking it from reaching the netflow monitor , any fw in  between
0
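
A collector-side check for the situation in this thread, where the router's counters show export datagrams leaving but the server receives nothing: this is an added example, not code from any poster, that parses NetFlow v5 export datagrams (the version configured above) and uses the header's flow_sequence counter to count flows lost between exporter and collector. The datagrams and host addresses are constructed sample input.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into (header, flows)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, secs, _, seq, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "octets": f[6], "dport": f[10], "proto": f[12]})
    return {"count": count, "flow_sequence": seq, "unix_secs": secs}, flows

class LossTracker:
    """Per-exporter count of flows exported but never received."""
    def __init__(self):
        self.expected, self.missed = {}, {}

    def update(self, exporter, header):
        nxt = self.expected.get(exporter)
        if nxt is not None:
            gap = (header["flow_sequence"] - nxt) % 2**32
            if gap < 2**31:      # larger "gaps" mean a reboot or reordering, not loss
                self.missed[exporter] = self.missed.get(exporter, 0) + gap
        self.expected[exporter] = (header["flow_sequence"] + header["count"]) % 2**32
        return self.missed.get(exporter, 0)

def sample_datagram(seq, count):
    """Constructed test input: `count` identical TCP/443 flow records."""
    rec = RECORD.pack(socket.inet_aton("10.218.80.10"), socket.inet_aton("192.0.2.7"),
                      bytes(4), 1, 2, 10, 4200, 0, 0, 51000, 443, 0x18, 6, 0, 0, 0, 25, 0)
    return HEADER.pack(5, count, 0, 1282200000, 0, seq, 0, 0, 0) + rec * count

def demo():
    """Feed constructed datagrams; the middle one (flows 2..4) never arrives."""
    tracker, lost = LossTracker(), 0
    for seq, count in [(0, 2), (5, 1)]:      # datagram (seq 2, 3 flows) was dropped
        header, _ = parse_v5(sample_datagram(seq, count))
        lost = tracker.update("10.218.80.1", header)
    return lost

if __name__ == "__main__":
    print("flows missed:", demo())
```

On a live collector the same two functions would be fed from a UDP socket bound to the export port, keyed by the sender address of each datagram.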
 

Author Comment

by:stemc
ID: 33483576
There is an ASA at head office that everything has to pass through, I'm assuming this is all OK because when a router is first booted the flow is sent through to the server and then never again until next re-boot.

I'm beginning to think it is a prob with the 877 series router ?
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 500 total points
ID: 33483909
before concluding that,
if possible  can  you place the netflow monitor server in vlan1 and see updates are coming or not ?
0
 

Author Comment

by:stemc
ID: 33484683
Not entirely sure what you mean by "place the netflow monitor server in vlan1".  The server is physically on a different site than the router.

If you mean to add some config, please advise the config needed,

many thanks
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33485288
i mean physically move the server to vlan 1, I know it will be tough

otherwise try with a different IOS version
0
 

Author Comment

by:stemc
ID: 33485363
OK I see, I'll have a look at getting the software on a laptop and taken to site - leave it with me a few days, will let you know how it goes ....

Thanks again,

Ian
0
 

Author Comment

by:stemc
ID: 33532812
Hi anoopkmr,

We took the software to site and it worked, so ....

We investigated the problem at network level and it is Netflow itself that's the problem. It can't be encapsulated over a VPN. To overcome this Cisco developed and updated a new version of Netflow this year, it's called Flexible Netflow.

0
 

Author Closing Comment

by:stemc
ID: 33532878
With all the guidance from anoopkmr we eventually narrowed the problem down to get a solution
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33532896
ok thanks for the gr8 information .  so your netflow monitor was in remote area connected via VPN and after u brought the monitor server to local lan , problem solved . am i  right or not ?

0
 

Author Comment

by:stemc
ID: 33532944
Yes we have all our sites connected back to head office via IPSEC VPN, the Netflow server is at HQ and all the routers we want to monitor are at remote sites.   On your advice we took a laptop with the netflow capture to one of the remote sites and it worked when plugged in to the same switch as router.

Thanks again
0
 

Author Comment

by:stemc
ID: 33541769
The solution to this problem is having a flexible netflow configured. Again I have the Cisco guidelines. The problem now is some of the commands like flow monitor, flow record are not available. Any guidance to configure flexible netflow will be appreciated
0
