Solved

Netflow not working properly

Posted on 2010-08-19
Last Modified: 2012-05-10
We have a network with a number of remote sites all linked back to our HQ via site-to-site VPNs.

We wish to start monitoring the traffic being used at each site with a view to a network upgrade. We are using netflow to assist.

We have configured several of the remote routers now (all Cisco 877s) and they appear to be sending netflow when the commands "show ip flow export" and "show ip cache flow" are used.

The problem is the netflow is only sent to the server when a router is re-booted, i.e. the 877 reports it is sending netflow constantly, but the server will only receive once - that is, as soon as the router starts up.

This would suggest the network is OK to receive Netflow; it seems as though the 877 is just not sending.

Can anyone help ?
Question by:stemc
22 Comments
 
LVL 14

Accepted Solution

by:
anoopkmr earned 250 total points
ID: 33475049
Did u configure the netflow properly on the 877? I know you would have configured it, just to double check.

e.g.:

conf t
(config)#ip flow-export destination <netflow monitor ip> 2048
(config)#ip flow-export source FastEthernet0/0
(config)#ip flow-export version 5
(config)#end

Verify your source-interface and destination ip/port and change accordingly. After that your router will export netflow-data to your collector/analyzer software.


Also, did u enable it under the interface?
ip route-cache flow
0
 

Author Comment

by:stemc
ID: 33475334
Thanks for the response anoopkmr.  The config is in place as above, we are trialling solar winds so the port  it uses is 2055.  

The frustrating thing is it does send the once as the router boots up, then never again until the next re-boot.

Thanks again
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33475400
can u try like this

Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
0

 

Author Comment

by:stemc
ID: 33475546
Cheers ... Just applied but still no netflow coming through ...

Something that may shed some light.  On the 877's we are using Vlans and I have to apply my netflow config on the Vlans rather than FE ports , config is :

interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 102
!
interface FastEthernet3
 switchport access vlan 192
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.218.80.1 255.255.255.128
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan101
 ip address 10.218.80.225 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan102
 ip address 10.218.80.241 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan192
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33475643


The above config is showing int vlan with ip route-cache flow.

Can u change it to "ip flow ingress"?

0
 

Author Comment

by:stemc
ID: 33476469
OK, just to confirm, on the Vlans I have issued the commands

no ip route-cache flow
ip flow ingress


Leaving the config like this:

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.218.80.1 255.255.255.128
ip flow ingress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan101
ip address 10.218.80.225 255.255.255.240
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan102
ip address 10.218.80.241 255.255.255.240
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan192
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
 
-----------------
 
I'm still seeing no data come through to collection server ?

Thanks again
 
 
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33476600
can u just show me after clearing the flows


clear ip flow stats
 
show ip cache flow
 
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33476609
are u able to reach the netflow monitor using the source IP of the flow?
0
 

Author Comment

by:stemc
ID: 33479907
Hi anoopkmr, I have done the above suggestions, I captured the results in a log file for you to see (attached).  Thanks very much
netflow.txt
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33482418
ok, packets are displaying in the netflow cache.
can u give the output of "show ip flow export"
also
0
 

Author Comment

by:stemc
ID: 33482782
Hi anoopkmr, the log file is attached, thanks
sh-ip-fl-exp.txt
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33483428
18937 flows exported in 2856 udp datagrams

I can see flows are exporting. Is there anything blocking it from reaching the netflow monitor, any fw in between?
0
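A collector-side check for the situation described above, where the router counts exported datagrams but the server shows nothing (added example, not part of the original thread and not code from any participant). It decodes NetFlow v5 datagrams on UDP 2055, the collector port mentioned earlier, and uses the header's flow_sequence field to count flows that were exported but never arrived; the function and class names and the sample addresses are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes

def parse_v5(datagram):
    """Decode one v5 export datagram into (header dict, list of flow dicts)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: header claims %d flows" % count)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "octets": f[6], "proto": f[13]})
    return {"count": count, "flow_sequence": seq}, flows

class ExportTracker:
    """Per exporter, count flows the router exported that never arrived."""
    def __init__(self):
        self.expected = {}
    def observe(self, exporter, header):
        nxt = self.expected.get(exporter)
        missed = 0 if nxt is None else (header["flow_sequence"] - nxt) % 2**32
        self.expected[exporter] = (header["flow_sequence"] + header["count"]) % 2**32
        return missed

def sample_datagram(seq, n):
    """Constructed test input: a v5 datagram carrying n identical UDP flows."""
    rec = RECORD.pack(socket.inet_aton("10.218.80.5"), socket.inet_aton("192.0.2.10"),
                      bytes(4), 1, 2, 10, 840, 0, 0, 1025, 53, 0, 0, 17, 0, 0, 0, 25, 24, 0)
    return HEADER.pack(5, n, 0, 0, 0, seq, 0, 0, 0) + rec * n

def listen(port=2055):
    """Print one line per received export; blocks until interrupted."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    tracker = ExportTracker()
    while True:
        data, (ip, _) = sock.recvfrom(65535)
        header, _ = parse_v5(data)
        print(ip, header, "flows missed since last datagram:", tracker.observe(ip, header))

if __name__ == "__main__":
    listen()
```

A large "missed" figure on the first datagram seen after a gap means the router kept exporting while nothing reached the collector, which points at the path between them rather than at the flow cache.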
 

Author Comment

by:stemc
ID: 33483576
There is an ASA at head office that everything has to pass through, I'm assuming this is all OK because when a router is first booted the flow is sent through to the server and then never again until the next re-boot.

I'm beginning to think it is a prob with the 877 series router ?
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33483909
before concluding that,
if possible, can you place the netflow monitor server in vlan1 and see whether updates are coming or not?
0
 

Author Comment

by:stemc
ID: 33484683
Not entirely sure what you mean by "place the netflow monitor server in vlan1".  The server is physically on a different site than the router.

If you mean to add some config, please advise the config needed,

many thanks
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33485288
i mean physically move the server to vlan 1, I know it will be tough

otherwise try with a different IOS version
0
 

Author Comment

by:stemc
ID: 33485363
OK I see, I'll have a look at getting the software on a laptop and taken to site - leave it with me a few days, will let you know how it goes ....

Thanks again,

Ian
0
 

Author Comment

by:stemc
ID: 33532812
Hi anoopkmr,

We took the software to site and it worked, so ....

We investigated the problem at network level and it is Netflow itself that's the problem. It can't be encapsulated over a VPN. To overcome this Cisco developed and updated a new version of Netflow this year, it's called Flexible Netflow.

0
 

Author Closing Comment

by:stemc
ID: 33532878
With all the guidance from anoopkmr we eventually narrowed the problem down to get a solution
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33532896
ok thanks for the gr8 information. So your netflow monitor was in a remote area connected via VPN, and after u brought the monitor server to the local LAN, problem solved. Am I right or not?

0
 

Author Comment

by:stemc
ID: 33532944
Yes we have all our sites connected back to head office via IPSEC VPN, the Netflow server is at HQ and all the routers we want to monitor are at remote sites.   On your advice we took a laptop with the netflow capture to one of the remote sites and it worked when plugged in to the same switch as router.

Thanks again
0
 

Author Comment

by:stemc
ID: 33541769
The solution to this problem is having Flexible Netflow configured. Again, I have the Cisco guidelines. The problem now is some of the commands like flow monitor, flow record are not available. Any guidance to configure Flexible Netflow will be appreciated.
0
