Solved

Netflow not working properly

Posted on 2010-08-19
Last Modified: 2012-05-10
We have a network with a number of remote sites all linked back to our HQ via site to site VPNs.

We wish to start monitoring the traffic being used at each site with a view to a network upgrade. We are using netflow to assist.

We have configured several of the remote routers now (all Cisco 877s) and they appear to be sending netflow when the commands "show ip flow export" and "show ip cache flow" are used.

The problem is the netflow only sends to the server when a router is re-booted, i.e. the 877 reports it is sending netflow constantly, but the server will only receive once - that is, as soon as the router starts up?

This would suggest the network is OK to receive Netflow, it seems as though the 877 is just not sending.

Can anyone help ?
0
Question by:stemc
 
LVL 14

Accepted Solution

by:
anoopkmr earned 250 total points
ID: 33475049
did u configure the netflow properly in 877 , I know you would have configured, just to double check

for eg ;

conf t
(config)#ip flow-export destination <netflow  monitor ip > 2048
(config)#ip flow-export source FastEthernet0/0
(config)#ip flow-export version 5
(config)#end

Verify your source-interface and destination ip/port and change accordingly. After that your router will export netflow-data to your collector/analyzer software


also did u enable it under interface
ip route-cache flow
0
 

Author Comment

by:stemc
ID: 33475334
Thanks for the response anoopkmr.  The config is in place as above, we are trialling solar winds so the port  it uses is 2055.  

The frustrating thing is it does send the once as router boots up, then never again until next re-boot.

Thanks again
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33475400
can u try like this

Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
0
 

Author Comment

by:stemc
ID: 33475546
Cheers ... Just applied but still no netflow coming through ...

Something that may shed some light.  On the 877's we are using Vlans and I have to apply my netflow config on the Vlans rather than FE ports , config is :

interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 102
!
interface FastEthernet3
 switchport access vlan 192
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.218.80.1 255.255.255.128
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan101
 ip address 10.218.80.225 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan102
 ip address 10.218.80.241 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan192
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33475643


the above config showing int vlan with ip route-cache flow

can u change it to" ip flow ingress"

0
 

Author Comment

by:stemc
ID: 33476469
OK, just to confirm on Vlans I have issued commands

no ip route-cache flow
ip flow ingress


Leaving config like this :

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.218.80.1 255.255.255.128
ip flow ingress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan101
ip address 10.218.80.225 255.255.255.240
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan102
ip address 10.218.80.241 255.255.255.240
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan192
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
 
-----------------
 
I'm still seeing no data come through to collection server ?

Thanks again
 
 
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33476600
can u just show me  after clear  the flows


clear ip flow stats
 
show ip cache flow
 
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33476609
can u able to reach the netflow monitor using the source IP of the flow
0
 

Author Comment

by:stemc
ID: 33479907
Hi anoopkmr, I have done the above suggestions, I captured the results in a log file for you to see (attached).  Thanks very much
netflow.txt
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33482418
ok packets displaying in the netflow cache.
can u give the output of "show ip flow export"
also
0
 

Author Comment

by:stemc
ID: 33482782
Hi anoopkmr, the log file is attached, thanks
sh-ip-fl-exp.txt
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33483428
18937 flows exported in 2856 udp datagrams

i can see flows are exporting ? is there anything blocking it from reaching the netflow monitor , any fw in  between
0
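An added example, not part of any post in this thread: a collector-side check for the situation discussed above, where the router's counters say flows are exported but it is unclear what reaches the monitor. It parses NetFlow v5 export datagrams (the version configured earlier in the thread) and uses the header's flow_sequence field to count flows that were exported but never arrived. The function names and the sample flows are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return (flow_sequence, [flow dicts]) for one NetFlow v5 export datagram."""
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return seq, flows

def missing_flows(datagrams):
    """Count flows the exporter sent but the collector never saw.

    In v5, flow_sequence is the running total of flows exported so far, so
    each datagram should start where the previous one ended."""
    missing, expected = 0, None
    for d in datagrams:
        seq, flows = parse_v5(d)
        if expected is not None and seq > expected:
            missing += seq - expected
        expected = seq + len(flows)
    return missing

def build_v5(seq, flows):
    """Constructed stand-in for a router: pack flow tuples into a v5 datagram."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    for src, dst, pkts, octs, sport, dport, proto in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                           0, 0, pkts, octs, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
    return out

# Constructed sample flows (addresses are illustrative only).
SAMPLE = [("10.218.80.10", "192.0.2.20", 12, 3400, 51515, 443, 6),
          ("10.218.80.11", "192.0.2.53", 1, 76, 40000, 53, 17)]
FIRST, SECOND, THIRD = build_v5(0, SAMPLE), build_v5(2, SAMPLE[:1]), build_v5(3, SAMPLE)

if __name__ == "__main__":
    print(parse_v5(FIRST)[1][0], missing_flows([FIRST, THIRD]))
```

On a live collector the datagrams would come from a UDP socket bound to the export port (2055 in this thread), and the result can be compared against the "flows exported" counter in "show ip flow export".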
 

Author Comment

by:stemc
ID: 33483576
There is an ASA at head office that everything has to pass through, I'm assuming this is all OK because when a router is first booted the flow is sent through to the server and then never again until next re-boot.

I'm beginning to think it is a prob with the 877 series router ?
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33483909
before concluding that,
if possible can you place the netflow monitor server in vlan1 and see updates are coming or not ?
0
 

Author Comment

by:stemc
ID: 33484683
Not entirely sure what you mean by "place the netflow monitor server in vlan1".  The server is physically on a different site than the router.

If you mean to add some config, please advise the config needed,

many thanks
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33485288
i mean physically move the server to vlan 1, I know it will be tough

otherwise try with a different IOS version
0
 

Author Comment

by:stemc
ID: 33485363
OK I see, I'll have a look at getting the software on a laptop and taken to site - leave it with me a few days, will let you know how it goes ....

Thanks again,

Ian
0
 

Author Comment

by:stemc
ID: 33532812
Hi anoopkmr,

We took the software to site and it worked, so ....

We investigated the problem at network level and it is Netflow itself that's the problem. It can't be encapsulated over a VPN. To overcome this Cisco developed and updated a new version of Netflow this year, it's called Flexible Netflow.

0
 

Author Closing Comment

by:stemc
ID: 33532878
With all the guidance from anoopkmr we eventually narrowed the problem down to get a solution
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33532896
ok thanks for the gr8 information. so your netflow monitor was in remote area connected via VPN and after u brought the monitor server to local lan, problem solved. am i right or not ?

0
 

Author Comment

by:stemc
ID: 33532944
Yes we have all our sites connected back to head office via IPSEC VPN, the Netflow server is at HQ and all the routers we want to monitor are at remote sites.   On your advice we took a laptop with the netflow capture to one of the remote sites and it worked when plugged in to the same switch as router.

Thanks again
0
 

Author Comment

by:stemc
ID: 33541769
The solution to this problem is having a flexible netflow configured. again i have the cisco guidelines. the problem now is some of the commands like flow monitor, flow record are not available. any guidance to configure flexible netflow will be appreciated
0
