cpatte7372
asked on
Cisco Netflow Export Question
Hello Experts,
We're having a problem getting our router to export Netflow information to our Solarwinds server.
The server ip addresses are 10.44.108.168 and 10.44.108.68.
We've tried everything we can imagine but we still can't get the router to export netflow data.
I wonder if you guys/girls can help?
I have attached our router configuration
Cheers
Carlton
ASKER
Jordan
They're stated as:
ip flow-export destination 10.44.108.68 2055
ip flow-export destination 10.44.108.168 2055
I know I searched the document for those. Must still be sleepy. I'll keep digging for ya though.
ASKER
Thanks Jordan
ASKER
Experts,
Can anyone else take a look at this?
Cheers
Did you add the appropriate flow commands on the interface that you are collecting netflow data from?
ip flow ingress - for ingress netflow collection
global configuration
ip flow-export version 5 - netflow version information
Can you route to the destination? Can the destination route to the router?
harbor235 ;}
ASKER
Harbour,
Thanks for responding.
The attached configs show that I have added ip flow ingress on the interface.
Also the configs should also show that I have added ip flow-export version 5
ASKER
Harbor,
I can route to the server - the only information that won't be exported is Netflow data.
Regards
ASKER
Hello Experts,
For some reason the attached configs appear to have disappeared...
Reattached
13-29-33--IPC-MapleCross-10.44.1.txt
Can you show the route table for this router, as well as the config and route table for the other router(s) connected via the Fa1/0 interface that you have OSPF running on?
ASKER
Jordan,
There is a route to 10.44.108.168 and 10.44.108.68 in the table....
Verify your router is collecting netflow:
show ip cache flow
Verify your router is exporting flow data: (look for flows exported)
show ip flow export
If this all looks good then it's your flow collector config; verify Solarwinds is listening on port 2055, then verify your Windows firewall allows traffic on udp port 2055.
harbor235 ;-}
ASKER
Hi Harbor
IPC_MapleCross#show ip cache flow
IP packet size distribution (27660M total packets):
 1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
 .000 .399 .076 .050 .035 .017 .023 .013 .007 .005 .005 .005 .004 .002 .002
  512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
 .002 .002 .002 .016 .329 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
16865 active, 48671 inactive, 1839326694 added
2294894995 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 664200 bytes
16871 active, 15897 inactive, 1839322903 added, 1839322903 added to flow
0 alloc failures, 0 force free
2 chunks, 307 chunks added
last clearing of statistics never
Protocol         Total  Flows Packets Bytes Packets Active(Sec) Idle(Sec)
--------         Flows   /Sec   /Flow  /Pkt    /Sec       /Flow     /Flow
TCP-Telnet      278071    0.0      81   152     5.2        30.3      14.2
TCP-FTP          13998    0.0       3    49     0.0         1.5      18.7
TCP-FTPD          2820    0.0    2043   942     1.3        10.8      16.3
TCP-WWW       45796670   10.6      24   357   263.5         3.0      15.1
TCP-SMTP        822288    0.1      76  1329    14.5         0.7       8.2
TCP-X             1499    0.0      22   705     0.0         0.3       2.7
TCP-BGP         332540    0.0      13    49     1.0        60.6       1.2
TCP-NNTP          1170    0.0       1    41     0.0         0.0       3.2
TCP-other   1255126070  292.2      16   624  4935.7         2.4      17.7
UDP-DNS      135874605   31.6       1    72    33.0         0.0      21.5
UDP-NTP        7366535    1.7       1    78     2.1         3.6      17.3
UDP-TFTP          1355    0.0       1    54     0.0         0.3      19.9
UDP-Frag      12082288    2.8       3   853    10.1         4.6      16.6
UDP-other    334213366   77.8       7   322   595.2         5.2      18.9
ICMP          26789346    6.2       3    86    23.5         1.8      17.9
GRE           20589717    4.7     115   328   554.2        34.8       8.9
IP-other         17491    0.0      36   171     0.1        11.5      18.7
Total:      1839309829  428.2      15   556  6440.0         3.1      18.1
SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP  Pkts
Fa1/0     10.50.98.31     Fa0/0.195 10.45.92.39     06 13C5 D6F8     6
Fa1/0     172.17.41.7     Fa0/0.195 10.45.94.68     06 1F90 D03E     3
Fa1/0     172.17.41.7     Fa0/0.195 10.45.94.68     06 1F90 D03D     3
Fa0/0.196 172.27.40.74    Fa1/1     10.50.83.11     06 C81F 0087     2
Fa1/0     10.44.108.253   Fa0/0.195 10.45.94.76     11 0035 DC7B     1
Fa1/0     172.17.41.8     Fa0/0.195 172.25.137.203  06 1F90 EA87     3
Fa1/0     10.44.108.253   Fa0/0.195 10.45.71.192    11 0035 C7FA     1
IPC_MapleCross#show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.44.108.68 (2055) 10.44.108.168 (2055)
Exporting using source interface FastEthernet1/0
Version 5 flow records
3074650507 flows exported in 102488727 udp datagrams
0 flows failed due to lack of export packet
102488726 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
IPC_MapleCross#
Cheers
Right, so the router is configured properly, collecting netflow and exporting netflow records to the flow collectors.
From the above output - Exporting flows to 10.44.108.68 (2055) 10.44.108.168 (2055)
So now I would verify the Solarwinds configuration and your server that Solarwinds is installed on. The router is fine, like I stated earlier; the problem is likely the following, now that we know it's not the router:
1) Is the Solarwinds Netflow module installed and running?
2) Netflow is an add-on software package and license pack; did you purchase Netflow?
3) Does the Windows firewall allow connections from 10.44.108.68 and 10.44.108.168 to udp port 2055 on the Solarwinds box?
4) Is Solarwinds Netflow configured properly?
5) To verify Netflow records are getting to the server, install Wireshark and capture packets destined to the Solarwinds server IP and udp port 2055.
Let me know what you find,
harbor235 ;}
Also verify that your Solarwinds Netflow configuration is configured for Netflow version 5, that's the version you have configured.
harbor235 ;-}
ASKER
Harbor,
I'm going to check Solarwinds as you've suggested. However, we have a number of devices reporting netflow data to same Solarwinds server.
cpatte7372,
I understand; however, the router is reporting exporting data to the IPs:
Exporting flows to 10.44.108.68 (2055) 10.44.108.168 (2055) on udp port 2055
So it's either the packets are not getting to the server, which can be verified via Wireshark, the port is wrong, or the server is not configured properly.
How many devices do you have set up on SWs? There may be a limit?
harbor235 ;}
Also,
In your Solarwinds netflow config, do you have the following enabled:
Enable automatic addition of NetFlow sources
Allow monitoring of flows from unmanaged interfaces.
If you do not, then you will have to add that router manually as a valid source and as a managed device and managed interface.
harbor235 ;}
ASKER
Harbor,
Thanks again for responding.
To be honest I don't think the issue is with Solarwinds.
I think the problem is to do with udp flows being blocked via the vrf called SKANSKA.
lol, I have not looked at your config until now. So the netflow export is happening via VRF SKANSKA. Netflow is using the interface f1/0 as the source, with IP 10.44.113.5/26; this network does not have a network statement in your BGP config. So I assume the Solarwinds server is on an internal network?
I do not see 10.44.113.0/26 in your BGP-OSPF route-map, so that network is also not being advertised into vrf SKANSKA via OSPF, and there are no statics for this network. It does not matter, since this is udp and as long as we have a route to it we are fine.
What does the following display?
show ip route vrf SKANSKA 10.44.108.68
show ip route vrf SKANSKA 10.44.108.168
I also see this:
ip access-list extended vrf-SKANSKA-netflow
 permit udp host 172.105.30.65 host 10.44.96.137 eq 9996
 permit udp host 10.44.108.168 any
 permit udp host 10.44.108.68 any
which is activated via
route-map vrf-SKANSKA-netflow permit 10
 match ip address vrf-SKANSKA-netflow
 set interface FastEthernet1/0
and this - ip local policy route-map vrf-SKANSKA-netflow
But, "ip local policy" is a command to police traffic generated by the router, not incoming.
http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfindp1.html#wp1017871
Can you post the output of the following:
show access-list vrf-SKANSKA-netflow (looking for hits on the ACL)
Add the following lines to the config to see if it works:
ip access-list extended vrf-SKANSKA-netflow
 permit udp host 172.105.30.65 host 10.44.96.137 eq 9996
 permit udp host 10.44.108.168 any
 permit udp host 10.44.108.68 any
 permit udp any host 10.44.108.168
 permit udp any host 10.44.108.68
harbor235 ;}
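To see what the two extra `permit udp any host ...` lines change, the following added example (not part of the thread) runs a first-match evaluation of both versions of the ACL against a router-originated export packet. The matcher is a simplified sketch that handles only the `host`/`any` forms and a destination `eq` used in this ACL; the export source 10.44.113.5 and UDP port 2055 are the values quoted in the thread.

```python
import ipaddress

def parse_ace(line):
    """Parse 'permit|deny udp <src> <dst> [eq <dport>]', addresses as 'host A.B.C.D' or 'any'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take_addr():
        word = rest.pop(0)
        if word == "any":
            return None
        if word != "host":
            raise ValueError("only 'host' and 'any' are handled in this sketch")
        return ipaddress.ip_address(rest.pop(0))
    src, dst = take_addr(), take_addr()
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def first_match(acl, src, dst, dport, proto="udp"):
    """Return (action, entry) for the first matching line; the ACL ends in an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, a_proto, a_src, a_dst, a_dport = parse_ace(line)
        if (a_proto == proto and a_src in (None, src) and a_dst in (None, dst)
                and a_dport in (None, dport)):
            return action, line
    return "deny", "implicit deny"

# ACL as quoted from the router config in the thread
ORIGINAL = [
    "permit udp host 172.105.30.65 host 10.44.96.137 eq 9996",
    "permit udp host 10.44.108.168 any",
    "permit udp host 10.44.108.68 any",
]
# ACL with the two lines suggested in the post above
AMENDED = ORIGINAL + [
    "permit udp any host 10.44.108.168",
    "permit udp any host 10.44.108.68",
]
EXPORT_SRC = "10.44.113.5"                      # Fa1/0 address quoted in the thread
COLLECTORS = ["10.44.108.68", "10.44.108.168"]  # export destinations, UDP 2055

def export_matches(acl):
    """Action the ACL yields for an export datagram sent to each collector."""
    return {c: first_match(acl, EXPORT_SRC, c, 2055)[0] for c in COLLECTORS}

if __name__ == "__main__":
    print("original:", export_matches(ORIGINAL))
    print("amended: ", export_matches(AMENDED))
```

With the original entries the collectors appear only as sources, so the export datagrams never match the route-map's ACL; with the amended list they do.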
ASKER
Harbor,
Thanks for your help. We have concluded that the problem was the IOS version not allowing traffic to be exported via vrf.
The minimum code requirement is 12.4. We're running 12.1
Regards
ASKER
Excellent effort
ip flow-export destination 10.44.108.168 2055
ip flow-export destination 10.44.108.68 2055
Adding these should help get flow information going to your workstations.