Cisco Switch 3850, and problem with FlexFlow, date 1970-01-01

Nedeljko Scepanovic · ‎12-04-2014

Hi, as you can read in title, I have problem with Cisco Switch 3850, and Nagios NA (netflow) I try with nfdump, and I saw, bad date, and time, I do not know how to fix that, I try something, but, without any improving...:(

root@localhost 3850]# nfdump -r nfcapd.201412041035
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
1970-01-01 01:00:00.000 0.000 UDP 10.145.192.18:123 -> 10.250.72.44:123 1 100 1
1970-01-01 01:00:00.000 0.000 TCP 10.193.1.230:80 -> 10.250.72.36:57205 1 50 1
1970-01-01 01:00:00.000 0.000 TCP 10.250.68.46:445 -> 10.250.72.31:52423 317 67461 1
1970-01-01 01:00:00.000 0.000 TCP 10.145.192.19:445 -> 10.250.72.71:59686 9 1835 1
1970-01-01 01:00:00.000 0.000 TCP 10.x.x.x:5061 -> 10.250.72.33:63912 3 548 1
1970-01-01 01:00:00.000 0.000 TCP 173.xxx.xxx.65:80 -> 10.250.72.41:62692 6 330 1

I try this, ....grrr

https://supportforums.cisco.com/document/24156/router-log-timestamp-entries-are-different-system-clock-when-ntp-configure

Any help?

This is configuration, from switch 3580

flow record NAGIOS
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
!
flow exporter NAGIOS
destination 10.250.72.111
source Vlan 68
transport udp 9996
template data timeout 60
!
flow monitor NAGIOS
exporter NAGIOS
cache timeout active 60
record NAGIOS
vlan configuration 68
ip flow monitor NAGIOS input

CCNA R&S, CCNA Security

Marvin Rhoads · ‎12-04-2014

Can you check on the switch to see what it thinks the timestamps are?

For example:

show flow monitor NAGIOS cache sort highest counter packets

Nedeljko Scepanovic · ‎12-05-2014

This is output....

3850_P1_ZA#show flow monitor NAGIOS cache sort highest counter packets l
3850_P1_ZA#show flow monitor NAGIOS cache sort highest counter packets long
Processed 8442 flows
Aggregated to 8442 flows
Showing the top 20 flows

IPV4 SOURCE ADDRESS: 10.216.0.7
IPV4 DESTINATION ADDRESS: 10.250.72.87
TRNS SOURCE PORT: 8080
TRNS DESTINATION PORT: 51919
INTERFACE INPUT: Gi1/0/14
IP TOS: 0x30
IP PROTOCOL: 6
interface output: LIIN0
counter bytes long: 14785874
counter packets long: 9832
timestamp abs first: 06:52:38.828
timestamp abs last: 06:53:07.828

IPV4 SOURCE ADDRESS: 69.64.57.45
IPV4 DESTINATION ADDRESS: 10.250.72.38
TRNS SOURCE PORT: 80
TRNS DESTINATION PORT: 51791
INTERFACE INPUT: Gi1/0/14
IP TOS: 0x48
IP PROTOCOL: 6
interface output: LIIN0
counter bytes long: 10765150
counter packets long: 7159
timestamp abs first: 06:31:29.828
timestamp abs last: 06:32:24.828

CCNA R&S, CCNA Security

Marvin Rhoads · ‎12-05-2014

Does your switch have a valid ntp association and date setting?

show ntp assoc

show clock

Nedeljko Scepanovic · ‎12-05-2014

Everything looks nice....

3850_P1_ZA#show ntp associations

address ref clock st when poll reach delay offset disp
~10.145.192.14 .INIT. 16 - 1024 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

3850_P1_ZA#show clock
*23:48:40.936 CET Fri Dec 5 2014
3850_P1_

CCNA R&S, CCNA Security

Marvin Rhoads · ‎12-05-2014

Actually your NTP is configured but not synced. The tilde (~) indicates that.

Also, the asterisk before your clock time is another indicator that the time is not NTP-synced.

Nedeljko Scepanovic · ‎12-05-2014

What I can to do ? I found some problems, they do not have connection whit this problem, I will fix in monday, I will look in doc about NTP, is this maybe source of my problem with nagios ?

CCNA R&S, CCNA Security

Marvin Rhoads · ‎12-05-2014

It may very well be although I am not certain.

It would seem to make sense since your flow record is looking to get definitive time (since the Unix epoch) but your switch does not have a synchronized clock.

Nedeljko Scepanovic · ‎12-05-2014

Time form sh clock and etc is right....This photo is from switch, I used Wireshark, and that time, was right.... :)

CCNA R&S, CCNA Security

Marvin Rhoads · ‎12-05-2014

So the packets seen leaving the switch have a correct accurate timestamp (albeit perhaps not NTP-synced).

That would tell me that the issue is at the Nagios end not correctly parsing that information out of the received packets.

Nedeljko Scepanovic · ‎12-07-2014

I found wrong time with another program, nfdump.... I think, cisco switch 3850 has some problem with compatibility....cisco and nagios,nfdump

root@localhost 3850]# nfdump -r nfcapd.201412041035
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
1970-01-01 01:00:00.000 0.000 UDP 10.145.192.18:123 -> 10.250.72.44:123 1 100 1
1970-01-01 01:00:00.000 0.000 TCP 10.193.1.230:80 -> 10.250.72.36:57205 1 50 1
1970-01-01 01:00:00.000 0.000 TCP 10.250.68.46:445 -> 10.250.72.31:52423 317 67461 1
1970-01-01 01:00:00.000 0.000 TCP 10.145.192.19:445 -> 10.250.72.71:59686 9 1835 1
1970-01-01 01:00:00.000 0.000 TCP 10.x.x.x:5061 -> 10.250.72.33:63912 3 548 1
1970-01-01 01:00:00.000 0.000 TCP 173.xxx.xxx.65:80 -> 10.250.72.41:62692 6 330 1

CCNA R&S, CCNA Security

GIANRICO FICHERA · ‎01-23-2023

I had a similar problem with a cisco ASR1000. In my case the problem was in the nfdump reader which was not reading the files correctly. I noticed this because I had an output like this:

Skip nsel extension: '20' - nsel options not compiled
Skip nsel extension: '22' - nsel options not compiled
Skip nsel extension: '25' - nsel options not compiled
1970-01-01 01:00:00.000 00:00:00.000 UDP 100.64.136.89:50380 -> 0.0.0.0:0 0 0 1

To fix this I recompiled nfdump adding nsel support.

./configure --enable-nfprofile --enable-nftrack --enable-nel

So you may have the correct data in the files. It could be nfdump failing to read them properly.

Gianrico Fichera