Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3664
Views
0
Helpful
4
Replies

ISR 4451 not sending NetFlow data

Ruslan Moldaliev
Level 1
Level 1

‎08-03-2016 05:07 AM

hi folks,

I can't force this router to send NetFlow data.

things I configured:

1. custom records (or used netflow-original)

2. exporters with the destinations, sources and ports.

3. monitor with the exporters and sometimes options.

4. applied this monitor to the interface

I can see cache records about traffic but it doesn't send anything. I tried PI, PRTG, ManageEngine and even nfsen. Finally I managed to see statistics and saw next:

Flow Exporter PI-2.2:
 Packet send statistics (last cleared 2w3d ago):
 Successfully sent: 2760 (3785610 bytes)
 Reason not given: 684966 (943297544 bytes)

 Client send statistics:
 Client: Flow Monitor BGP-AS-INT
 Records added: 18851588
 - failed to send: 18851588
 Bytes added: 923727812
 - failed to send: 923727812

I've heard about ASR1k and their inability to use management interface but I have dedicated port-channel subinterface and VRF for it for separating management traffic. hope someone have some thoughts or advices.

thanks in advance!

Labels:
0 Helpful
4 Replies 4

Mark Malone
VIP Alumni
VIP Alumni

‎08-03-2016 05:18 AM

Hi

looks like it did send some data , this is my flex netflow works fine on 4331s you could try that if its still not working I would try a different ios-xe if your certain your not blocking the port somewhere its using

saying that we hit a bug as well and if your sourcing from a VRF it wont work unless your on higher than 15.5.(3)S3 it just wont export correctly

flow exporter xxxx
 destination x.x.x.x
 source GigabitEthernet0
 transport udp 9995
 export-protocol ipfix
 option interface-table
 option vrf-table
 option sampler-table
 option application-table
 option c3pl-class-table
 option c3pl-policy-table
 option application-attributes
!
!
flow monitor xxxxxx
 exporter xxxxx
 exporter xxxxx
 cache timeout inactive 10
 cache timeout active 60
 record xxxxxxxxx

 flow record xxxxx
 match flow direction
 match interface input
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 source address
 match ipv4 tos
 match transport destination-port
 match transport source-port
 collect application name
 collect counter bytes
 collect counter packets
 collect flow sampler
 collect interface output
 collect ipv4 destination mask
 collect ipv4 dscp
 collect ipv4 id
 collect ipv4 source mask
 collect ipv4 source prefix
 collect routing destination as
 collect routing next-hop address ipv4
 collect routing source as
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags

Flow Exporter xxxxxxxxxxxx
  Packet send statistics (last cleared 3w5d ago):
    Successfully sent:         6540975               (7710281076 bytes)
    Reason not given:          12672                 (15605048 bytes)

!

0 Helpful

Ruslan Moldaliev
Level 1
Level 1
In response to Mark Malone

‎08-03-2016 06:15 AM

hi Mark,

thanks for your suggestion.

I somehow managed to solve my issue, I saw a thread about catalyst 6k and their issues, something pinged me and I decided decided to try one more thing:

was:

flow exporter prtg
 destination x.x.x.x
 source Port-channel1.y
 transport udp 9995

became:

flow exporter prtg
 destination x.x.x.x vrf mgmt
 source Port-channel1.y
 transport udp 9995

I was sure before that stating interface which is already in the VRF is enough to use VRF setting, but no it didn't work. I'm posting it to help others because I didn't find this little but important detail in the configuration guides neither examples for IOS-XE.

I have a little bit shorter record list for flows:

flow record PI-2.2
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect flow direction
 collect timestamp sys-uptime last
 collect timestamp sys-uptime first
 collect counter bytes long
 collect counter packets long
 collect flow sampler
 collect transport tcp flags

and this brings another question: which traffic collector do you using? I'm seeing traffic at PRTG, ManageEngine, nfsen but not on Prime Infrastructure 2.2.

thanks in advance

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to Ruslan Moldaliev

‎08-03-2016 06:19 AM

good stuff for posting the fix it will help someone

Im using LiveAction for our IWAN flows and global mapping of our netflow traffic and then I use Prime 3.1 to collect all Cisco device info and then CA NetQos for Cisco and non Cisco , we have some other collector intermapper as well but i rarely use it

0 Helpful

Ruslan Moldaliev
Level 1
Level 1
In response to Mark Malone

‎08-03-2016 06:34 AM

thanks for the information!

0 Helpful
Customers Also Viewed These Support Documents