Netflows (v9) missing

fbauhaus
Level 1

I am running a Catalyst 6504 with sup32 and pfc3b/msfc2a on native IOS 12.2(33)SXI5.

I'm trying to export all netflows as v9 since I have to depend on netflow for IPv6 too.

As collector I'm running nfcapd version 1.6.1.

My problem is that I have some flows that don't show up in the nfcaps but which I can see on the 6504.

core1#sh ip cache flow | incl 22B8
Vl3000           **.***.141.20    Vl3001           **.**.25.7      06 22B8 9402    15K
Vl3000           **.***.141.20    Vl3001           **.**.25.7      06 22B8 D570    20K

These are the two flows I am looking for.

When I look at what got captured there is no trace of these flows.

fbauhaus@sirius:/home/nfdump/nfcap/2010/12/14$ nfdump -r nfcapd.201012141251 -o extended 'host **.**.25.7'
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2010-12-14 12:52:18.876     0.000 TCP      **.**.25.7:22    ->   **.***.141.20:34456 .AP...  16        1      116        0        0    116     1
2010-12-14 12:52:18.876     0.000 TCP      **.**.25.7:22    ->   **.***.141.20:34456 .AP...  16        1      116        0        0    116     1
2010-12-14 12:52:23.812     0.000 TCP      **.**.25.7:39566 ->     **.***.141.20:80    ....S.   0        1       60        0        0     60     1
Summary: total flows: 3, total bytes: 292, total packets: 3, avg bps: 473, avg pps: 0, avg bpp: 97
Time window: 2010-12-14 12:52:18 - 2010-12-14 12:52:23
Total flows processed: 326, Blocks skipped: 0, Bytes read: 16980
Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 516640.3

(I took only this one capture file as an example, but it doesn't show up in any other file either.)

Here are the associated parts of the configuration:

ip flow ingress layer2-switched vlan 1,3000-3001
mls netflow interface
mls flow ip interface-full
mls flow ipv6 full
!
interface Vlan1
 ip address ***.***.71.26 255.255.255.248
 ip access-group 100 in
 ip access-group 100 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ipv6 address ****:****:****:****::/64 eui-64
 ipv6 nd ra suppress
!
interface Vlan3000
 ip address **.**.24.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ipv6 address ****:****:****:****::/64 eui-64
 ipv6 nd ra suppress
!
interface Vlan3001
 ip address **.**.25.1 255.255.255.192
 ip flow ingress
 ipv6 address ****:****:****:****::/64 eui-64
!
ip route **.***.141.0 255.255.255.128 **.**.24.6
!
ip flow-export source Vlan3001
ip flow-export version 9 origin-as bgp-nexthop
ip flow-export destination **.**.25.7 9995

Maybe someone has an idea what I am missing here.

Best regards

Florian
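
Added example, not part of the original post: `show ip cache flow` prints the protocol and ports in hexadecimal while nfdump prints them in decimal, so this sketch parses cache rows and builds an exact nfdump filter per flow for checking the collector. The sample rows are constructed (documentation addresses stand in for the masked ones; interfaces and hex ports follow the post), and all function names are illustrative.

```python
import re

# The Pr column of `show ip cache flow` is the IP protocol number in hex.
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# One flow row: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
LINE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+[KM]?)\s*$"
)

def parse_cache_line(line):
    """Parse one flow row; return None for headers and non-flow lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    # IOS prints protocol and ports in hexadecimal: convert to integers.
    for key in ("proto", "sport", "dport"):
        flow[key] = int(flow[key], 16)
    return flow

def nfdump_filter(flow):
    """Build an nfdump filter that matches exactly this flow's 5-tuple."""
    proto = PROTO.get(flow["proto"], str(flow["proto"]))
    parts = [f"proto {proto}",
             f"src ip {flow['src_ip']}", f"dst ip {flow['dst_ip']}"]
    if flow["proto"] in (6, 17):  # ports are only meaningful for TCP/UDP
        parts += [f"src port {flow['sport']}", f"dst port {flow['dport']}"]
    return " and ".join(parts)

# Constructed sample input (not captured from a real device).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl3000        198.51.100.20   Vl3001        192.0.2.7       06 22B8 9402    15K
Vl3000        198.51.100.20   Vl3001        192.0.2.7       06 22B8 D570    20K
"""

def filters_for(text):
    """Return one nfdump filter per flow row found in the CLI output."""
    flows = (parse_cache_line(line) for line in text.splitlines())
    return [nfdump_filter(f) for f in flows if f]

if __name__ == "__main__":
    for expr in filters_for(SAMPLE):
        print(f"nfdump -r <capture-file> '{expr}'")
```

Rows with masked addresses, as posted above, do not match the pattern and are skipped; run it against the unredacted CLI output.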

2 Replies

yjdabear
VIP Alumni

Perhaps because these flows are active, so they're not due to be exported until they're torn down or the flow export timer expires. If that's the case, you could configure:

ip flow-cache timeout [active minutes | inactive seconds]

to force the flow to be exported.

Here's a good explanation, in which it mentions the default flow-cache timer is 30 mins (though I thought it's 15 mins).

http://www.plixer.com/blog/network-problem-resolution/ip-flow-cache-active-timeout-are-you-using-it/

I'm sorry, I forgot to mention that I took the example from the 6504 while they were active, but they do not appear in my caps even after the flow is no longer active. And I even have 'ip flow-cache timeout 1' in my config and just forgot to post it here.

But thank you for your reply.