09-21-2016 01:28 AM
Hello everyone.
I'm using Flexible NetFlow for analyzing connections for security matters. But I have a lot of false alarms because my device sends NetFlow data before the flow itself has ended. So I tried to tune the cache parameters to store data at the router for more time before it sends data to my monitoring device.
But every time I try to change the cache parameters, my router stops sending any NetFlow data. Here is my Flexible NetFlow configuration:
flow record REC_1G_in
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input snmp
match flow sampler
collect routing next-hop address ipv4
collect flow direction
collect ipv4 total-length maximum
collect ipv4 option map
collect transport icmp ipv4 type
collect transport icmp ipv4 code
collect transport tcp urgent-pointer
collect transport tcp flags
collect transport tcp maximum-segment-size
collect transport tcp option map long
collect interface output snmp
collect counter bytes long
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
exit
flow record REC_1G_out
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output snmp
match flow sampler
collect routing next-hop address ipv4
collect flow direction
collect ipv4 total-length maximum
collect ipv4 option map
collect transport icmp ipv4 type
collect transport icmp ipv4 code
collect transport tcp urgent-pointer
collect transport tcp flags
collect transport tcp maximum-segment-size
collect transport tcp option map long
collect interface input snmp
collect counter bytes long
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
exit
flow exporter flow
destination XXX.XXX.XXX.XXX
source GigabitEthernet0/0/0
transport udp 9996
exit
flow monitor MON_1G_in
! If I uncomment any commented line below
! my device stops sending any netflow data
! cache timeout inactive 180
! cache timeout active 3600
! cache entries 500000
statistics packet size
exporter flow
record REC_1G_in
exit
flow monitor MON_1G_out
! cache timeout inactive 180
! cache timeout active 3600
! cache entries 500000
statistics packet size
exporter flow
record REC_1G_out
exit
interface GigabitEthernet0/0/1
ip flow monitor MON_1G_in input
ip flow monitor MON_1G_out output
exit
Output showing that no NetFlow data is being sent:
sh flow expor stat
Flow Exporter flow:
Packet send statistics (last cleared 00:59:57 ago):
Successfully sent: 2 (200 bytes)
Client send statistics:
Client: Flow Monitor MON_1G_in
Records added: 0
Bytes added: 0
Client: Flow Monitor MON_1G_out
Records added: 0
Bytes added: 0
And my second question: most of my traffic is TCP connections, so is it possible to add a matching rule to the flow record for TCP sessions (from the SYN packet until a FIN/RST packet or a timeout)?
10-31-2016 03:14 AM
OK, problem solved. The problem was with DRAM memory. My ASR device has 256 Mb DRAM and 128 Mb of IRAM memory. In the cache every flow row takes 100 bytes of DRAM/IRAM memory (NetFlow balances memory usage between both places). So 500k cached rows need 50 Mb of memory. So my free memory was enough only for 2 NetFlow monitors.
And I had hoped that 4 Gb of RAM would be enough for a lot of processes. But NetFlow doesn't use it :(
Changing cache entries to a smaller value hit the mark. But now I'm trying to find a balance between the number of entries, timeouts and memory usage.
But my main problem is solved.
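As an added example (not the poster's code, and not a Cisco tool), here is a Python sketch of the memory arithmetic the answer above describes: it parses "flow monitor" blocks in the same format as the posted config, applies the roughly 100 bytes per cached flow figure stated in the thread, and reports whether the configured caches fit in a given amount of free DRAM. The sample config and the 4096-entry default are constructed assumptions for this example.

```python
import re
BYTES_PER_ENTRY = 100  # per-entry cost the poster reported on this ASR

# Constructed config fragment in the thread's format; the commented-out
# 'cache entries' (as in the original post) leaves the default in force.
SAMPLE_CONFIG = """\
flow monitor MON_1G_in
 ! cache entries 500000
 record REC_1G_in
 exit
flow monitor MON_1G_out
 cache entries 500000
 record REC_1G_out
 exit
flow monitor MON_small
 cache entries 50000
 exit
"""

def parse_flow_monitors(config, default_entries=4096):
    """Return {monitor_name: cache_entries}.  IOS ignores '!' lines, so a
    commented 'cache entries' leaves the monitor at default_entries (4096
    is an assumed default; confirm with 'show flow monitor' on the box)."""
    monitors, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"flow monitor (\S+)", line):
            current = m.group(1)
            monitors[current] = default_entries
        elif (m := re.fullmatch(r"cache entries (\d+)", line)) and current:
            monitors[current] = int(m.group(1))
        elif line == "exit":
            current = None
    return monitors

def cache_memory_plan(monitors, free_bytes, bytes_per_entry=BYTES_PER_ENTRY):
    """Charge each monitor's cache against free DRAM in config order.
    Returns (fits, bytes_needed, first_monitor_that_does_not_fit)."""
    used = 0
    for name, entries in monitors.items():
        used += entries * bytes_per_entry
        if used > free_bytes:
            return False, used, name
    return True, used, None

def max_entries_per_monitor(free_bytes, n_monitors, bytes_per_entry=BYTES_PER_ENTRY):
    """Largest equal 'cache entries' value n_monitors can share in free_bytes."""
    return free_bytes // (n_monitors * bytes_per_entry)
```

Feeding the real free-memory figure from the router into cache_memory_plan shows which monitor pushes the caches over the limit, and max_entries_per_monitor gives a starting point for the entries-versus-memory trade-off mentioned above.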