11-20-2006 02:00 PM
I have a Red Hat Enterprise Linux server, and am trying to troubleshoot the NetFlow Collector installation.
I created an nfcuser userid, logged in, su'd to root and installed NetFlow Collector. I FTPed the software to the server and installed it using ./NFC_Setup.sh.
I logged in as root and ran tcpdump to verify we are receiving packets:
[root@itgcursnetflow sbin]# tcpdump -i eth0 host 167.64.254.1
tcpdump: listening on eth0
16:01:07.594163 netflowrouter.somewhere.com.51351 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.594172 netflowcollector.somewhere.com > netflowrouter.somewhere.com: icmp: host netflowcollector.somewhere.com unreachable - admin prohibited [tos 0xc0]
16:01:07.594619 netflowrouter.somewhere.com.51351 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.975413 netflowrouter.somewhere.com.51346 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.975782 netflowrouter.somewhere.com.51346 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.976070 netflowrouter.somewhere.com.51346 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.976194 netflowrouter.somewhere.com.51346 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.976315 netflowrouter.somewhere.com.51346 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.976437 netflowrouter.somewhere.com.51346 > netflowcollector.somewhere.com.9996: udp 1464
16:01:08.594227 netflowrouter.somewhere.com.51351 > netflowcollector.somewhere.com.9996: udp 1464
16:01:08.594236 netflowcollector.somewhere.com > netflowrouter.somewhere.com: icmp: host netflowcollector.somewhere.com unreachable - admin prohibited [tos 0xc0]
16:01:08.594416 netflowrouter.somewhere.com.51351 > netflowcollector.somewhere.com.9996: udp 1464
I verified the router is sending flows:
sh ip cache verbose flow
IP packet size distribution (35519M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .290 .096 .259 .049 .065 .010 .011 .006 .005 .008 .004 .003 .003 .003

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .003 .014 .025 .135 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
2427 active, 63109 inactive, 1379904888 added
430600528 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol         Total    Flows   Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------         Flows     /Sec     /Flow   /Pkt     /Sec        /Flow      /Flow
TCP-Telnet    72552525     16.8         8    204    150.9          7.5       14.6
TCP-FTP        5478850      1.2        14     63     18.7          5.5        7.3
TCP-FTPD       4728316      1.1        96    695    105.9          4.5        2.3
TCP-WWW      103540288     24.1        17    252    428.7          2.7        4.3
TCP-SMTP       3268737      0.7        47    905     35.8          3.4        5.0
When I go to the /tools directory and run ./fdeget -p 9996, it listens for hours and I see absolutely no flows, nothing coming in on port 9996 (I shut down the collector first, then ran ./fdeget).
When I run "./fdgenerate -d 10.1.9.112 -p 9996 -v 5 -f 100", I can generate packets. I then go to the logs directory and see that the server sees and processes the packets. This happens when I send the packets to myself. I tried versions 1, 5 and 7.
Where do I go next? I know that the nfcuser userid does not have sudo. Is this required? Or is that only for installation, and if you install as root, does that work just as well?
The nfcuser $PATH is here:
[nfcuser@itgcursnetflow nfcuser]$ echo $PATH
/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/nfcuser/bin:/opt/CSCOnfc/bin:/sbin:/usr/sbin
If I do a "netstat --listening", I see the server listening on port 9996. I also checked the router configs and know they are sending to 9996. Where do I go next?
11-20-2006 02:01 PM
A real basic copy of my nfc-config.xml is here:
[nfcuser@itgcursnetflow config]$ more nfc-config.xml
interval="5" warning-threshold="90"/>
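Added note and example, not part of the original post. The ICMP lines in the tcpdump capture above ("host ... unreachable - admin prohibited") are the collector host itself answering each flow datagram with ICMP type 3 code 10, which is exactly what an iptables REJECT rule with --reject-with icmp-host-prohibited sends, and that is the last rule in the default RHEL /etc/sysconfig/iptables (chain RH-Firewall-1-INPUT). A datagram rejected in the INPUT chain never reaches the socket, so the collector can be listening on 9996 (as netstat shows) and still see nothing, which is also consistent with fdgenerate to the server's own address working, since the default ruleset accepts loopback traffic before the REJECT. The script below is an added example, not the collector's or Cisco's code: it counts rejected datagrams in a constructed copy of the capture, walks a constructed iptables-save ruleset to find the first verdict for udp/9996, and prints the same ruleset with an ACCEPT inserted ahead of the catch-all REJECT. The chain name and first-match rule layout assume the RHEL default; the real ruleset comes from iptables-save on the server.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose "admin prohibited" ICMP
# replies in a tcpdump capture and check an iptables-save ruleset for the
# REJECT that produces them. Capture and ruleset below are constructed samples
# in the same format as the original post and the RHEL default firewall.

COLLECTOR_PORT=9996

# Constructed tcpdump lines, same format as the capture in the post.
CAPTURE='16:01:07.594163 netflowrouter.somewhere.com.51351 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.594172 netflowcollector.somewhere.com > netflowrouter.somewhere.com: icmp: host netflowcollector.somewhere.com unreachable - admin prohibited [tos 0xc0]
16:01:07.594619 netflowrouter.somewhere.com.51351 > netflowcollector.somewhere.com.9996: udp 1464
16:01:07.975413 netflowrouter.somewhere.com.51346 > netflowcollector.somewhere.com.9996: udp 1464
16:01:08.594227 netflowrouter.somewhere.com.51351 > netflowcollector.somewhere.com.9996: udp 1464
16:01:08.594236 netflowcollector.somewhere.com > netflowrouter.somewhere.com: icmp: host netflowcollector.somewhere.com unreachable - admin prohibited [tos 0xc0]'

# Constructed iptables-save output in the RHEL default layout (assumption:
# the real server uses the same RH-Firewall-1-INPUT chain).
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Number of UDP datagrams addressed to the given port in a capture.
count_udp_to_port() {   # $1 = capture text, $2 = port
    printf '%s\n' "$1" | awk -v p="$2" \
        '$0 ~ ("\\." p ": udp ") { n++ } END { print n + 0 }'
}

# Number of ICMP "admin prohibited" replies (type 3 code 10) in a capture.
count_admin_prohibited() {   # $1 = capture text
    printf '%s\n' "$1" | awk \
        '/icmp: .*unreachable - admin prohibited/ { n++ } END { print n + 0 }'
}

# First-match verdict for a UDP port: the target of the first rule that names
# the port, or of the first catch-all REJECT/DROP (no protocol, no port),
# or NONE if neither exists. Rules are walked in saved order.
udp_port_verdict() {   # $1 = iptables-save text, $2 = port
    printf '%s\n' "$1" | awk -v p="$2" '
        function target(   i) { for (i = 1; i <= NF; i++) if ($i == "-j") return $(i + 1); return "" }
        /^-A / && /-p udp/ && $0 ~ ("--dport " p "( |$)") { print target(); found = 1; exit }
        /^-A / && /-j (REJECT|DROP)/ && !/--dport/ && !/-p / { print target(); found = 1; exit }
        END { if (!found) print "NONE" }'
}

# Same ruleset with an ACCEPT for the UDP port inserted just before the first
# catch-all REJECT/DROP, so it wins on first match.
allow_udp_port() {   # $1 = iptables-save text, $2 = port
    printf '%s\n' "$1" | awk -v p="$2" '
        !done && /^-A / && /-j (REJECT|DROP)/ && !/--dport/ && !/-p / {
            print "-A " $2 " -m state --state NEW -m udp -p udp --dport " p " -j ACCEPT"
            done = 1
        }
        { print }'
}

# Run the checks on the constructed samples.
echo "udp datagrams to port $COLLECTOR_PORT: $(count_udp_to_port "$CAPTURE" "$COLLECTOR_PORT")"
echo "icmp admin-prohibited replies: $(count_admin_prohibited "$CAPTURE")"
echo "firewall verdict for udp/$COLLECTOR_PORT: $(udp_port_verdict "$RULESET" "$COLLECTOR_PORT")"
echo "ruleset with the port opened:"
allow_udp_port "$RULESET" "$COLLECTOR_PORT"
```

On the real server, feed it live data: iptables-save for the ruleset, and the tcpdump output from the post for the capture. If the verdict is REJECT, apply the corrected ruleset with iptables-restore (or add the same ACCEPT line to /etc/sysconfig/iptables above the REJECT and run service iptables restart), then repeat the tcpdump; the ICMP replies should stop and fdeget -p 9996 should start printing flows.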