Hi

We have an ASR1001 running version 15.1(2)S2. Instead of using interface Gi0, we used another interface Gi0/0/3 to export the flow. From the "sh ip flow export" command, we can see that the flow is already exported. However, when we tried sniffing at the next hop (10.1.1.1), which is a firewall, we cannot see the udp packets coming into the interface. So, the udp packets is not leaving the router. Any idea what is missing?

interface GigabitEthernet0/0/3
 ip vrf forwarding mgmt-ip
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 negotiation auto
 cdp enable
!
ip route vrf mgmt-ip 0.0.0.0 0.0.0.0 GigabitEthernet0/0/3 10.1.1.1
!
ip flow-export source GigabitEthernet0/0/3
ip flow-export version 9
ip flow-export destination 10.10.10.253 5100 vrf mgmt-ip
!

Router#sh ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : 2
    Source(1)       10.1.1.2 (GigabitEthernet0/0/3)
    Destination(1)  10.10.10.253 (5100)
  Version 9 flow records
  238115493 flows exported in 10970087 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
  0 export packets were dropped enqueuing for the RP
  0 export packets were dropped due to IPC rate limiting
  0 export packets were dropped due to Card not being able to export
Router#

hi,

you can try

show flow exporter [yourexporter] statistics

it will show you a little bit more than command in your example. and you must see whether it sending any traffic or no. I had similair issues and this command helped me to solve my issue. also I noted "Flow export v9 is enabled for main cache" in your last command output, maybe it's something with cache?

You might want to try FNF based flow config. I am not sure if this is available in your IOS version. Here's an example which I am using for IOS 15.6:

flow record demo
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport destination-port
 match transport source-port
 match routing vrf input
 match routing vrf output
 match mpls label 1 details
 match mpls label 2 details
 match mpls label 3 details
 collect counter bytes long
 collect counter packets long
flow exporter demo
 destination 10.10.10.10
 transport udp 9996
flow monitor demo
 exporter demo
 cache timeout inactive 30
 cache timeout active 60
 record demo
 

And this is how I attach to interface for which I want to collect flows:

!
interface GigabitEthernet1
 ip flow monitor demo input
 ip flow monitor demo output

!

Hello George,

thanks for your platform specific information

but how netflow export packets prepared by ESP go out to the external world?

it can use any interface on a SPA instead of an interface on the RP?

Hope to help

Giuseppe

Giuseppe,

What you said is correct. Any SPA interface can be used for Netflow Export for the ASR1000. The Gig0 interface being referred to is built into the RP and while its purpose is for Management it cannot be used for Netflow Export. This is platform specific as you noted.

Is it true for a ISR4400 ?  We have created a vrf for management traffic. From a long ago post --- In the past netflow, was not supported on GI0 -- from a another thread -> "Netflow can't be exported from the main data plane out through the management interface (Gig0)"  -----   We are running 17.0.x.x.x - its seems that this is still the case? You can not or, can we input the flow in another monitor and export out another? Please advise thanks in advance?

Hello @arnert .

the thread is referred to ASR 1000 platform and to the fact that the built in management interface gi0  that is for out of band management cannot be used for sending out flow records collected by Netflow.

In your router ISR 4400 you can export using a standard interface even if it is mapped to a VRF that you have configured adding the vrf <vrf-name> keywords where it is necessary in the flow exporter I suppose in flexible netflow.

Hope to help

Giuseppe

Hello @CiscoBrownBelt ,

I know this answer is a late one the ESP is a specific HW component of ASR 1000 that provides data plane switching and can performs encryption / decryption and so on.

>> o we can export netflow to not use mgmt vrf such as use loopback and make sure connectivity to ExportCollector is reachable via loopback and not just mgmt interface? 

short answer is yes

Hope to help

Giuseppe