Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1327
Views
0
Helpful
4
Replies

Netflow capture using NFSEN on the ASR-1001X router does not register dates correctly.

tomaszhinz
Level 1
Level 1

‎08-10-2019 01:22 AM

Hello
The problem is that the capture of netflow from the interfaces works correctly, however, the NAT records is saved without dates, actually the date is 1970.

normal capture (exporter, record, monitor etc.)

2019-08-07 00:30:19.856    61.248 TCP       109.95.201.6:49542 <->    52.36.136.207:443         15       15     4410     2221     2

capture using command ip nat log translations flow-export v9 udp destination 10.11.109.60 9995

1970-01-01 01:00:00.000     0.000 TCP       10.30.210.14:49542 <->    52.36.136.207:443          0        0        0        0     2

 

I suspect that the reason is a shift of columns in the nfsen log file, but maybe some of you have already encountered something like this?

 

 

part of working weel netflow configuration

flow record NFT
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter Netflow-Exp-v4-new
 destination 10.11.60.30
 source TenGigabitEthernet0/0/1.210
 transport udp 9995
 option exporter-stats timeout 60
!
!
flow monitor Netflow-Mon-v4
 exporter Netflow-Exp-v4-new
 record netflow-original

0 Helpful
4 Replies 4

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-11-2019 05:58 AM

Hello Tomas,

the following config chapter for ASR 1000 suggest to use two commands

 

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book/iadnat-hsl-vrf.html

 

I think you should add the command with the global-on option in step 4

 

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat log translations flow-export v9 udp destination addr|ipv6-destination IPv6 address vrf vrf name source interface type interface-number
  4. ip nat log translations flow-export v9 {vrf-name | global-on }
  5. exit

I apologize if you have already inserted the suggested command as your issues is related to timestamps in exported NAT translations.

 

01/01/1970 is the starting date in unix and linux systems.

 

Hope to help

Giuseppe

 

0 Helpful

tomaszhinz
Level 1
Level 1
In response to Giuseppe Larosa

‎08-16-2019 09:03 AM

As you can see in my previous post, I tested this command already with no success.

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to tomaszhinz

‎08-16-2019 09:16 AM

Hello Tomas,

I didn't see the command I have proposed to add in your post but I was not sure if you had just omitted it.

My understanding is that two commands are needed for this feature and the second one just tell the routing context vrf or global-on to use for exporting data.

 

 

Hope to help

Giuseppe

 

0 Helpful

tomaszhinz
Level 1
Level 1
In response to Giuseppe Larosa

‎08-16-2019 10:12 AM

Dear Giuseppe thank you for your response. 

 

Thank you for the quick reply, I checked both commands but it did not help.

I wonder why Cisco didn't allow to attach the Flow Record Definition to nat flow export :-( because in this case we have no possibility do change structure of exported fields of nat netflow data....

I don't know if it is a matter of the order of fields in the exported data ....

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card