Hi,

We are facing same problem here. As we dont see aby flows on FC its dropping the packets.

Take a look at the Cisco Netflow Configuration:

- flow exporter netflow_to_stealthwatch

- description Export NetFlow to StealthWatch

- destination 10.10.35.105<> use-vrf server

- transport udp 2055

- source Vlan22

- version 9

- flow record StealthWatch

- match ipv4 source address

- match ipv4 destination address

- match ip protocol

- match ip tos

- match transport source-port

- match transport destination-port

- collect routing destination as

- collect routing next-hop address ipv4

- collect transport tcp flags

- collect counter bytes

- collect counter packets

- collect timestamp sys-uptime last

- collect ip version

- sampler netflow_stealthwatch

- mode 1 out-of 1000

- flow monitor standard_v9netflow

- record StealthWatch

- exporter netflow_to_stealthwatch

-

- interface Vlan22

- description B-Prod-DMZ-App1

- no shutdown

- bandwidth 10000000

- delay 10

- vrf member server

- ip flow monitor standard_v9netflow input sampler netflow_stealthwatch

- no ip redirects

- ip address 10.10.23.253/23<>

- ip proxy-arp

- glbp 22

- ip 10.10.23.252<>

- priority 110

- load-balancing host-dependent

I can able see the packets on switch level.

Please guide how to resolve.

Thanks.

Hi There,

Try the following record. If this works then add any further entries one at a time to see which it doesn't like. 

match ipv4 source address 
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match ipv4 tos
match interface input
collect interface output
collect counter bytes long
collect counter packets long

Still having the same problem. Not seen any flows.

Hi, 

Can you take a packet capture from SC. It is under support/capture i believe. Have a look and see if the netflow data is indeed reaching the appliance but then being dropped.

Can you also post current netflow config from device.

Hi,
Tried with packet capture can see the packet reaching FC but its dropped. Checked.

,

We are facing same problem here. As we dont see aby flows on FC its dropping the packets.

Take a look at the Cisco Netflow Configuration:

- flow exporter netflow_to_stealthwatch

- description Export NetFlow to StealthWatch

- destination 10.10.35.105<> use-vrf server

- transport udp 2055

- source Vlan22

- version 9

- flow record StealthWatch

- match ipv4 source address

- match ipv4 destination address

- match ip protocol

- match ip tos

- match transport source-port

- match transport destination-port

- collect routing destination as

- collect routing next-hop address ipv4

- collect transport tcp flags

- collect counter bytes

- collect counter packets

- collect timestamp sys-uptime last

- collect ip version

- sampler netflow_stealthwatch

- mode 1 out-of 1000

- flow monitor standard_v9netflow

- record StealthWatch

- exporter netflow_to_stealthwatch

-

- interface Vlan22

- description B-Prod-DMZ-App1

- no shutdown

- bandwidth 10000000

- delay 10

- vrf member server

- ip flow monitor standard_v9netflow input sampler netflow_stealthwatch

- no ip redirects

- ip address 10.10.23.253/23<>

- ip proxy-arp

- glbp 22

- ip 10.10.23.252<>

- priority 110

- load-balancing host-dependent

I can able see the packets on switch level.

Please guide how to resolve.

Can you please amend the flow record so it ONLY has the following (for testing) - Remove all other entries within the record. You will have to disassociate it from the rest of the config first to amend it.

 

match ipv4 source address 
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match ipv4 tos
match interface input
collect interface output
collect counter bytes long
collect counter packets long