Cisco Stealthwatch problem with Nexus 5600 Switch

sevsecurity · ‎07-09-2024

Hi, i have SNA ver 7.4 with one flow collector and i have no issue for sending flow traffic to collector except with Nexus 5600 switches.i have configured N5k as Nexus 5600 configuration guide for netflow. in SNA in exporters i cant see my Nexus 5600 and when i generate a report in SNA about flow problems it shows that it received logs from Nexus 5600 but in Flow Type section it says " NOT_CONFIGURED" . but i have configured in exporter section in nexus 5600 version 9. i dont know why sna cant see the flow type as version 9.

is there any problem in 5600 with stealtwatch or im missing something. i tried to send flows to solarwinds and it is ok but no luck with stealthwatch!

* i have attaches screenshot from SNA report.

thanks in advance.

jamegill · ‎07-09-2024

Hey @sevsecurity ,

Are you using sampled NetFlow? What configuration guide are you following, can you include a link? Can you paste the flow configuration from your switch? What code version is running on your Nexus 5600s?

--jg

DanielLarsson63527 · ‎07-30-2024

Hi,

I think your netflow configuration is just not done the way stealthwatch wants it.
There is a little bit of difference between "IOS" and "NX-OS" configuration.

Flow Type "NOT_CONFIGURED" usually means that there is a mismatch between your FC configuration and the way the export is configured. You said you have defined it as version 9, have you also done the rest of the configuration according to:
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf

I've run all sorts of versions of IOS and NX-OS and never had any issues with the configuration as long as all parameters are defined. When it ends up as "NOT_CONFIGURED" there has always been a flow record, or flow exporter configuration mistake.

HTH
-Daniel