Flexible NetFlow NBAR Application Recognition not supported on C9200?

mschulte
Level 1

I got Netflow working in combination with Solarwinds but I'm also trying to integrate NBAR with it. When I add the command "match application name" to my flow records and apply it to my interface I get the result below.

 

% Flow Monitor: Failed to add monitor to interface: Invalid set of fields in monitor record for wired interface

 

My Config for example:

 

flow record NETFLOW_REC_IN
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match interface input
collect counter bytes long
collect counter packets long

 

flow record NETFLOW_REC_OUT
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match interface output
collect counter bytes long
collect counter packets long

 

flow exporter NETFLOW_EXP
destination <Solarwinds>
source vlan 66
transport udp 2055

 

flow monitor NETFLOW_MON_IN
exporter NETFLOW_EXP
record NETFLOW_REC_IN

 

flow monitor NETFLOW_MON_OUT
exporter NETFLOW_EXP
record NETFLOW_REC_OUT

 

sampler NETFLOW_SAM
mode random 1 out-of 2

 

interface g1/0/48

ip flow monitor NETFLOW_MON_IN sampler NETFLOW_SAM input
ip flow monitor NETFLOW_MON_OUT sampler NETFLOW_SAM output

 

% Flow Monitor: Failed to add monitor to interface: Invalid set of fields in monitor record for wired interface
% Flow Monitor: Failed to add monitor to interface: Invalid set of fields in monitor record for wired interface

 

How do I fix this?

6 Replies

jmodagi
Cisco Employee

Hello,

 

Some combinations of “match” and “collect” fields are not allowed and we might see the following error if the combination is not supported:

 

% Flow Monitor: Failed to add monitor to interface: Invalid set of fields in monitor record for wired interface

 

You can try with the following configuration which worked for me:

 

!
flow record Record_out
match ipv4 version
match ipv4 protocol
match application name
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match flow observation point
collect flow direction
collect connection initiator
collect connection new-connections
collect connection client counter packets long
collect connection client counter bytes network long
collect connection server counter packets long
collect connection server counter bytes network long
collect timestamp absolute first
collect timestamp absolute last
!
!
flow exporter Exporter_out
destination x.x.x.x
!
!
flow monitor Monitor_out
exporter Exporter_out
record Record_out
!

Switch#show run int te2/1/1
Building configuration...

Current configuration : 253 bytes
!
interface TenGigabitEthernet2/1/1
switchport access vlan xx
switchport mode access
ip flow monitor Monitor_out input
ip nbar protocol-discovery
end

 

You may refer to the link below for any restrictions on FNF and NBAR:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/nmgmt/b_1612_nmgmt_9200_cg/configuring_flexible_netflow.html#reference_FB2AAC4511A140CEBC384F64F86F4DCC

 

 

Hi jmodagi,

The switch accepts the input this time; however, Solarwinds does not interpret this well. I am not receiving any updates when using the config template above.

 

The only config that worked for me is this one, but it is without NBAR. I've tried combining the two but no luck.

https://davidsudjiman.wordpress.com/2020/09/02/netflow-on-cisco-catalyst-9200-for-solarwinds/

Hello,

Is "ip nbar protocol-discovery" configured under the interface where the flow monitor is applied? If not, then reset all the interface configuration and apply the flow monitor configuration again together with the protocol-discovery command given above.

 

Also, did you check if the switch is sending out any Netflow packets to Solarwinds?

 

I suggest the below to isolate the point of failure and proceed accordingly:

 

- Check the flow monitor cache output on the switch to see if it is sending Netflow packets to Solarwinds
- Check and confirm the port used for receiving Netflow traffic on Solarwinds, and whether that port is open on Solarwinds
- Collect a packet capture on the switch egress interface to confirm the Netflow packets are being sent out from the switch
- Collect a packet capture on the Solarwinds server ingress interface to see whether any Netflow packets arrive from the switch

 

With the above I believe you should be able to find where the issue is (on the switch, on Solarwinds, or a drop in transit). Based on your findings, you can find the solution or reach the respective tech support for help.

 

Solarwinds TAC checked the packet capture. There are a lot of unknown fields in the IPFIX template that cause it not to be recognized by NTA.

 

According to Solarwinds TAC I need to ensure the mandatory fields are present in the template, such as the InputSNMP or OutputSNMP field, which determines whether the Netflow data is ingress or egress. More information below:


https://documentation.solarwinds.com/en/success_center/nta/content/nta-required-fields-sw148.htm

 

[Attachment: packetcapturesolarwinds.png]
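To make the TAC diagnosis above checkable from the capture itself, here is an added Python example (not from the thread, Cisco or SolarWinds) that parses the Template Set of an IPFIX message and reports which elements of an assumed required set are missing (the thread only states that InputSNMP or OutputSNMP must be present; the rest of the set is an assumption to verify against the SolarWinds page) and which enterprise-specific or unrecognised elements a collector would list as unknown. It builds its own sample message with two templates mirroring NETFLOW_REC_IN and jmodagi's Record_out; the enterprise element ids 100-102 under PEN 9 are placeholders, not Cisco's real element ids.

```python
import struct

IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",  # IANA ipfix ids
            8: "sourceIPv4Address", 10: "ingressInterface", 12: "destinationIPv4Address",
            14: "egressInterface", 61: "flowDirection", 95: "applicationId"}
# Assumed required set (verify against the SolarWinds NTA page); the thread only says ie 10 or 14 is needed.
REQUIRED, REQUIRED_ANY = {1, 2, 4, 8, 12}, {10, 14}

def parse_templates(msg):
    # Returns {template_id: [(ie_id, field_len, enterprise_pen_or_None), ...]} per RFC 7011.
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not an IPFIX message or truncated")
    templates, off = {}, 16  # skip the 16-byte message header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        end, pos = off + max(set_len, 4), off + 4  # max() guards against a zero-length set loop
        while set_id == 2 and pos + 4 <= end:  # set id 2 = Template Set
            tid, count = struct.unpack_from("!HH", msg, pos)
            pos, fields = pos + 4, []
            for _ in range(count):
                ie, flen = struct.unpack_from("!HH", msg, pos)
                pos, pen = pos + 4, None
                if ie & 0x8000:  # enterprise bit set: a 4-byte PEN follows
                    (pen,) = struct.unpack_from("!I", msg, pos)
                    pos, ie = pos + 4, ie & 0x7FFF
                fields.append((ie, flen, pen))
            templates[tid] = fields
        off = end
    return templates

def check_template(fields):
    # Returns (missing required field names, unknown (ie_id, pen) fields a collector may reject).
    ids = {ie for ie, _, pen in fields if pen is None}
    missing = [IE_NAMES[i] for i in sorted(REQUIRED - ids)]
    if not ids & REQUIRED_ANY:
        missing.append("ingressInterface or egressInterface")
    return missing, [(ie, pen) for ie, _, pen in fields if pen is not None or ie not in IE_NAMES]

def build_template_message(templates):  # encodes a template-only message (sample input only)
    body = b""
    for tid, fields in templates.items():
        body += struct.pack("!HH", tid, len(fields)) + b"".join(
            struct.pack("!HH", ie, n) if pen is None else struct.pack("!HHI", ie | 0x8000, n, pen)
            for ie, n, pen in fields)
    tset = struct.pack("!HH", 2, 4 + len(body)) + body
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 1) + tset

# Constructed samples: 256 mirrors NETFLOW_REC_IN; 257 mirrors Record_out, with placeholder
# enterprise ids 100-102 under PEN 9 (Cisco) standing in for elements the collector does not know.
SAMPLE = {256: [(4, 1, None), (8, 4, None), (12, 4, None), (10, 4, None), (61, 1, None), (1, 8, None), (2, 8, None)],
          257: [(4, 1, None), (95, 4, None), (100, 4, 9), (101, 4, 9), (102, 2, 9), (61, 1, None)]}
```

Feed parse_templates() the UDP payload of a template packet taken from the switch-side or server-side capture; a template that reports nothing missing and nothing unknown at least carries the fields this thread identifies as necessary.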


Hello,

 

I have read through the Solarwinds documentation... what if you add the lines marked in bold (-->) below?

 

flow record NETFLOW_REC_IN
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match interface input
collect counter bytes long
collect counter packets long
--> collect application name
!
flow record NETFLOW_REC_OUT
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match interface output
collect counter bytes long
collect counter packets long
--> collect application name
!
flow exporter NETFLOW_EXP
destination <Solarwinds>
source vlan 66
transport udp 2055
--> option application-table timeout 60
--> option application-attributes timeout 300
