
Flexible netflow not working

Hello,

I'm trying to install Flexible NetFlow on a Cisco Catalyst 3850.
But no packet is exported, and if I run the "show flow monitor ipv4_netflow_input statistics" command, there is no field "flow aged" with "active timeout" and "Inactive timeout":

 

Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 2096
Flows added: 2096
Flows aged: 0

Moreover, the packets that are not exported are indeed in the cache.


My configuration (Cisco IOS 16.6):
flow record goelastic_input
 match ipv4 destination address
 match ipv4 source address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match ipv4 tos
 match ipv4 ttl
 match interface input
 match flow direction
 match datalink vlan input
 collect counter bytes long
 collect counter packets long
!
!
flow exporter exp_goelastic_input
 destination X.X.X.X
 source Loopback0
 transport udp 2055
!
!
flow monitor ipv4_netflow_input
 exporter exp_goelastic_input
 cache timeout active 60
 record goelastic_input

Thanks

12 Replies

Hello!

The license level is "ipbase", is that OK for NetFlow?

 

Regards

 

balaji.bandi
Hall of Fame

Can you post show version and show cef information?

Here is my working template config for reference:

 

flow record FLOW-BB
 match ipv4 source address
 match ipv4 destination address
 match ipv4 tos
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

flow monitor ipv4-netflow-bb
 exporter ELK
 statistics packet protocol
 statistics packet size
 record FLOW-BB

flow exporter ELK
 destination x.x.x.x
 source Loopback0
 transport udp 2055

interface gi 1/1
 ip flow monitor ipv4-netflow-bb input
 ip flow monitor ipv4-netflow-bb output

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

Show version command:

 

Cisco IOS XE Software, Version 16.06.05
Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 10-Dec-18 11:34 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.68, RELEASE SOFTWARE (P)

CISCO01 uptime is 1 week, 1 day, 21 hours, 29 minutes
Uptime for this control processor is 1 week, 1 day, 21 hours, 32 minutes
System returned to ROM by Power Failure or Unknown at 13:26:42 MET Thu Dec 19 2019
System restarted at 11:32:54 MET Mon Jun 22 2020
System image file is "flash:cat3k_caa-universalk9.16.06.05.SPA.bin"
Last reload reason: Power Failure or Unknown

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:

-----------------------------------------------------------------
Technology-package                   Technology-package
Current             Type             Next reboot
------------------------------------------------------------------
ipbasek9            Permanent        ipbasek9

cisco WS-C3850-24S (MIPS) processor (revision M0) with 853097K/6147K bytes of memory.
9 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
252000K bytes of Crash Files at crashinfo-2:.
1609272K bytes of Flash at flash:.
1611414K bytes of Flash at flash-2:.
0K bytes of WebUI ODM Files at webui:.

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 32    WS-C3850-24S       16.6.5            CAT3K_CAA-UNIVERSALK9 BUNDLE
     2 32    WS-C3850-24S       16.6.5            CAT3K_CAA-UNIVERSALK9 BUNDLE

Configuration register is 0x102

 

What do you need regarding CEF information?

 

Thank you for your help

 

I just tried to apply the flow monitors on the VLANs with "vlan configuration in-vlan"; it works once, but not afterwards. And it doesn't work when applying the monitors on the physical interfaces.

Moreover, when I remove the flow monitors from the interfaces or VLAN, my Elastic server receives NetFlow packets. But no flow is aged:

Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 300

Flows added: 300
Flows aged: 0

 

Any idea?

Big thanks

Is this an L2 interface? Then it will not work. It should be an L3 interface.

BB


Hello, thank you for your answer.

 

I don't understand what is wrong, "Layer 2, VLAN, and Layer 3 interfaces are supported." (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/xe-3se/3850/fnf-full-flow.html)

 

And my switch has almost the same configuration as yours.

Big thanks

As you mentioned, it worked when you added the configuration to the SVI?

Can you post both interface configurations:

 

show run interface vlan X

show run interface gig x/x

show ip flow export

 

 

BB


Not to SVI but VLAN,

 

show run interface vlan X :


Current configuration : 182 bytes
!
interface VlanXX
 description *** Vlan Management ***
 ip address XX.XX.XX.XXX XXX.XXX.XXX.X
 ip helper-address XXX.XXX.XXX.X
 ip helper-address XXX.XXX.XXX.X
 no ip proxy-arp
end

 

show run interface gigabitEthernetX/X
Building configuration...

Current configuration : 181 bytes
!
interface GigabitEthernetX/X
 description Link_To_XXXXXXXXXX
 switchport mode trunk
 switchport nonegotiate
 channel-group 53 mode active
 ip nbar protocol-discovery
end

 


show flow record :


flow record goelastic_input:
  Description: User defined
  No. of users: 1
  Total field space: 38 bytes
  Fields:
    match datalink vlan input
    match ipv4 tos
    match ipv4 ttl
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match interface input
    match flow direction
    collect counter bytes long
    collect counter packets long

Big thanks

 

 

I do not see the configuration applied to the interface?

Is this port-channel Layer 2 or Layer 3? Can you post

 

 

show run interface port-channel 53 

BB


Yes, I removed the flow monitors. I'll give one:


Cisco01#show run interface gigabitEthernet1/0/1 :


interface GigabitEthernet1/0/1
 description TINSWCISCO02-ADM
 switchport mode trunk
 ip flow monitor ipv4_netflow_input input
 storm-control broadcast level 5.00
 storm-control action shutdown
 storm-control action trap
 channel-group 1 mode active
 ip nbar protocol-discovery
 ip dhcp snooping trust
end

 

Yes this port channel is Layer 2. Is that why it doesn't work?

show run interface port-channel 53 :


interface Port-channel53
 description Link_To_CISCO02
 switchport mode trunk
 switchport nonegotiate
end

Big thanks

I think I found my problem. It's a bug:

 

Jul 2 11:19:03: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 2 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:ipv4_netflow_input-0-goelastic_input-3564851318-0-1-40 fnf-id:2000125 real-id:125 info:ifh =40 mon-id:2000001 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi03188/?rfs=iqvred

 

Symptom:
The issue is observed on 3650 and 3850 in a CU environment running 16.6.2 with "match ipv4 version" removed from the FNF record. CU removed the config more than 20 times and the Exporter stopped working while observing the below error messages in the logs:

189768: Feb 16 2018 16:23:25.521 UTC: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 2 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:FNF-MONITOR-IN-0-FNF-RECORD-IN-1614463892-0-1-7 fnf-id:2000433 real-id:433 info:ifh =7 mon-id:2000022 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
189769: Feb 16 2018 16:23:25.575 UTC: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 3 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:FNF-MONITOR-IN-0-FNF-RECORD-IN-1614463892-0-1-7 fnf-id:2000433 real-id:433 info:ifh =7 mon-id:2000022 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed

Conditions:
3650/3850 running 16.6.2 code and FNF configuration removed and re-added multiple times.
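
An added example, not part of the thread and not Cisco code: a small Python parser that picks the %FMFP-3-OBJ_DWNLD_TO_DP_FAILED messages quoted above out of a syslog stream and reports, per FNF object, which switch members failed to program the monitor binding, so a collector that has gone quiet can be tied to the switch-side failure. The function names are hypothetical, and the field layout is read off the quoted messages, not taken from Cisco documentation.

```python
import re
from collections import defaultdict

# The three FMFP lines are the ones quoted in the thread (terminal line-wrap
# spaces removed); the final LINK-3-UPDOWN line is constructed as noise.
SAMPLE_LOG = """\
Jul 2 11:19:03: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 2 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:ipv4_netflow_input-0-goelastic_input-3564851318-0-1-40 fnf-id:2000125 real-id:125 info:ifh =40 mon-id:2000001 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
189768: Feb 16 2018 16:23:25.521 UTC: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 2 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:FNF-MONITOR-IN-0-FNF-RECORD-IN-1614463892-0-1-7 fnf-id:2000433 real-id:433 info:ifh =7 mon-id:2000022 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
189769: Feb 16 2018 16:23:25.575 UTC: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 3 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:FNF-MONITOR-IN-0-FNF-RECORD-IN-1614463892-0-1-7 fnf-id:2000433 real-id:433 info:ifh =7 mon-id:2000022 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
Jul 2 11:20:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
"""

MSG = re.compile(
    r"%FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch (?P<switch>\d+) \S+: \S+: "
    r"\[FNF Object\] (?P<fields>.*?) download to DP failed"
)

def parse_fnf_failures(log_text):
    """Return one dict per failed FNF object download found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        # "info:ifh =40" is the only field not in key:value form; normalise it.
        raw = m.group("fields").replace("info:ifh =", "ifh:")
        fields = dict(tok.split(":", 1) for tok in raw.split() if ":" in tok)
        events.append({
            "switch": int(m.group("switch")),
            "type": fields.get("type"),
            "name": fields.get("name"),
            # ifh is presumably the interface handle (an assumption).
            "ifh": int(fields["ifh"]) if "ifh" in fields else None,
            "mon_id": fields.get("mon-id"),
        })
    return events

def summarize(events):
    """Map FNF object name -> sorted switch members that logged the failure."""
    by_name = defaultdict(set)
    for ev in events:
        by_name[ev["name"]].add(ev["switch"])
    return {name: sorted(members) for name, members in by_name.items()}

if __name__ == "__main__":
    for name, members in summarize(parse_fnf_failures(SAMPLE_LOG)).items():
        print(f"{name}: bind failed on switch member(s) {members}")
```
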
