Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1016
Views
0
Helpful
7
Replies

Neflow exporter error on 3850

itinfrastructure3
Level 1
Level 1

‎01-19-2017 02:37 PM - edited ‎03-08-2019 08:59 AM

Hello,

We've setup netflow version 9 on our 3850 running IOS 03.07.04E

flow exporter AWSSplunk
 description test
 destination x.x.13.245
 transport udp 9996
 option interface-table timeout 60
 option application-table timeout 60

flow monitor MONITOR1
 exporter AWSSplunk
 cache timeout inactive 30
 cache timeout active 60
 record RECORD1

flow record RECORD1
 match datalink mac source address input
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port

We applied the monitor to Vlan 10:

vlan configuration 10

ip flow monitor MONITOR1 input

Exporter is not sending.

When we debug:

debug flow exporter AWSSplunk error

we see this error:

Jan 19 14:36:52: FLOW EXP: Failed to send pak (0x39767FA8) for exporter AWSSplunk : (Unspecified failure)

What could be the problem?

Labels:
0 Helpful
7 Replies 7

Mark Malone
VIP Alumni
VIP Alumni

‎01-20-2017 12:40 AM

is it even collecting flows in the router itself , you may be hitting a bug did you check your release notes to see if there were any open caveats for that version , im running 3.6.2 bit earlier netfow works fine on it

you can ping the destination fine yes and no FW between switch and collector correct port set on collector side

did you try set a source interface under the exporter too

xxxxx#sh flow exporter statistics
Flow Exporter xxxxxxxxxxxxxxxxxxx:
  Packet send statistics (last cleared 30w4d ago):
    Successfully sent:         30579421              (28363184521 bytes)
    Reason not given:          36698                 (24004144 bytes)

0 Helpful

itinfrastructure3
Level 1
Level 1
In response to Mark Malone

‎01-20-2017 07:44 AM

There are no open caveats for my version.

I can ping the collector, no FW in between

Source: this switch has only one ip address (SVI)

#show flow exporter statistics       
Flow Exporter AWSSplunk:
  Packet send statistics (last cleared 3d21h ago):
    Successfully sent:         98832                 (104151210 bytes)
    No FIB:                    471962                (645808896 bytes)

  Client send statistics:
    Client: Flow Monitor MONITOR1
      Records added:           1457215
        - sent:                1457215
      Bytes added:             27687085
        - sent:                27687085

    Client: Option options application-name
      Records added:           6213508
        - failed to send:      6213508
      Bytes added:             515721164
        - failed to send:      515721164

    Client: Option options interface-table
      Records added:           657189
        - failed to send:      657189
      Bytes added:             65718900
        - failed to send:      65718900

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to itinfrastructure3

‎01-20-2017 07:57 AM

Looks like it sent some flows nearly 100000 in 3 days but sopme have failed too which is expected   , did you try change the transport port to 2055 ? or make sure the collector is definitely set correctly , you could span the port see if there definitely leaving the switch

0 Helpful

itinfrastructure3
Level 1
Level 1
In response to Mark Malone

‎01-20-2017 08:45 AM

I spanned the port and there is no udp traffic coming from the switch

I tried changing the port before, same thing.

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to itinfrastructure3

‎01-24-2017 09:53 PM

open a TAC or try change the software see if it fixes it

0 Helpful

curt.watts
Level 1
Level 1
In response to Mark Malone

‎01-24-2017 01:02 PM

I must be doing something wrong

I installed version 3.6.2 and I am getting the same error.

Can you show me your config please?

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to curt.watts

‎01-24-2017 09:56 PM

Hi

heres a full working config off my VSS

flow record FLOW-RECORD
 description record to monitor network traffic
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match interface output
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter NetQos
 description export Netflow traffic to HQ
 destination x.x.x.x
 source xxxxx
 template data timeout 300
 option interface-table timeout 1000
 option exporter-stats timeout 1000
!
!
flow monitor xilinx_nq
 description Used for ipv4 traffic analysis (Mapped To FLOW-RECORD)
 record FLOW-RECORD
 exporter NetQos
 statistics packet protocol


interface Vlan159
 ip address x.x.x.x 255.255.255.0
 ip flow monitor xilinx_nq input
 ip flow monitor xilinx_nq output
 load-interval 30
end

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card