01-19-2017 02:37 PM - edited 03-08-2019 08:59 AM
Hello,
We've setup netflow version 9 on our 3850 running IOS 03.07.04E
flow exporter AWSSplunk
description test
destination x.x.13.245
transport udp 9996
option interface-table timeout 60
option application-table timeout 60
flow monitor MONITOR1
exporter AWSSplunk
cache timeout inactive 30
cache timeout active 60
record RECORD1
flow record RECORD1
match datalink mac source address input
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
We applied the monitor to Vlan 10:
vlan configuration 10
ip flow monitor MONITOR1 input
Exporter is not sending.
When we debug:
debug flow exporter AWSSplunk error
we see this error:
Jan 19 14:36:52: FLOW EXP: Failed to send pak (0x39767FA8) for exporter AWSSplunk : (Unspecified failure)
What could be the problem?
01-20-2017 12:40 AM
is it even collecting flows in the router itself , you may be hitting a bug did you check your release notes to see if there were any open caveats for that version , im running 3.6.2 bit earlier netfow works fine on it
you can ping the destination fine yes and no FW between switch and collector correct port set on collector side
did you try set a source interface under the exporter too
xxxxx#sh flow exporter statistics
Flow Exporter xxxxxxxxxxxxxxxxxxx:
Packet send statistics (last cleared 30w4d ago):
Successfully sent: 30579421 (28363184521 bytes)
Reason not given: 36698 (24004144 bytes)
01-20-2017 07:44 AM
There are no open caveats for my version.
I can ping the collector, no FW in between
Source: this switch has only one ip address (SVI)
#show flow exporter statistics
Flow Exporter AWSSplunk:
Packet send statistics (last cleared 3d21h ago):
Successfully sent: 98832 (104151210 bytes)
No FIB: 471962 (645808896 bytes)
Client send statistics:
Client: Flow Monitor MONITOR1
Records added: 1457215
- sent: 1457215
Bytes added: 27687085
- sent: 27687085
Client: Option options application-name
Records added: 6213508
- failed to send: 6213508
Bytes added: 515721164
- failed to send: 515721164
Client: Option options interface-table
Records added: 657189
- failed to send: 657189
Bytes added: 65718900
- failed to send: 65718900
01-20-2017 07:57 AM
Looks like it sent some flows nearly 100000 in 3 days but sopme have failed too which is expected , did you try change the transport port to 2055 ? or make sure the collector is definitely set correctly , you could span the port see if there definitely leaving the switch
01-20-2017 08:45 AM
I spanned the port and there is no udp traffic coming from the switch
I tried changing the port before, same thing.
01-24-2017 09:53 PM
open a TAC or try change the software see if it fixes it
01-24-2017 01:02 PM
I must be doing something wrong
I installed version 3.6.2 and I am getting the same error.
Can you show me your config please?
01-24-2017 09:56 PM
Hi
heres a full working config off my VSS
flow record FLOW-RECORD
description record to monitor network traffic
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter NetQos
description export Netflow traffic to HQ
destination x.x.x.x
source xxxxx
template data timeout 300
option interface-table timeout 1000
option exporter-stats timeout 1000
!
!
flow monitor xilinx_nq
description Used for ipv4 traffic analysis (Mapped To FLOW-RECORD)
record FLOW-RECORD
exporter NetQos
statistics packet protocol
interface Vlan159
ip address x.x.x.x 255.255.255.0
ip flow monitor xilinx_nq input
ip flow monitor xilinx_nq output
load-interval 30
end
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide