Re: Prove Netflow send out

Rojer-bkk · ‎04-07-2011

Hi,

How can i prove router send netflow out to server? I received complain from server team didn't get any flow from router but i checked 'show ip flow export' and interface which server connected, is that enough? Thanks

N W · ‎04-07-2011

Hi

Not too sure if you can run ip accounting to see netflow to the servers IP address. Could give it ago and see.

You could use debug ip flow export, and on the server user netstat to see if it is listening for network and see if any connections are being made.

Or use packet sniffer such as wireshark.

Noel

johnlloyd_13 · ‎04-07-2011

hi,

kindly post your show ip flow export and show run | i flow outputs. check for the line with "X flows exported Y udp datagrams" to verify if there's indeed netflow traffic. also check if any firewall or ACL blocking the netflow UDP port. you can test if this port is open or not by using command below:

Router#telnet /source-interface

Latchum Naidu · ‎04-07-2011

Hi,

The output of "ip flow export" is enough to prove that the router sending stats to netflow server. The output will be like bwlow...

Ask the serve team to look at below things...

1. Is that required interface managed in netflow server?
2. Do they have enough license to manage interfaces?
3. Check the required services status.

#sh ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.36.6.190 (9996)
Exporting using source interface FastEthernet0/0
Version 5 flow records
1293682 flows exported in 62251 udp datagrams
0 flows failed due to lack of export packet
31107 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
5 export packets were dropped due to encapsulation fixup failures

Hope the above will help you.

Please rate the helpfull posts.
Regards,
Naidu.

Rojer-bkk · ‎04-07-2011

Hi All,

Thank you very much for value feedback.

Richard Burts · ‎04-07-2011

Rojer

I recently faced a similar issue at a customer site. We had configured NetFlow on some routers but the group managing the NetFlow collector were saying that they were not receiving NetFlow records from these routers. I resolved this issue by finding a router on the data path from the router generating NetFlow to the NetFlow collector. On that router I issued the show ip cache flow command and found in its output records with our router as the source, with the collector as the destination, and with the port number that was specified for the NetFlow records.

When presented with this information the group manging the collector looked more carefully at the collector and discovered that there was some configuration issue on the collector that was causing it to not accept NetFlow records from our router.

Perhaps this approach might work for you.

HTH

Rick

HTH

Rick

hobbe · ‎04-07-2011

Hi

In my world just because you are sending the information does not mean that the information reaches the end destination.

to realy check what hits the netflow collector, setup a span port on the switch that it is connected on and se what that switch sends out to the collector.

if the stream is there then the problem is in the collector, if the stream does not exist then the problem is somewhere on the way.

it could be anything from the windows "firewall" to just misconfiguration on what the collector accepts.

Good luck

HTH

N W · ‎04-08-2011

To put this to bed use this

http://www.plixer.com/products/netflow-sflow/flowalyzer-netflow-sflow-tester.php

it is a netflow tester, run it on your server and it will tell you if netflow is hittng your server and from where.

Noel