Nodes Traffic problem

Raul,

Have you confirmed within the configs that that destination is the IP of the Orion NTA server and being sent to port 2055?  Did the Orion server get migrated at all?  If so, the IP for the destination may not be correct and flows may be going to an older server. 

Regards,

Matthew Harvey

Loop1 Systems

http://www.loop1systems.com

Hello Matthew,

Yes, the destination is the IP from Orion NTA and the port is 2055.

Um, what you mean by migrated? This server has never been moved or anything, so it shouldnt be a problem.

Any other ideas?

Regards, Raul

So, I tried doing some sniffing with Wireshark, but Im not sure whats going on.

As you see in the 1st screen shot, the last node sent some Netflow data at 11:03am. However, WireShark never got a cflow packet, only lots of SNMP packets. You'll see this in the second screenshot and also please notice I only put the filter for the IP of the node.

If you guys have any ideas, i'll appreciate the input.

P.S. There is something wrong with the web site and Chrome. I had to use IE to be able to use the Insert Image button. With Chrome I only had a black window open, but no text or buttons of any prompt.

Hello,

I put this on standby for a bit and didnt do much till yesterday.

I set the timeouts as Choly said, but this didnt helped either. Now my thoughts are that maybe is the firewall which is giving me some problems. I set a new rule in the firewall that should let pass all UDP packets to port 2055 from the router I want to monitor.

Is there something I am missing in the firewall?

Hello again,

Well, I think I found a main problem. and is regarding my device. I run some commands to show the flow export from my device and found a disturbing issue.

Router#sho ip flow exp

Flow export v5 is enabled for main cache

  Exporting flows to 10.90.XXX.XXX (2055)

  Exporting using source interface Multilink25

  Version 5 flow records

  29253320 flows exported in 975381 udp datagrams

  0 flows failed due to lack of export packet

  0 export packets were sent up to process level

  0 export packets were dropped due to no fib

  25 export packets were dropped due to adjacency issues

  0 export packets were dropped due to fragmentation failures

  0 export packets were dropped due to encapsulation fixup failures

Router#sho ip flow int

Multilink25

  ip route-cache flow

  ip flow ingress

  ip flow egress

What I find a bit disturbing is the amount of flows and UDP Datagrams, is this normal? Secondly, those 25 packets dropped, what it means? I have to assume that no matter that only 25 dropped since I have so many flows and datagrams sent right?

Lastly, I think the interface is correctly configured. If anything is wrong I'd appreciate an input

Regards,

--Raul

The flow export and datagram counts look normal to me.

The "25 export packets were dropped due to adjacency issues" means that 25 flow export packets were lost due to some transient routing problem on the device that caused it to lose its route to the Orion server (probably an interface flap).

Since your Orion server isn't receiving the flow packets, that's the thing you need to troubleshoot:

1) Can you ping the Orion server from the IP address of Multilink25?

2) Is there a firewall or other packet filter in the middle that's blocking UDP/2055?

Hi jswan,

As I posted above the post you replied to, I have a Firewall. Also, I have set a rule to allow packets from this router to our Orion server on port 2055.

I havent tried the ping, but last night cheking Wireshark, I saw the ICMP packets beetween the server and the router, getting Request and Response, so I assume its reacheable.

In a very old post I saw that it should be the loopback of the router the interface i should be monitoring? Has anyone else tried this?

Regards, Raul

Not sure about the current release, but in earlier releases the node IP address in NPM had to be the same as the NetFlow source address. But since you're not receiving netflow packets on the NPM host at all, that's not your problem. Until you are seeing NetFlow packets received on the NPM host, you're not going to get anywhere.

Something else to look at.  On the Orion server, go to Start > Run > Perfmon.  Open the Performance Monitor and click the + then add all the SolarWinds NetFlow counters.  Once added, change the view from a graph to a report, then see if the server is seeing the flow packets.  While you aren't seeing them as FLOW or CFLOW in Wireshark, they may be coming in simply as UDP packets and Wireshark isn't recognizing them.

Thanks for all the input guys.

Some good news, of the 3 nodes that weren't sending, now I recieve from one more, that puts me on 2/4 for Netflow. Now, probably what helped me, is that this 2 nodes are on-premises, so they don't have to pass by the Firewall. However the other 2 nodes are...elsewhere in the country so they do need to pass the Firewall.

Currently checking the configs of the other nodes and see what I can get.

Will keep posted.