Router 1841 IOS 12.4 and ingress flow

FormerMember

Hi guys,

Just using NTA to monitor internet bandwidth on multiple sites. I have no problems where I am using ASA firewalls or 2900 or 2800 routers, but where I am using a 1841 as internet gateway, I can only see the EGRESS traffic from the public interface, even if the netflow summary shows me correctly the traffic in and out speed on the interface.

here is some of the configuration and some outputs, any idea?

 

#sho ver
Cisco IOS Software, 1841 Software (C1841-IPBASEK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)

#sho run int fa 0/0
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.240
 ip access-group internet-filter in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 duplex auto
 speed auto
 no cdp enable
end

ip flow ingress is also applied to all internal interfaces

ip flow-export source FastEthernet0/0/0.20
ip flow-export version 9
ip flow-export destination 192.168.x.x 2055

 

#sho ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       192.168.x.x (FastEthernet0/0/0.20)
    Destination(1)  192.168.x.x (2055)
  Version 9 flow records
  1197764 flows exported in 54922 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  1 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

 

 

#sho ip cache flow
IP packet size distribution (17670009 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .420 .129 .016 .023 .008 .008 .017 .008 .011 .013 .020 .011 .011 .009

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .004 .003 .005 .154 .121 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  83 active, 4013 inactive, 1190725 added
  26472249 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  83 active, 941 inactive, 1190723 added, 1190723 added to flow
  0 alloc failures, 0 force free
  1 chunk, 2 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW         118501      0.1        27   140      5.4       3.4       8.7
TCP-SMTP            33      0.0       986   976      0.0       9.9       1.5
TCP-BGP          19138      0.0         2    49      0.0       8.0      15.4
TCP-other       260769      0.4        21   210      9.4       8.4      10.0
UDP-DNS         149542      0.2         1    69      0.2       0.0      15.4
UDP-NTP          80162      0.1         1    76      0.1       0.0      15.4
UDP-other       481839      0.8        17   578     13.9       3.2      15.4
ICMP             73582      0.1         1    85      0.2       1.7      15.5
GRE               7076      0.0         3   143      0.0       9.4      15.4
Total:         1190642      2.0        14   369     29.7       3.8      13.6

-------------removed the ip to ip flow part--------------------

 

 

Thank you,

 

R

mavturner

riccardo, it might be best to go ahead and open a support case (reference this thread when you do). 

Here is some comments from one of our support guys who I asked to look at your post:

 

With the information provided the only thing I  see that might be causing the issue is the Access-list applied “ ip access-group internet-filter in” or other access-list.

The Egress traffic that is being collected is collected from the other interfaces.

Since they are performing NAT on the public interface I would recommend having both Ingress and Egress on the other interfaces.  This should capture Ingress on the public interface when going in the Egress direction on the internal interfaces