Level 7

Not receiving Netflow data

Hi all. I am a rather inexperienced Orion/NetFlow user. I downloaded the trial version and installed the full suite on a desktop placed outside our firewall. I collected NetFlow data (v5) just fine. However, the goal is to collect it from inside our network, before the firewall. The firewall is many-to-one NATting everything. This seems to be the only difference. I had the firewall ports opened: 2055 and 9996 (I believe), 161, etc. I can add the device, but it still shows "down". It shows the router (a Cisco 2821) as being a NetFlow source, and my router is indeed configured and set up to send to the collector.

What is happening? I have searched for days and can't seem to find the answer. I even changed to version 9 on the router to see if that would help (I heard v9 is configured to work with NAT)...

Any help would be appreciated.

5 Replies
Product Manager

You'll need to set the NetFlow destination to be the external interface of your firewall, then create a firewall port forward for UDP port 2055 to forward to the machine where Orion NetFlow Traffic Analyzer is installed. You'll still need to add the router and monitor its interfaces with Orion NPM (Network Performance Monitor), but you shouldn't need any special port/address translations for that to happen.

Depending on your firewall, you may need to allow the traffic through the firewall. You'll need to allow UDP port 161 bidirectionally to/from your Orion server and the router that's sending the NetFlow data. You'll also want to allow ICMP echo requests from the Orion server to your NetFlow router, and accept the ICMP echo reply packets back through the firewall from your NetFlow router to your Orion server. Additionally, you might need to allow UDP port 2055 to the firewall for the port forwarding to work properly.

Level 7

Hi,

I know this is an old topic, but why do we need to allow ICMP from the router toward the NetFlow collector?


@vladani19 I don't think you need ICMP specifically to be allowed, but the router needs to be monitored in some way by NPM, whether it is ICMP, SNMP or others.

Level 7

That is a really great response! Some of it I had already tried, but the idea of sending the NetFlow to the firewall interface did not come to mind. Would this not render this port a mirror port? When spanning or port mirroring in Cisco IOS, the destination port is no longer switchable or routable. It just copies packets. Just a little nervous..........

Product Manager

Because the firewall is doing NAT, there's no direct route from the router to the server running NTA, so these packets need to be port forwarded through the firewall to the Orion server to get the flows to NTA. This is the reason you'll need to set the NetFlow destination on the Cisco router to the firewall itself. Ultimately these packets should be redirected/forwarded to the appropriate destination by the firewall, so it's just semantics.

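An added example, not from this thread or from SolarWinds: a minimal NetFlow v5 datagram decoder of the kind you can run on the collector host to confirm that export datagrams actually arrive through the port forward and to see which exporter address they carry. It also shows the NAT caveat behind the answers above: a v5 header and its records contain no exporter IP, so a collector can only attribute flows by the datagram's UDP source address, and behind many-to-one NAT that address is the firewall's, not the router's. The NAT address 203.0.113.1, the router 10.1.1.1 and the sample flow are constructed values.

```python
import ipaddress
import struct

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
# Neither part carries the exporter's own IP address, so attribution of a
# datagram to a router relies entirely on the UDP source address.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_v5(datagram: bytes):
    """Decode one NetFlow v5 export datagram, rejecting malformed ones."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    ver, count, uptime, secs, _nsecs, seq, etype, eid, _samp = V5_HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError(f"expected NetFlow version 5, got {ver}")
    if not 1 <= count <= MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine": (etype, eid)}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "sport": f[9], "dport": f[10], "proto": f[13], "packets": f[5], "bytes": f[6],
        })
    return header, records


def classify_exporter(udp_src: str, nat_external: str, managed: set) -> str:
    """Attribute a datagram the only way a v5 collector can: by its UDP source.
    Behind many-to-one NAT every exporter shares the firewall's address (assumed
    here to be 203.0.113.1), so the real router cannot be identified from the packet."""
    if udp_src == nat_external:
        return "nat-masked"
    return "managed" if udp_src in managed else "unmanaged"


def build_sample() -> bytes:
    """Constructed datagram: one record for a TCP flow 10.1.1.5:50000 -> 192.0.2.10:443."""
    rec = V5_RECORD.pack(ipaddress.IPv4Address("10.1.1.5").packed,
                         ipaddress.IPv4Address("192.0.2.10").packed,
                         ipaddress.IPv4Address("10.1.1.1").packed,
                         1, 2, 12, 9000, 1000, 2500, 50000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    hdr = V5_HEADER.pack(5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)
    return hdr + rec
```

To use it on a live collector, bind a UDP socket on port 2055, pass each received payload to `parse_v5` and the sender address from `recvfrom` to `classify_exporter`.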