• State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 24 subscribers
  • Views 1548 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Problems with NetFlow

SW4141
I am a BIG orion fan. and desperately want to buy the product. we are a cisco shop and have followed all cisco and solar winds instructions and suggestions from the forums, there is NO consistant performance from this product. sometimes we see 2 routers reporting, sometimes we see 10 sometimes none. with NO changes to our environment. we have done clean installs on new servers, added the netflow add on to our production orion server... no luck. we have demos or some other flow analizers and they do work with our cisco 2811's etc. we would prefer to stay in the orion family and have a leveraged install, but can get NO help from support on our install even though we are an existing orion client with an unlimited license. Can ANYONE help us?
  • 0
    Hello SW4141,
    I'm very glad to hear that you're a big fan of Orion but I'm sorry to hear that you're having trouble with the NetFlow product and that you haven't gotten the answers that you need from tech support. We've had a bit of an ice storm in Tulsa and since most of of the Tier 2/3 guys are in Tulsa this week, they are a bit shorthanded.

    There are a couple of things that could be causing the symptoms that you describe. First, the "NetFlow Sources" resource on the default view of the NetFlow Traffic Analyzer homepage only displays sources that Orion has received NetFlow records from in the last 15 minutes (I don't have the code in front of me, so it could be 10 mintues). If either a) the links that you're analyzing don't have a lot of traffic on them or b) they routers are configured with a long delay in between flow exports, the routers may "disappear" from this list periodically.

    Secondly, it's possible that data is being dropped either between your routers and the NetFlow receiver or between the NetFlow receiver and your SQL server (most likely).

    You can review the install directory for NetFlow and the Windows Event Logs to see if there are any errors related to database connectivity.

    One test that I would recommend that you run would be to visit the NetFlow Inteface Details view for one of your managed interfaces with NetFlow enabled when this interface/router is NOT listed on the NetFlow sources view to see if you have valid data in this other view.

    Please let us know how we can help. Sometimes the best way to troubleshoot these issues is for us to login to your server remotely and see the issue first hand and and compare it to the raw data being received and the data being logged to the database.

    Sincerely,
    Josh Stephens
    SolarWinds R&D
  • 0
    quote:Originally posted by Josh Stephens

    First, the "NetFlow Sources" resource on the default view of the NetFlow Traffic Analyzer homepage only displays sources that Orion has received NetFlow records from in the last 15 minutes (I don't have the code in front of me, so it could be 10 mintues).

    SolarWinds R&D



    SW, it's actually supposed to display active sources for the last 5 minutes, anyone who has Orion Net Flow Traffic Analyser installed can see that as it's printed at the top of the web interface!

    quote:Originally posted by Josh Stephens
    Secondly, it's possible that data is being dropped either between your routers and the NetFlow receiver or between the NetFlow receiver and your SQL server (most likely).

    One test that I would recommend that you run would be to visit the NetFlow Inteface Details view for one of your managed interfaces with NetFlow enabled when this interface/router is NOT listed on the NetFlow sources view to see if you have valid data in this other view.


    Surely you need to see if your router is pumping out netflow stats at the particular time it is not listed.
    You can use something like:
    sho ip cache flow
    sho ip flow export
    sho mls nde
    on your routers to determine flows and the export of them.

    Have you noticed a performance hit since installing Netflow? If so the it may well be your set up is OK, it's just the Net FLow application has issues.
  • 0
    quote:Originally posted by Josh Stephens
    There are a couple of things that could be causing the symptoms that you describe. First, the "NetFlow Sources" resource on the default view of the NetFlow Traffic Analyzer homepage only displays sources that Orion has received NetFlow records from in the last 15 minutes (I don't have the code in front of me, so it could be 10 mintues). If either a) the links that you're analyzing don't have a lot of traffic on them or b) they routers are configured with a long delay in between flow exports, the routers may "disappear" from this list periodically.
    ds R&D

    This setting is configurable. Click the Edit button in the Active NetFlow Sources resource header. You can then set the timeframe for how far back to look for active sources. The default is 5 minutes. Try increasing this to 15 minutes and see if that helps.


    David Perdue
    SolarWinds Development Team
  • 0
    First –
    “Thank you” to everyone for your responses.

    Now from what I am “getting” from these comments is, “Orion Netflow Analyzer only shows the active flows for the past X minutes”. I think that would be GREAT if it would do that.

    A little bit about our layout, we 16 remote offices in a hub and spoke layout, with HQ as our hub. So at HQ we have 2 primary hubs, 1 a frame relay network (serving 6 offices) and the other an MPLS cloud (serving 10 offices). So from what I am being told, I would expect to always see at least the hub routers. I know from other products that we are testing, that traffic is always flowing through those routers. I have never seen the MPLS router show and the Frame Router shows “when it feels like it”.

    To the time frame setting comment –
    We have tried everything from 5 minutes out to 1 hour. We get even less information the larger the time frame!?!

    To the SQL comment –
    Orion and MS-SQL are running on the same server. That server is a dual 4gig Xeon processor with 8 gig ram. The database is stored on a local 170gig 4 drive raid 5 array. In our monitoring of the server CPU has not gone over 40%. The database size is only 7.8 gig, at this time.

    To the comment “SW, it's actually supposed to display active sources for the last 5 minutes, anyone who has Orion Net Flow Traffic Analyser installed can see that as it's printed at the top of the web interface!”

    I wish it would show me that information! The main problem seems to be that there is no consistency as to when a device will or won’t show. Again I know there is traffic flowing through our primary routers at all times.

    Again I WANT this to work, I am not trying to shot it down. But other products like “ManageEngine Netflow Analyzer 5”, do show the flows of all the routers with all their interface and history.

    Maybe after things get back to "normal" someone from Solarwinds would contact us. I will be the first to admit that I might have something set up wrong, please show me.

    Again thank you for your comments.
  • 0
    To help trouble shoot this problem we have set up the routers to send information to two analyzers, one being Orion Netflow and the other being ManageEngine Netflow Analyzer 5. Both of the analyzers are on the same subnet and same infrastructure.

    Data and information is being displayed with the ManageEngine product but not with the Solarwinds product.

  • 0
    I am sorry if my tone has offended anyone, i really do need the help of the group. my problem is really that this is not my first time at the prom. i have netflow WORKING in my environment. other product demo's work and show expected results. additionally all the demo/eval boxes are on the same net. listening to the same flow info from the same routers with no firewalls etc between the flow boxes and the routers in question so we can do a head to head comparison. i know that the routers are configured correctly. i just cant get orion to display the information it is recieving.
    my cisco config for netflow is pretty much the same everywhere. and here it is:
    !
    !
    ip cef
    !
    ip flow-cache timeout active 1
    !
    interface FastEthernet0/0
    ip route-cache flow
    !
    interface Serial0/0/0
    ip route-cache flow
    ip flow-export source Serial0/0/0
    !
    ip flow-export version 5
    ip flow-export destination 172.25.99.221 2055
    ip flow-export destination 172.25.99.222 2055
    !
    (172.25.99.222 is our orion box, 172.25.99.221 is our Neteval2 box currently running ManageEngines' NetFlow Analyzer5)

  • 0
    Are the flow services installed and running? are you using the same TCP port on the Orion server as in your router config (ie 2055)?
  • 0
    Yes. the port is correct and the routers werify good flow data export with the show ip flow export command:

    sho ip flow export
    Flow export v5 is enabled for main cache
    Exporting flows to 172.25.99.221 (2055) 172.25.99.222 (2055)
    Exporting using source interface FastEthernet1/0
    Version 5 flow records
    383233807 flows exported in 12774462 udp datagrams
    0 flows failed due to lack of export packet
    5 export packets were sent up to process level
    0 export packets were dropped due to no fib
    11 export packets were dropped due to adjacency issues
    0 export packets were dropped due to fragmentation failures
    0 export packets were dropped due to encapsulation fixup failures

    Additionally the other products we are evaluating show the data fine. only one prodict at a time is installed on any one server. we just are not having much luck with orion's netflow plug in.
  • 0
    One of my customer have exactly the same issue. I already send the request include Screen Capture to support but until today still have not receive any reply yet. I hope this issue can be solve ASAP.

    Kenny Lai
  • 0
    I see something that may be an issue:

    quote:Exporting flows to 172.25.99.221 (2055) 172.25.99.222 (2055)
    Exporting using source interface FastEthernet1/0


    You should be using the Loopback interface for Orion monitoring, as well as the source interface for your Netflow exports. In this case you are using the Fa1/0 interface, which is not recommended.
    Just make sure Orion & Netflow are using the same interface....



    -=Cheers=-
    NG

    ~seek & ye shall find---> [url="http://www4.solarwinds.net/SolarWindsForum/search.asp"] <---no need to wait for answers~

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.