18 Replies Latest reply on Mar 3, 2010 11:00 PM by Bizarro

    NetFlow data not received?

    freemen

      I am running Orion v9 and NetFlow 3.0 SP1.


      For the NetFlow source interface (which is already being managed by Orion), I see values for Traffic In and Traffic Out, but under Last Data Received it says "Never".


      What is going on? Should I rerun the NetFlow configuration commands on the Cisco 2811 source router?


      Thanks for any help.

        • Re: NetFlow data not received?
          davidmaltby

          I would first suggest that you use a sniffer like Wireshark on the machine with the NTA service and verify that you are receiving the NetFlow traffic. If so, verify that the port that it is coming in on is the same that the NTA service is listening on (default 2055).


           Also, on the NTA home page are you receiving any alerts indicating that the NTA service is receiving NetFlow traffic, but maybe on another unmonitored interface?


           


          • Re: NetFlow data not received?

            Here is a list of suggestions I posted in another thread for a user that was having a similar issue with Netflow:

             
            Are you getting any messages on the Netflow page on the Last 25 Events resource saying that you are getting data from an unmanaged resource? When you get this message it means that you are getting the data but it's coming from an IP address that is not being monitored in the Orion System Manager. If this is the case then there are two options to start getting the Netflow data. First, change the managed IP address in the Orion System Manager to match the IP address of where the Netflow source is. Or run a command on the Cisco device that changes the source IP address of the Netflow data. The command should be something like: ip flow-export source (IP Address)

             
            If this is not the case then go to the Run command and type in perfmon and click the + button at the top. Then change the counters to SolarWinds and add all the SolarWinds counters. Once you are back at the graph click the button titled "View Report" and this should give you a text value of the graph. The values you will want to look at are PDU Dropped Unmanaged Interface and PDU Dropped Unmonitored Interface. If they are counting up then Netflow is getting the data but throwing the packets away. If the values are counting then try restarting the Netflow service and if this doesn't work then please open a support ticket so we can investigate further.

             

            However, if the PDU Dropped values are not counting and you are not getting the Event messages stating that you are getting Netflow data from an unmanaged resource then you will want to run a sniffer trace just to make sure that the Netflow data isn't getting blocked by a firewall.

             

            I hope this helps. 

              • Re: NetFlow data not received?
                freemen

                It did help, but I am still getting no data.


                I did verify that port 2055 is allowed through the firewall. I ran Perfmon and saw no incrementing of the referenced counters.


                I then used the NetFlow configurator to make sure that the NetFlow commands were run correctly on the Cisco 2811.


                Could it be the interface that was chosen to monitor is the wrong type or is not passing NetFlow data in the first place?

                  • Re: NetFlow data not received?

                    Since the Perfmon counters are not incrementing I would recommend running a packet capture from the Orion machine to make sure the Netflow data is making it to the server. If the Netflow data is not making it then it is being sent to the wrong location or being blocked. However, if the Netflow data is getting to the server then it's an issue with either the type of Netflow data or how it is encapsulated. If you are showing Netflow data in the packet capture and the Perfmon counters are not incrementing then please open a support case with the packet capture attached.

                      • Re: NetFlow data not received?

                         I am having the same problem although NetFlow data is being received.  Under the NetFlow sources our 4503 switch with a NetFlow PFC card is listed but LAST DATA RECEIVED says NEVER.

                        Like I say we are receiving NetFlow traffic.

                          • Re: NetFlow data not received?

                            4500's and 6500's have an issue where they send out the Netflow data but do not send out the index. Try these commands on the device:

                            Commands from Cisco TAC:

                            ip route-cache flow infer-fields

                            ip flow ingress infer-fields

                            ip flow ingress layer2-switched

                            ip flow-cache timeout inactive 45

                            ip flow-export source GigabitEthernet3/4

                            ip flow-export version 5

                            ip flow-export destination Orion server IP address 2055

                             

                            If this does not work then I would recommend opening a case with support.

                              • Re: NetFlow data not received?

                                Also don't forget to check Windows firewall. Make sure it's disabled or you're allowing traffic on port 2055. Oftentimes this is easily overlooked.

                                  • Re: NetFlow data not received?

                                    Massive thread gravedig here...

                                    I'm trying to get Netflow working also.  Server is Windows 2008, latest version of NCM, NTA, and NPM freshly installed.

                                    Windows firewall is disabled (for now).

                                     

                                    We have a variety of routers at our remote sites that connect back to National Office here via VPN.  I can ping the NTA server successfully from these routers (via VLAN1 which sends the traffic over the VPN link). 

                                     

                                    The router appears in NetFlow Sources, but "Last Netflow Received" says "Never".  I can see the % utilization on the links though, so SNMP is working OK. 

                                     

                                    Here is an extract of the router config (Cisco 877) from the site.  Site IP range is 10.10.2.0/24, and the NTA/NPM/NCM server IP is 10.10.20.26, default port 2055.

                                    !
                                    interface Vlan1
                                     description Internal Network
                                     ip address 10.10.2.254 255.255.255.0
                                     ip inspect Inspect_Outbound out
                                     ip nat inside
                                     ip virtual-reassembly
                                     ip route-cache flow
                                     ip tcp adjust-mss 1452
                                    !
                                    interface Dialer0
                                     description **** Connection to ISP  ****
                                     ip address <blanked out> 255.255.255.0
                                     ip access-group INTERNET-IN in
                                     no ip redirects
                                     no ip unreachables
                                     no ip proxy-arp
                                     ip mtu 1492
                                     ip nat outside
                                     ip virtual-reassembly
                                     encapsulation ppp
                                     ip route-cache flow
                                     ip tcp adjust-mss 1452
                                     dialer pool 1
                                     dialer-group 1
                                     no cdp enable
                                     ppp authentication chap callin
                                     ppp chap hostname <blanked out>
                                     ppp chap password <blanked out>
                                     crypto map mymap
                                    !
                                    ip forward-protocol nd
                                    ip route 0.0.0.0 0.0.0.0 Dialer0
                                    ip flow-export source Vlan1
                                    ip flow-export version 9
                                    ip flow-export destination 10.10.20.26 2055
                                    ip flow-aggregation cache protocol-port
                                     cache entries 2046
                                     cache timeout inactive 199
                                     cache timeout active 45
                                     enabled
                                    !

                                    If I do a show ip flow export

                                    I get this:


                                    Flow export v9 is enabled for main cache
                                      Export source and destination details :
                                      VRF ID : Default
                                        Source(1)       10.10.2.254 (Vlan1)
                                        Destination(1)  10.10.20.26 (2055)
                                      Version 9 flow records
                                      Cache for protocol-port aggregation:
                                        Flow export is disabled
                                      45000 flows exported in 5103 udp datagrams
                                      0 flows failed due to lack of export packet
                                      2 export packets were sent up to process level
                                      0 export packets were dropped due to no fib
                                      0 export packets were dropped due to adjacency issues
                                      0 export packets were dropped due to fragmentation failures
                                      0 export packets were dropped due to encapsulation fixup failures

                                    Not sure if the cache stuff in the config is correct either.  I'm a bit of a Cisco n00b so any help would be appreciated :)
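
An added example, not part of the thread and not SolarWinds or Cisco code: a Python check that applies the thread's collector-side tests to one captured export datagram, reporting the export version, whether the sender address matches the managed IP, and (for v9) whether a template FlowSet is present, which a collector needs before it can decode data FlowSets. The names `inspect_export`, `MANAGED_IP`, `sample_v5` and `sample_v9` are hypothetical, the byte strings are constructed samples, and it assumes "the index" in the 4500/6500 reply means the v5 input/output interface index fields.

```python
import struct
MANAGED_IP = "10.10.2.254"  # assumption: address the node is managed by in Orion

def inspect_export(payload, src_ip, managed_ip=MANAGED_IP):
    """Summarise one NetFlow export datagram seen on the collector port."""
    if len(payload) < 4:
        raise ValueError("too short to be a NetFlow export")
    version, count = struct.unpack_from("!HH", payload, 0)
    info = {"version": version, "count": count, "source_is_managed": src_ip == managed_ip}
    if version == 5:
        # 24-byte header, 48-byte records; input/output ifIndex at offsets 12, 14
        missing = 0
        for i in range(count):
            off = 24 + 48 * i
            if off + 48 > len(payload):
                raise ValueError("truncated v5 record")
            in_if, out_if = struct.unpack_from("!HH", payload, off + 12)
            if in_if == 0 and out_if == 0:
                missing += 1
        info["records_without_ifindex"] = missing
    elif version == 9:
        # 20-byte header, then FlowSets: id 0 template, 1 options template, >=256 data
        off, ids = 20, []
        while off + 4 <= len(payload):
            fs_id, fs_len = struct.unpack_from("!HH", payload, off)
            if fs_len < 4 or off + fs_len > len(payload):
                raise ValueError("malformed FlowSet length")
            ids.append(fs_id)
            off += fs_len
        info["flowset_ids"] = ids
        info["has_template"] = 0 in ids
    else:
        raise ValueError("unexpected export version %d" % version)
    return info

def sample_v5():
    """Constructed v5 datagram: one record with both ifIndex fields zero."""
    header = struct.pack("!HHIIIIBBH", 5, 1, 1000, 0, 0, 1, 0, 0, 0)
    addrs = bytes([10, 10, 2, 5]) + bytes([10, 10, 20, 26]) + bytes(4)
    return header + addrs + struct.pack("!HH", 0, 0) + bytes(32)

def sample_v9():
    """Constructed v9 datagram: a single data FlowSet (id 256), no template."""
    header = struct.pack("!HHIIII", 9, 1, 1000, 0, 1, 0)
    return header + struct.pack("!HH", 256, 8) + bytes(4)

if __name__ == "__main__":
    print(inspect_export(sample_v5(), "10.10.2.254"))
    print(inspect_export(sample_v9(), "192.0.2.10"))
```

Pass it the UDP payload and source address of datagrams taken from a packet capture on the collector (port 2055 by default, per the thread).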