14 Replies Latest reply on Aug 12, 2010 5:17 AM by toms003

    can't get NetFlow data to start

    freemen

      I have installed NTA v3, SP4. Have followed the steps to designate a NF source from a Cisco 7206 router. I used the NetFlow Configurator to configure it. When I check the configuration, I see the ingress and egress commands, but I see nowhere in the configuration where it designates the IP address of my Orion server as the destination of the NF data. Also, no mention of the version of NetFlow being utilized.


      Then, on the NetFlow details page, I see traffic in and out values on a green interface, but under "date last received" it says NEVER. Cannot click on the interface to bring up an Interace Details view either. Also, on the Niode Details page, there is a resource for Top 10 NetFlow Sources by % Utilization. It is showing traffic for a bunch of interfaces. But, none of the interfaces appearing there are the ONE interface I designated on the Settings page as the source. How is that happening?


      I need some guidance on NTA. Thanks so much for any help.

        • Re: can't get NetFlow data to start
          freemen

          Really need urgent help on this one. Thanks.

            • Re: can't get NetFlow data to start
              Andy McBride

              Hi Freeman,


              Not too sure what is going on with this issue. I suggest opening a ticket and support can help you through it.


              Andy

                • Re: can't get NetFlow data to start
                  freemen

                  Thanks, Andy. I will do that if necessary. By the way, I can see by the ip route cache flow command on the router that it is set up to send NF data to the Orion server, and I can see the various NF stats. So, we are wondering if the packets are getting dropped somewhere on the network before getting to Orion.


                  Right now, I am setting up a "lab router" to make sure that NetFlow Configurator is setting up the NetFlow commands correctly so I can make sure that Orion is not the problem.

                    • Re: can't get NetFlow data to start
                      Andy McBride

                      Does sho ip flow export indicate the NTA server's IP address?

                        • Re: can't get NetFlow data to start
                          freemen

                          Yes, it does. But a show run command does not show a destination address for the Orion server in the configuration. Is that normal?

                            • Re: can't get NetFlow data to start
                              freemen

                              Andy,


                              Well, the NetFlow data started appearing on the website after the source router was rebooted. Does that make sense? Is ti possible that the configuration changes didn't take until the reboot?\


                              In any event, NetFlow data is now flowing on a production router. The lab router still has no data though. The last thinfg we did was connect the test router directly to the same switch that the Orion server is connected to. The hope was that we would be removing any network devices that might have been dropping the NF PDUs as they traverse the network between the router and the Orion server. However, still no data.


                              Thoughts?

                                • Re: can't get NetFlow data to start
                                  Andy McBride

                                  Quite odd. I have never needed to reboot to get flows to export but the ol' reboot has proven to have strange results before. Is the lab router similar in IOS and hdwe to production?

                                    • Re: can't get NetFlow data to start
                                      freemen

                                      Yes, they are essentially the same IOS version. May never figure this one out.


                                      I suppose at this point, I am just wondering what "checklist" I should keep handy to consult when the data does not immediately flow into Orion when I expect it to.

                                        • Re: can't get NetFlow data to start
                                          freemen

                                          Got an opinion on this Andy?

                                            • Re: can't get NetFlow data to start
                                              Andy McBride

                                              Oh, I've got tons of opinions!!  :)


                                              What I do is


                                              1. check to see that the source is listed in the NetFlow Sources Resource. and the the NetFlow receiver is up and on the correct port.


                                              2. check the NetFlow Events Resource to see if the flow is being received on an unmanaged node or IF If it is note that the node/IF is unmanaged go to Orion and add it.


                                              3. check that sql is up and healthy


                                              if it just looks like all is good with NTA but you don't see the data try capturing packets at the server IF and see if they are even making it to the receiver. This is easier than troubleshooting the exporter which varies with almost each make/model/IOS.


                                              Sometimes bouncing  the NetFlow service can work to if you have verified all else.

                                              • Re: can't get NetFlow data to start
                                                kweise

                                                One thing I've done in the past to see if the flow is actually reaching the Orion server is to grab a packet capture on the Orion server using Wireshark.  If it is actually making it to the server, you at least know the router is exporting the data properly. 

                                                In order for NTA module to receive and process the flow data, the source IP address of the router needs to match the IP address Orion is using to monitor the node.  If you are sourcing the NetFlow data from a different IP address than the one assigned to the node in Orion, the NTA module will never see the flow.  Another thing to check is to ensure that the interfaces that you've added your ip flow ingress or egress statements to (or ip route-cache flow statement for older versions of IOS) are being monitored in Orion.  If Orion isn't monitoring the interface, you'll get an error in the event log stating Orion is receiving netflow data for an interface that isn't being monitored.  It will give you the index number of the interface and tell you to add it to the node to be monitored. 

                                                Hope this is somewhat helpful.  Let us know if you see the flow data in your packet capture.

                                                  • Re: can't get NetFlow data to start
                                                    freemen

                                                    Thanks for the input all. One other question.. could rebooting the router have caused the config changes to enable NetFlow to kick in when the startup config loaded? Maybe the running config didn't actually effect the changes that were needed?


                                                    By the way, we never saw any error messages in Orion, and I had already verified the cource IP address  and that the interface was being monitored.


                                                    Just one of those strange things.