3 Replies Latest reply on Apr 13, 2009 8:35 AM by ebradford

    Not getting other domain info in Netflow

    ebradford

      I've been reading many of the netflow posts online here, but haven't found one that is satisfying this situation. Here are relevant lines (I think) from our 6509 config.

      interface Vlan1
       ip address 10.1.1.2 255.255.0.0
       ip flow ingress
       ip route-cache policy
      end

      All VLANs have "ip flow ingress", not all have "route-cache policy". Here are the global settings:

      ip flow-export source Vlan1
      ip flow-export version 5
      ip flow-export destination [OrionIPaddr] 2055

      Orion is set up to monitor the 6509 using the 10.1.1.2 IP address, and all VLANs and physical interfaces. I have used show snmp mib ifmib ifindex to verify that the newest VLANs created on the 6509 are being monitored by Orion (that I haven't missed any). We are using Orion 9.1 sp3 and Netflow 3.0sp3. Some IP flow information is verified being reported to Orion.

      This is the show ip flow export info:

      Flow export v5 is enabled for main cache
        Export source and destination details :
        VRF ID : Default
          Source(1)       10.1.1.2 (Vlan1)
          Destination(1)  [OrionIPaddr] (2055)
        Version 5 flow records
        4942560 flows exported in 216359 udp datagrams
        0 flows failed due to lack of export packet
        0 export packets were sent up to process level
        0 export packets were dropped due to no fib
        0 export packets were dropped due to adjacency issues
        0 export packets were dropped due to fragmentation failures
        0 export packets were dropped due to encapsulation fixup failures
        0 export packets were dropped enqueuing for the RP
        0 export packets were dropped due to IPC rate limiting
        0 export packets were dropped due to Card not being able to export

      Here is the beginning of sho ip cache flow:

      Displaying software-switched flow entries on the MSFC in Module 5:

      IP packet size distribution (6372958 total packets):
         1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
         .001 .782 .082 .007 .004 .026 .003 .001 .001 .000 .001 .000 .001 .000 .000

          512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
         .000 .000 .001 .001 .078 .000 .000 .000 .000 .000 .000

      IP Flow Switching Cache, 278544 bytes
        35 active, 4061 inactive, 10053212 added
        252220025 ager polls, 0 flow alloc failures
        Active flows timeout in 30 minutes
        Inactive flows timeout in 15 seconds
      IP Sub Flow Cache, 33992 bytes
        35 active, 989 inactive, 10052402 added, 10052402 added to flow
        1622 alloc failures, 198 force free
        1 chunk, 7 chunks added
        last clearing of statistics never
      Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
      --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
      TCP-Telnet         297      0.0       108    41      0.0      15.0      14.8
      TCP-FTP            240      0.0         7    56      0.0       1.5       5.5
      TCP-WWW         108714      0.0         1   180      0.0       0.0      13.4
      TCP-SMTP           293      0.0       123  1156      0.0       2.9       2.6
      TCP-X                1      0.0         1    52      0.0       0.0      15.0
      TCP-other      4600720      1.1         1   180      1.3       0.0      15.4
      UDP-DNS           2710      0.0         1    64      0.0       0.2      15.4
      UDP-NTP          68764      0.0         1    76      0.0       0.0      15.5
      UDP-TFTP            96      0.0         2    59      0.0       4.2      15.5
      UDP-other        99694      0.0         4   102      0.1       4.5      15.4
      ICMP             61795      0.0         4   122      0.0       1.9      15.4
      IGMP                 6      0.0         1    35      0.0       1.9      15.6
      GRE                 10      0.0         6   131      0.0       4.5      15.7
      IP-other            57      0.0      1628    40      0.0    1741.2       1.0
      Total:         4943397      1.2         1   174      1.6       0.1      15.3

      So you can see that flows are being created. Orion is receiving flow information. For example, from the top-5 Applications:

      Application                                  Total Bytes   Total Packets      Percent
      Port 992 telnet protocol over TLS/SSL (992)  12.3 Gbytes   25.5679 M packets  59.27%

      But, under top 5 domains, only a single domain -- our internal domain -- is being listed, despite that I know we have cross-domain traffic. There are other informational items that are missing... a huge file (45 MB) was transferred from a VLAN 1 computer to another branch, but that conversation is not showing up under top XX conversations (even though a conversation of just 110KB does make the list).

      Does anyone have any idea why some flow data would be represented, but not all of it?

      Thanks, Eric

        • Re: Not getting other domain info in Netflow

          The domain resolution is done via Windows DNS resolution within the NTA collector.  For a given address that isn't resolving to a domain that you expect, go to the command-line on the NTA collector machine, and verify that you can get a reverse DNS resolution for that address:

          nslookup <some IP address>

          If you don't get a resolution to the domain you expect, then you have a DNS resolution issue, and may need to adjust the config for your DNS server(s).
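          The reply above describes the check: the collector labels traffic by domain only after a reverse (PTR) lookup of each endpoint address succeeds. The script below is an added example, not code from this thread or from SolarWinds; it groups flow bytes by the domain of each endpoint's PTR name and separately totals the bytes for addresses that do not resolve, so a missing reverse zone shows up as a collapsed domain list plus an "unresolved" bucket instead of silently vanishing from a top-N domains view. The default resolver uses socket.gethostbyaddr; the PTR table and flows in the sample are constructed, and the lookup function is injectable so the example runs offline.

```python
"""Group flow bytes by the reverse-DNS domain of each endpoint, the way a
collector's "top domains" view has to, and surface what fails to resolve."""
import socket


def reverse_lookup(ip: str):
    """Real PTR lookup via the host resolver; None when there is no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def domain_of(fqdn: str) -> str:
    """Strip the host label: 'pc50.corp.example.' -> 'corp.example'."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else fqdn


def domains_by_bytes(flows, lookup=reverse_lookup):
    """flows: iterable of (ip, byte_count). Returns (per_domain, unresolved)
    dicts of byte totals. Addresses with no PTR answer land in `unresolved`
    rather than being attributed to any domain."""
    per_domain, unresolved, cache = {}, {}, {}
    for ip, nbytes in flows:
        if ip not in cache:               # one lookup per address, like a collector would
            cache[ip] = lookup(ip)
        name = cache[ip]
        if name is None:
            unresolved[ip] = unresolved.get(ip, 0) + nbytes
            continue
        dom = domain_of(name)
        per_domain[dom] = per_domain.get(dom, 0) + nbytes
    return per_domain, unresolved


def top_domains(flows, n=5, lookup=reverse_lookup):
    """The collector-style top-N list: (domain, bytes) sorted by bytes."""
    per_domain, _ = domains_by_bytes(flows, lookup)
    return sorted(per_domain.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample data (not from a real capture): an internal host, a
# branch file server, and an address with no PTR record at all.
SAMPLE_PTR = {
    "10.1.1.50": "pc50.corp.example",
    "10.1.1.51": "pc51.corp.example",
    "198.51.100.7": "fileserver.branch.example",
}
SAMPLE_FLOWS = [
    ("10.1.1.50", 110_000),
    ("198.51.100.7", 45_000_000),
    ("10.1.1.51", 25_000),
    ("192.0.2.9", 5_000),
]


def table_lookup(ip):
    """Offline stand-in for reverse_lookup, backed by SAMPLE_PTR."""
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    per_domain, unresolved = domains_by_bytes(SAMPLE_FLOWS, table_lookup)
    print("by domain:", per_domain)
    print("unresolved:", unresolved)
    # Drop the branch PTR: the 45 MB transfer disappears from the domain view.
    broken = {k: v for k, v in SAMPLE_PTR.items() if not k.startswith("198.")}
    print("with branch PTR missing:", top_domains(SAMPLE_FLOWS, lookup=broken.get))
```

Run it against the addresses that appear in the conversations view (the far end of the 45 MB transfer, for instance) with the real resolver; whatever lands in `unresolved` is exactly what the collector cannot file under a domain, and is the list to take to whoever owns the reverse zones.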

          • Re: Not getting other domain info in Netflow
            jswan

            You might need the "mls nde sender version 5" command. Without this, all my data plane flows were exported as version 7.
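            jswan's point is that the hardware-switched (NDE) flows can leave the 6509 in a different export version than the MSFC's software-switched ones, and a collector configured for v5 will not decode those datagrams, so a share of the traffic is simply never seen. The Python script below is an added example, not code from this thread or from SolarWinds; it decodes the NetFlow v5 header and 48-byte record layout and, for any other version, records only the version field, so you can feed it the UDP payloads of port 2055 traffic from a capture and see which versions the switch is actually sending and how many flows each carries. The two sample datagrams and all addresses in them are constructed; the version-7 sample is only a header with the version set to 7 followed by padding, enough for the version check and nothing more.

```python
"""Decode NetFlow v5 export datagrams and tally the export version of each one."""
import ipaddress
import struct
from collections import Counter

V5_HEADER = struct.Struct(">HHIIIIBBH")                # 24 bytes per RFC 3954 appendix / Cisco v5 format
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record


def parse_datagram(data: bytes) -> dict:
    """Return {'version', 'count', 'records'}.

    Only version 5 is decoded. Any other version is reported but left alone,
    which mirrors what a v5-only collector does with it: nothing."""
    if len(data) < 4:
        raise ValueError("datagram too short for a NetFlow header")
    version, count = struct.unpack_from(">HH", data, 0)
    result = {"version": version, "count": count, "records": []}
    if version != 5:
        return result
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("v5 datagram truncated: header promises %d records" % count)
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(
            data, V5_HEADER.size + i * V5_RECORD.size)
        result["records"].append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "input_ifindex": in_if, "output_ifindex": out_if,
            "packets": pkts, "bytes": octets,
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
        })
    return result


def build_v5_datagram(records) -> bytes:
    """Encode a list of record dicts (as produced above) into a v5 datagram."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(r["src"]).packed,
        ipaddress.IPv4Address(r["dst"]).packed,
        b"\0\0\0\0", r["input_ifindex"], r["output_ifindex"],
        r["packets"], r["bytes"], 0, 0, r["sport"], r["dport"],
        0, r.get("tcp_flags", 0), r["proto"], 0, 0, 0, 16, 16, 0)
        for r in records)
    return header + body


def tally_versions(datagrams):
    """Count datagrams and advertised flows per export version.

    If the 6509 is exporting its hardware-switched flows as v7, that shows
    up here as a second version with a large flow count."""
    datagrams_per_version, flows_per_version = Counter(), Counter()
    for d in datagrams:
        parsed = parse_datagram(d)
        datagrams_per_version[parsed["version"]] += 1
        flows_per_version[parsed["version"]] += parsed["count"]
    return datagrams_per_version, flows_per_version


# Constructed sample data (not a real capture): two v5 flows from VLAN 1 hosts
# to a branch server, and a datagram whose header claims version 7.
SAMPLE_FLOWS = [
    {"src": "10.1.1.50", "dst": "198.51.100.7", "input_ifindex": 1, "output_ifindex": 12,
     "packets": 80, "bytes": 110_000, "sport": 49152, "dport": 445, "proto": 6},
    {"src": "10.1.1.51", "dst": "198.51.100.7", "input_ifindex": 1, "output_ifindex": 12,
     "packets": 31_000, "bytes": 45_000_000, "sport": 49153, "dport": 445, "proto": 6},
]
SAMPLE_V5 = build_v5_datagram(SAMPLE_FLOWS)
SAMPLE_V7 = struct.pack(">HHIIIII", 7, 1, 0, 0, 0, 0, 0) + bytes(52)  # version 7, one record, padding

if __name__ == "__main__":
    by_dg, by_flow = tally_versions([SAMPLE_V5, SAMPLE_V7])
    for v in sorted(by_dg):
        print("version %d: %d datagrams, %d flows" % (v, by_dg[v], by_flow[v]))
    for rec in parse_datagram(SAMPLE_V5)["records"]:
        print(rec["src"], "->", rec["dst"], rec["bytes"], "bytes")
```

If the tally shows flows arriving under any version other than the one configured with "ip flow-export version", those flows are the ones the collector is discarding, and the switch-side export version (the "mls nde sender version" setting on this platform) is where to look.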

            • Re: Not getting other domain info in Netflow
              ebradford

               Just a follow-up. The issue has been resolved for a good while now... I was waiting to see if the problem would come back. The issue has some support as a DNS issue, as our third and fourth DNS servers went down that day (among some other systems). However, our primary and secondary DNS servers were still working; our SolarWinds server is configured to the primary and secondary.

               Since the problem kind of healed itself, it seems related to whatever the problem was that caused the outages, if not caused by the 3rd & 4th DNS server outage.

              Thanks for the suggestions.