• State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 24 subscribers
  • Views 1226 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

receiving a NetFlow data stream from an unmanaged interface

kdalgaard

Hi,

I have setup netflow on two cisco devices, one cisco6506 with sup720 and one cisco7604 with sup720.

software on cisco6506 sup720: 122-33.SXI

software on cisco7604 sup720:122-33.SRC2

 

NetFlow Traffic Analyzer version: 3.5 SP1

NPM 9.5

 

Between these units i have a single fiber cable, running layer3 bewteen them. Each of the devices has several layer3 interface, where some of them are to other locations. And I want to netflow monitor all traffic over this link.

I also have a redundant setup, but this is not importan know.

In a test setup, I have added only these two devices, and added the physical and the logical (vlan) interface to the NPM. In the NTA I have added only the logical interface in this case vlan1107.

My Cisco netflow configuration on both units looks like this:

mls netflow interface
mls flow ip interface-full
!
ip flow ingress layer2-switched vlan 1107 (I know, this is only if you want layer2 traffic, and in this case i am running layer3 )                        
!
mls nde sender
mls nde interface (default at cisco, NOT shown in configuration)
!                       
ip flow-export source Loopback1
ip flow-export version 5                     
ip flow-export destination 10.73.23.20 2055
mls aging long 64
mls aging normal 64
!                       
intervlan 1107
  ip flow ingress
  ip route-cache flow (default at cisco6500, NOT shown in configuration)


I get these error mesages:                       

NetFlow Receiver Service [xxxxxx] is receiving a NetFlow data stream from an unmanaged interface on x.x.x.x. The NetFlow data stream will be discarded. Please follow the link x.x.x.x or use the Orion System Manager to add Interface '#64' in order to process this NetFlow data stream.

And because of this error messages, my netflow traffic is discarded. The only traffic I see, are Management traffic wich are going directly to the interface.

In my cisco netflow table, I can see all my traffic.

 

I'am getting the error messages from all my layer3 interfaces. And I have double check that these SNMP IF indexs really exist on my router :)

show snmp mib ifmib ifindex

I can see that several others here om thwack, have simular problems, but I haven't found the solution yet. Maybe I haven't search well enourgh???

 

I can make the error-messages to disappear in two ways:

1: Add all my logical interfaces to my NTA!!! But can this truly be wright??

2: I can enable: "Monitoring of flows from unmanaged interfaces" in the NTA!!! But what is the consequence of this??

Is there a third way?

Or is it because I am doing something wrong (proberly)!!!!

 

Thanks

Kenneth

  • 0

    The issue may be that traffic is flowing through other unmanaged interfaces on your switches to the one managed interface that is exporting flows.

    I would suggest enabling "monitoring of flows for unmanaged interfaces".   The consequence of this is that if at least one of the interfaces contained in the flow is managed, the NetFlow data should not be dropped.

  • 0

    I asked the same question a while back and was told to the messages can not be blocked. I am monitoring flows on my t1 circuit, data vlan, and voice vlan. I get a message that it is receiving flows from the loopback interface. if i change to monitor the loopback, i get messages saying that it is getting flows from T1, data, and voice vlans. Either way i get the same info in the flow, but i get less messages the first way. I have yet to find a way to stop that message.

  • 0 in reply to chris.lapoint

    Hi Chris

    Thanks for your reply..

    This is also the conlusion that I have reached. And I know that I can use the "monitoring of flows of unmangede interfaces", So this will proberly be my solution.

    Do you know how the netflow engine react, if "someone" in our organisation, have configure another router to send netflow packets to NTA, and this router is not in the NPM and we don't want to recieved netflow from this router. Will these packets be discardet???

    What I worry about here is that the Data the NTA is giving me are'nt correct?

    I have been sniffing my netflow packets, and I can se da my source snmp interface index is always #50, witch matches my vlan 1107 where I have my "ip flow ingress" on.

    But my destination snmp interface index various depanding where the traffic is going. This should be normal behavier for netflow packets.

    So the traffic I'm recieving are always flowing throug my "managed inteface" which are netflow enable om my router and to one of my destination interfaces.

    I suspect the Solarwinds Netflow engine to look at these destination snmp interface index, and if the destination snmp interface index is not manage it will create a "unmanaged interface" error and discard the packet, I'm I totatlly wrong here????

    Or is there another explanation on this?

    Thanks

    Kenneth

  • 0 in reply to chris.lapoint

    Turning on monitoring of flows for unmanaged interfaces does allow you to monitor the flows from those interfaces, but you will still have the error messages saying that you are recieving flow from unmanaged interfaces. Also, you want to be careful about which interfaces you pull flows from, as you can start getting double data. Example would be monitoring the serial interface of a router and the data sub interface of the ethernet, you will get any data from the ethernet interface + you will get the same data as it passes through the serial interface and it will throw your numbers off.

  • 0 in reply to r0berth1

    Just FYI, we're working on fixing the extraneous event log entry issue.   If you have "monitoring of flows from unmanaged interfaces" option enabled, we'll suppress the "flows from unmanaged interface detected" event log entries since you have explicitly agreed that this behavior is acceptable.

  • 0 in reply to chris.lapoint

    Hi...

    Besides this thread I have also created a Ticket at SolarWinds, and I got this answer

    Error [received traffic from unmanaged interface] means, that one of interface in flow is not managed by Orion, so we can't map interfaceIndex to InterfaceID. By default we require both interfaces be managed by Orion. If user don't want to manage all interfaces for some reason, he need to enable option [Monitoring of flows from unmanaged interfaces] in NTA admin section. Than all unmanaged interface indexes will be replaced by zero and warning message that we drop traffic will be fired only in case, that both interfaces in flow are unmanaged by Orion."

    I know now that my NTA is "working as designed" emoticons_happy.png

    And in my case, as earlier told, I will go with "Monitoring of flows from unmanaged interfaces".

    Thank you all, for your replies

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.