Flows stop after circuit bounces.

I have seen that. I reloaded the router and it started sending flows again. I did not try re-entering the netflow configs but obviously that is less intrusive. I would do a packet capture on the NTA server and see if the flows for that interface are halting when the interface comes back up. If that is the case then TAC would be your next step.

cant do a packet capture on that server that would show anything useful, it is a VM. I have tried that several times but nothing that stands out.

Seeing as it restarts when the config is changed I'd say it is a problem in the device.

I have run a few packet captures on the Orion box and checked the show ip  flow export and noticed that if the circuit drops for 3 min, the router is still exporting flows,  but NTA now sees the flows coming from the Lo0 port instead of the S0/0/0 and because the device is not added to orion by the Lo0 ip it is blocking the flows. the only way to fix it is either typing in ip flow-export source s0/0/0 again on the router or rebooting the router.

i have changed the config of my routers and now just waiting on the next circuit drop to see if any of that fixed the problem. the config used to look like:

ip flow-export source s0/0/0

ip flow-export version 5

ip flow-export destination 0.0.0.0 000 (ip and port removed for security :-))

int s0/0/0

ip route-cache flow

now it looks like:

ip flow-export source s0/0/0

ip flow-export version 5

ip flow-export destination 0.0.0.0 000 (removed again :-))

ip flow-cache timeout active 1

ip flow-cache timeout inactive 15

snmp-server ifindex persist

int s0/0/0

ip route-cache flow

I doubt that this will fix the problem and since i am not able to get flow working by changing the device IPs in orion to be the Lo0 ips and changing the ip flow-export source to Lo0 i guess that i will just have to deal with going to each router that dies and typing in the ip flow-export source s0/0/0 every time a circuit dies for longer than 3 min.

All routers are Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(7a), RELEASE SOFTWARE (fc3)

As I suspected, this did not fix the problem. Guess i will try to change a few devices to be monitored by the Lo0 ip and see what happens.

Hi Robert. Thanks for the update and sorry it didn't work. Could you keep us posted on your progress?

Thx,

M

I will keep the updates coming. I did change several of the branches that drop often to the monitoring by LoO IP. Just a matter of time before one drops again. I will post the results here.

Awesome, thanks!

M

This is for my Cisco 2811s. I am still working on the 6509 configs.

While I wait for another drop, here is how I currently have it set up:

1. I added the devices to Orion NPM by the Loopback IP Address.

2. Setup NetFlow as follows:

  a. For the sub-interface on the S0/0/0, I entered the following commands:

     a1. ip flow ingress

     a2. ip flow egress

     a3. ip route-cache flow

  b. in global config

     b1 ip flow-export source S0/0/0

     b2. ip flow-export version 9 (you can use v5 if you want).

     b3. ip flow-export destination 0.0.0.0 0000 (ip and port removed for safety).

 c. setup netflow to monitor the s0/0/0 interface.

None of that worked. I think that i am just going to disable netflow because i am tired of fighting it.