This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

NETFLOW information not being received on 1 interface

mazydizzle2K10 over 13 years ago

Hi all,

i have a cisco 6509 switch with several L3 interfaces all sending Netflow data to our Orion server.

I've added a new L3 interface, added the ip flow ingress/egress commands to the interface and I only seem to ever receive netflow data for about 1 minute at around 23:27 at night. It's really wierd, all other interfaces send data every minute of the day.

The only difference being is that the IP assigned to this interface is a public IP rather than private IPs that all exist in our LAN.

I have added this IP range in to the Netflow settings in Orion and I am seeing the "Data Last received" column as Never.

I did not set this all up myself, i have taken this on from a previous engineer.

Any help appreciated! I've done some searches in the forums but all the posts I have come accross are from users where NetFlow is not being recieved at all.

My problem is different where it is only a newly added L3 VLAN interface that is not sending netFlow data. All other interfaces are working fine.

I have simply coied the netflow interface config from a working interface in an attempt to get this netflow stream working.

thanks again!

Mario De Rosa

0 mcbridea over 13 years ago

have you added that new interface to NPM?
Cancel
Vote Up 0 Vote Down

Cancel
0 mazydizzle2K10 over 13 years ago

Hi,
These are the steps of what I did
1. create L3 interface and IP addressing
2. add ip flow ingress / egress commands
3. added new L3 int in NPM to be managed
4. In NetFlow settings, selected new L3 int to receive netflow traffic.
All interfaces are sending netflow data every minute, where as this new interface, it is advising that the last time netflow data was received was 23:27 at night.
Is there anything that I have missed do you think??

Mario
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 13 years ago in reply to mazydizzle2K10

show ip cache flow at the switch.
if you see any DstIf as null than netflow won't be created for that flow. Probably process switched traffic.
Cancel
Vote Up 0 Vote Down

Cancel
0 mazydizzle2K10 over 13 years ago in reply to FormerMember

thanks for the reply.
i ran the following
sh ip cache flow | i vl198 and nothing appeared. I think the guys have stopped using that VLAN for the day now so I just got your message to late.
how long are these entries listed for?
also, do you know if there are any solar winds logs that i can inspect to get an idea if netflow data is being dropped by our NPM server?
thanks
Mario
Cancel
Vote Up 0 Vote Down

Cancel
0 mazydizzle2K10 over 13 years ago in reply to mazydizzle2K10

OK,
forget what I just said... the command was wrong. The good news is that the DstIf column is not null. I am running a continuous ping from a remote site to this L3 interface and the output is below...
TH_DC_core_02#sh ip cache flow | i Vl198
Vl198 67.226.192.234 Vl96 10.130.12.46 00 0000 0000 163
Vl91 10.130.12.46 Vl198 67.226.192.234 00 0000 0000 163
Hope this output helps!
Mario
Cancel
Vote Up 0 Vote Down

Cancel
0 mazydizzle2K10 over 13 years ago in reply to mazydizzle2K10

haha! i'm getting there!...
right, i can now see netflow data of the pings that I am running!!
So, you are correct pyro, it seems like the Video Conferencing traffic that this VLAN is used for is being process switched.
It's a pitty I cannot check at the moment as no one is using the system but I imagine that if i run the same command whilst there is a video conference going on, the DstIf would be null???
Time for me to read my CCNP books to refresh my memory about CEF etc...
Once i confirm what you advised about our video traffic being processed switched, i will consider the question answered!
thanks!!!
Mario
Cancel
Vote Up 0 Vote Down

Cancel
0 mazydizzle2K10 over 13 years ago in reply to mazydizzle2K10

Hi Pyro,
sorry to be the bearer of bad news but it appears that I can see traffic flows whilst a video conference is in progress. The output is below...
TH_DC_core_02#sh ip cache flow | i Vl198
Vl12             67.226.192.238   Vl198            67.226.192.234 00 0000 0000   201K
Vl198            67.226.192.234   Vl12             67.226.192.238 00 0000 0000   314K
TH_DC_core_02#sh ip cache flow | i Vl198
Vl12             67.226.192.238   Vl198            67.226.192.234 00 0000 0000   210K
Vl198            67.226.192.234   Vl12             67.226.192.238 00 0000 0000   331K
TH_DC_core_02#sh ip cache flow | i Vl198
Vl12             67.226.192.238   Vl198            67.226.192.234 00 0000 0000   344K
Vl198            67.226.192.234   Vl12             67.226.192.238 00 0000 0000   590K
Looking in NTA, it still says that the last data received is 23:27 last night.
Do you have any other ideas of what it could be?
Any more help appreciated!
Mario
Cancel
Vote Up 0 Vote Down

Cancel
0 dusak over 13 years ago in reply to mazydizzle2K10

Looks like this is what I experience as well, and still looking for solutions.
I am using Cisco 7209, I can see other interface netflow but one particular interface no netflow at all (confirm already add the command in the interface)
an on that interface, I can see it's being used since Bandwidth utilization above 10% only no netflow.
Hope someone can help with an ans

yamin
Cancel
Vote Up 0 Vote Down

Cancel
0 mcbridea over 13 years ago in reply to mazydizzle2K10

The protocol and port are zeros, indication L2 traffic only.
Cancel
Vote Up 0 Vote Down

Cancel
0 dusak over 13 years ago in reply to mcbridea

Hi Andy,

so what need to be configure to monitor netflow on the interface then ?
Cancel
Vote Up 0 Vote Down

Cancel