18 Replies Latest reply on Mar 21, 2011 11:55 AM by jswan

    Configuration Issues - NTA / Netflow on Outside Cisco Devices

    adamtodd16

      I have been reading these forums the past few days and trying different solutions, but haven't been able to get NTA working on any outside devices.

      Our core network is behind a Cisco 2951 - Netflow is working perfectly on this device.

      All other devices are configured to send Netflow data back to a collector that is behind the 2951. I have tried this on 881, 2911, 2901 and still having the same issue:  Last Received Netflow: Never.

      I am using the exact same netflow config as on the 2951:

      ip flow-export source fastethernet0/0.130 (DATA sub interface)
      ip flow-export version 9
      ip flow-export destination 10.1.200.63 2055 (server + port are correct)

      interface fastethernet0/0.130
       ip flow egress
       ip flow ingress
       ip route-cache flow

      Am I missing anything, or is there anything I can try to get this going?

        • Re: Configuration Issues - NTA / Netflow on Outside Cisco Devices
          pyro13g

          Run a sniffer on the NTA server to see if the flows from the other devices are making it to the server.

           

          If not, make sure no ACL/Firewall on your 2951 is blocking it.

           

          If not blocking, sh ip cache flow on one of the devices NTA is not receiving from. Does the table show flows? If so, is the DstIf shown as Null? If so, you have something on the devices causing packets to be process switched. Those flows will not be sent.

            • Re: Configuration Issues - NTA / Netflow on Outside Cisco Devices
              adamtodd16

              Thank you for the reply. I added an explicit ACL to make sure UDP was allowed through to the server.

               

              This is the result of sh ip cache flow:

               

              C2801-ACC01#show ip cache flow
              IP packet size distribution (498630 total packets):
                 1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
                 .000 .576 .077 .058 .047 .015 .013 .010 .007 .005 .005 .004 .003 .002 .003

                  512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
                 .003 .002 .002 .030 .128 .000 .000 .000 .000 .000 .000

              IP Flow Switching Cache, 278544 bytes
                25 active, 4071 inactive, 36897 added
                700387 ager polls, 0 flow alloc failures
                Active flows timeout in 1 minutes
                Inactive flows timeout in 15 seconds
              IP Sub Flow Cache, 34056 bytes
                25 active, 999 inactive, 36897 added, 36897 added to flow
                0 alloc failures, 0 force free
                1 chunk, 1 chunk added
                last clearing of statistics never


              Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
              --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
              TCP-WWW           5540      0.0         3   620      0.0       0.0      15.3
              TCP-SMTP            56      0.0        83   738      0.0       2.5       1.5
              TCP-other        21362      0.0        21   246      0.6       4.1      11.9
              UDP-DNS           2257      0.0         1    68      0.0       0.1      15.4
              UDP-NTP            106      0.0         1    96      0.0       0.0      15.4
              UDP-other         6620      0.0         1   135      0.0       4.1      15.4
              ICMP               936      0.0         1   141      0.0       0.7      15.4
              Total:           36877      0.0        13   263      0.7       3.1      13.3

              SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
              Fa0/1.130     10.10.130.93    Fa0/0         10.1.200.70     06 C05E 0D3D    46
              Fa0/0         10.1.200.70     Fa0/1.130*    10.10.130.90    06 0D3D 0472    37
              Fa0/0         10.1.200.70     Fa0/1.130*    10.10.130.78    06 0D3D 040D   160
              Fa0/0         10.1.200.75     Fa0/1.130*    10.10.130.84    06 01BB EAE8     3
              Fa0/1.130     10.10.130.86    Fa0/0         10.10.160.35    11 F1D3 00A1     1
              Fa0/0         10.1.200.70     Fa0/1.130*    10.10.130.83    06 0D3D 0672    79
              Fa0/1.130     10.10.130.93    Fa0/0         74.48.159.151   06 C08B 0050     1
              Fa0/1.130     10.10.130.93    Fa0/0         74.48.159.151   06 C08C 0050     1
              Fa0/1.130     10.10.130.90    Fa0/0         10.1.200.70     06 0472 0D3D    23
              Fa0/1.130     10.10.130.78    Fa0/0         10.1.200.70     06 040D 0D3D   153
              Fa0/0         10.1.200.70     Fa0/1.130*    10.10.130.93    06 0D3D C05E    38
              Fa0/1.130     10.10.130.83    Fa0/0         10.1.200.70     06 0672 0D3D    81
              Fa0/1.130     10.10.130.84    Fa0/0         10.1.200.75     06 EAE8 01BB     1
              Fa0/1.130     10.10.130.84    Fa0/0         10.1.200.61     06 D1D0 04B6     4
              Fa0/1.130     10.10.130.84    Fa0/0         10.1.200.61     06 D1CE 04B6     6
              Fa0/0         74.48.159.151   Fa0/1.130*    10.10.130.93    06 0050 C08C     1
              Fa0/1.130     10.10.130.86    Fa0/0         10.1.200.70     06 E8B9 0D3D   405

              SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
              Fa0/0         74.48.159.151   Fa0/1.130*    10.10.130.93    06 0050 C08B     1
              Fa0/0         10.1.200.63     Fa0/1.130*    10.10.130.84    06 2152 C116    13
              Fa0/0         10.1.200.50     Fa0/1.130*    10.10.130.84    11 0035 F784     1
              Fa0/0         10.1.200.61     Fa0/1.130*    10.10.130.87    06 04B6 045B     1
              Fa0/0         10.1.200.61     Fa0/1.130*    10.10.130.87    06 04B6 045F    25
              Fa0/1.130     10.10.130.87    Fa0/0         10.1.200.51     11 007B 007B     1
              Fa0/0         10.1.200.50     Fa0/1.130*    10.10.130.26    11 0035 8504     3
              Fa0/1.130     10.10.130.90    Fa0/0         94.226.222.241  06 0489 1732     2
              Fa0/1.130     10.10.130.86    Fa0/0         10.10.120.26    11 F1D3 00A1     3
              Fa0/1.130     10.10.130.85    Null          255.255.255.255 11 0044 0043     1
              Fa0/1.130     10.10.130.84    Null          255.255.255.255 11 0044 0043     1
              Fa0/0         10.1.200.61     Fa0/1.130*    10.10.130.84    06 04B6 D1D0    35
              Fa0/0         94.226.222.241  Fa0/1.130*    10.10.130.90    06 1732 0489     1
              Fa0/1.130     10.10.130.84    Fa0/0         10.1.200.63     06 C116 2152    29
              Fa0/0         128.119.165.158 Fa0/1.130*    10.10.130.75    06 1732 06B5     1
              Fa0/0         10.1.200.70     Fa0/1.130*    10.10.130.86    06 0D3D E8B9    39
              Fa0/1.130     10.10.130.87    Fa0/0         10.1.200.61     06 045F 04B6    27
              Fa0/1.130     10.10.130.87    Fa0/0         10.1.200.61     06 045B 04B6     1
              Fa0/1.130     10.10.130.84    Fa0/0         10.1.200.50     11 F784 0035     1
              Fa0/0         10.1.200.51     Fa0/1.130*    10.10.130.87    11 007B 007B     1
              Fa0/1.130     10.10.130.78    Fa0/0         10.10.120.26    11 0402 00A1     2
              Fa0/1.130     10.10.130.85    Null          10.10.130.255   11 0089 0089     3
              Fa0/1.130     10.10.130.84    Null          10.10.130.255   11 0089 0089     3

              SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
              Fa0/1.130     10.10.130.78    Fa0/0         10.10.1.240     06 0639 238C     2
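              The DstIf check pyro13g describes can be scripted against output like the table above. What follows is an added example, not code from the thread and not SolarWinds NTA code: it parses the flow table of `show ip cache flow`, strips the `*` that IOS appends to a sub-interface name in the DstIf column, and lists the flows that were not forwarded out any interface. The sample text embedded in the script is five rows taken from the posted output; everything else (function names, the summary layout) is the example's own. In the posted table the only Null rows are DHCP (68 to 67) and NetBIOS (137) broadcasts from hosts on Fa0/1.130, which is what you expect for traffic that terminates on or is dropped by the router, so on their own they do not point at a process-switching problem.

```python
"""Parse IOS 'show ip cache flow' output and flag flows whose DstIf is Null.

Added example for this thread; not NTA code. The sample rows below are copied
from the posted output, everything else is illustrative.
"""
import re
from collections import Counter

# Five rows taken from the posted 'show ip cache flow' table (not a full capture).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1.130     10.10.130.93    Fa0/0         10.1.200.70     06 C05E 0D3D    46
Fa0/0         10.1.200.70     Fa0/1.130*    10.10.130.90    06 0D3D 0472    37
Fa0/1.130     10.10.130.85    Null          255.255.255.255 11 0044 0043     1
Fa0/1.130     10.10.130.84    Null          10.10.130.255   11 0089 0089     3
Fa0/1.130     10.10.130.87    Fa0/0         10.1.200.51     11 007B 007B     1
"""

# One flow line: interface, IPv4, interface, IPv4, then protocol and ports in hex, then a packet count.
FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_flows(text):
    """Return one dict per flow row; header, summary and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        proto = int(m["proto"], 16)
        flows.append({
            "srcif": m["srcif"],
            "src": m["src"],
            # IOS marks the output interface with '*' when the flow left via a
            # sub-interface; drop it so the name compares equal to the SrcIf form.
            "dstif": m["dstif"].rstrip("*"),
            "dst": m["dst"],
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(m["sport"], 16),
            "dport": int(m["dport"], 16),
            "pkts": int(m["pkts"]),
        })
    return flows


def null_dstif_flows(flows):
    """Flows with DstIf = Null: traffic the router did not forward out an interface
    (broadcasts, traffic to the router itself, process-switched or dropped packets).
    These are the rows to look at for the check described in the thread."""
    return [f for f in flows if f["dstif"] == "Null"]


def summarize(flows):
    """Flow and packet counts per (SrcIf, DstIf) pair."""
    by_pair = Counter()
    pkts = Counter()
    for f in flows:
        key = (f["srcif"], f["dstif"])
        by_pair[key] += 1
        pkts[key] += f["pkts"]
    return {k: {"flows": by_pair[k], "pkts": pkts[k]} for k in by_pair}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for pair, s in summarize(flows).items():
        print(f"{pair[0]:>12} -> {pair[1]:<12} flows={s['flows']} pkts={s['pkts']}")
    for f in null_dstif_flows(flows):
        print("Null DstIf:", f["proto"], f["src"], f["sport"], "->", f["dst"], f["dport"])
```

              To use it on a real device, paste the full `show ip cache flow` output into a file and call parse_flows on the file contents; the summary tells you at a glance whether traffic through the interface you export from is actually being switched to another interface or is all landing on Null.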

                • Re: Configuration Issues - NTA / Netflow on Outside Cisco Devices
                  mavturner

                  adamtodd16,

                   

                  What does a 'show ip flow export' show? Does the export counter increase every time you run that command? Does the correct destination address show for the collector (any NAT issues?). 

                   

                  As pyro13g recommended, the best way to check if the flows are getting to the NTA server is to run a sniffer (Wireshark) and see if the flows are showing up. You can use a simple display filter of 'cflow' to limit the amount of data, then see if you have any data from your device that is having a problem.

                  Also, do you have any errors in the NTA event log? For example, receiving flows from an unmanaged device? If so, it's possible the flows are showing up from a different address than you expect (again, could be a NAT issue, or your source IP is not the same as the IP you are managing the node with in NTA).

                   

                  Mav
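                  Both pyro13g and Mav suggest capturing on the collector host to see which exporters actually arrive. Below is an added example, not from the thread and not NTA code, of a small NetFlow v9 receiver in Python that does a coarser version of what the Wireshark `cflow` filter shows: it decodes the v9 packet header and the flowset headers, tallies packets, template flowsets and data flowsets per exporter (source IP plus source ID), and counts datagrams on the port that are not v9 at all, which is how a NAT or source-address mismatch shows up as "flows from an unmanaged device". Port 2055 comes from the config in the original post; the exporter addresses, the function names and the packet bytes produced by build_sample_packet are constructed for the example.

```python
"""Minimal NetFlow v9 receiver for checking which exporters reach the collector host.

Added example for this thread; not NTA code. Decodes only the v9 header and the
flowset headers, which is enough to see who is sending, whether templates arrive,
and whether stray non-v9 datagrams are hitting the port.
"""
import socket
import struct
from collections import Counter

# version, count, sysUptime (ms), unixSecs, sequence, sourceID
V9_HEADER = struct.Struct("!HHIIII")
TEMPLATE_FLOWSET = 0
OPTIONS_TEMPLATE_FLOWSET = 1


def parse_v9(packet: bytes):
    """Decode the v9 header and walk the flowset headers.

    Returns (header, flowsets) where flowsets is a list of (id, length). Raises
    ValueError on anything that is not a well-formed v9 packet, so a stray
    datagram on port 2055 is reported rather than miscounted."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("shorter than a v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"version {version}, not 9")
    flowsets = []
    off = V9_HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        # A zero or oversized length would loop forever or read past the packet.
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"bad flowset length {fs_len} at offset {off}")
        flowsets.append((fs_id, fs_len))
        off += fs_len
    header = {"version": version, "count": count, "sysuptime_ms": uptime,
              "unix_secs": secs, "sequence": seq, "source_id": source_id}
    return header, flowsets


class ExporterTally:
    """Per-exporter counters: what a sniffer on the collector should show per source IP."""

    def __init__(self):
        self.packets = Counter()    # (src_ip, source_id) -> v9 packets
        self.templates = Counter()  # (src_ip, source_id) -> template/option-template flowsets
        self.data = Counter()       # (src_ip, source_id) -> data flowsets
        self.bad = Counter()        # src_ip -> datagrams that were not v9
        self.last_seq = {}          # (src_ip, source_id) -> last sequence number seen

    def feed(self, src_ip, packet):
        """Account one datagram; returns the exporter key, or None if it was not v9."""
        try:
            header, flowsets = parse_v9(packet)
        except ValueError:
            self.bad[src_ip] += 1
            return None
        key = (src_ip, header["source_id"])
        self.packets[key] += 1
        for fs_id, _ in flowsets:
            if fs_id in (TEMPLATE_FLOWSET, OPTIONS_TEMPLATE_FLOWSET):
                self.templates[key] += 1
            elif fs_id >= 256:  # data flowset ids are template ids, always >= 256
                self.data[key] += 1
        self.last_seq[key] = header["sequence"]
        return key

    def report(self):
        lines = []
        for key in sorted(self.packets):
            lines.append(f"{key[0]} source_id={key[1]} packets={self.packets[key]} "
                         f"templates={self.templates[key]} data={self.data[key]} "
                         f"last_seq={self.last_seq[key]}")
        for ip, n in self.bad.items():
            lines.append(f"{ip} non-v9 datagrams={n}")
        return lines


def build_sample_packet(sequence, source_id=0, with_template=True):
    """Constructed v9 packet: an optional template (id 256, fields IPV4_SRC_ADDR=8
    and IPV4_DST_ADDR=12, 4 bytes each) followed by one data record using it."""
    template = b""
    if with_template:
        template = struct.pack("!HHHHHHHH", TEMPLATE_FLOWSET, 16, 256, 2, 8, 4, 12, 4)
    record = socket.inet_aton("10.10.130.93") + socket.inet_aton("10.1.200.70")
    data = struct.pack("!HH", 256, 4 + len(record)) + record
    count = (1 if with_template else 0) + 1  # records in the packet, templates included
    header = V9_HEADER.pack(9, count, 123456, 1300000000, sequence, source_id)
    return header + template + data


def listen(port=2055, max_packets=100):
    """Bind the collector port and tally what arrives. Stop NTA first: only one
    process can own UDP 2055 on the host."""
    tally = ExporterTally()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", port))
        for _ in range(max_packets):
            pkt, (src_ip, _) = s.recvfrom(65535)
            tally.feed(src_ip, pkt)
    return tally


if __name__ == "__main__":
    t = ExporterTally()
    t.feed("10.1.200.1", build_sample_packet(1))
    t.feed("10.1.200.1", build_sample_packet(2, with_template=False))
    t.feed("192.0.2.10", b"not netflow")
    print("\n".join(t.report()))
```

                  Two things to read off the report. First, the source IP column is the address the collector sees after any NAT on the path, so if it differs from the address NTA manages the node by, that is the "unmanaged device" case Mav mentions. Second, a v9 collector cannot decode data records until it has received the matching template, so an exporter that shows packets but no template flowsets yet is still invisible to the collector until the next template refresh; on IOS the `ip flow-export template refresh-rate` and `ip flow-export template timeout-rate` commands control how often templates are resent.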

                    • Re: Configuration Issues - NTA / Netflow on Outside Cisco Devices
                      adamtodd16

                      Thanks Mav.

                      Show ip flow export shows an increasing counter and no errors. Source and Destination are both correct.

                      I just did a wireshark capture on my collector service. The only source I am seeing is my firewall. The outside routers are not registering.

                      Anything else I can check on?

                        • Re: Configuration Issues - NTA / Netflow on Outside Cisco Devices
                          jswan

                          Most edge routers are configured to do dynamic NAT (aka PAT) on the outside interface. If this is the case with yours, you'll need to configure a static NAT translation on the edge router for the outside devices to talk to the NTA server. It's not enough to just allow the NDE packets through the ACL unless you're not doing NAT.

                            • Re: Configuration Issues - NTA / Netflow on Outside Cisco Devices
                              adamtodd16

                              Thanks for that.

                              Can you give me an example of how I should write the dynamic PAT and what my destination address would become for NetFlow?

                                • Re: Configuration Issues - NTA / Netflow on Outside Cisco Devices
                                  jswan

                                  OK, let's first make sure I've got the topology right:

                                  OutsideExporters---EdgeRouter---insideNetwork---NTA Server

                                  Is that correct? In other words, you have NetFlow exporters outside your network and you want to get the NDE traffic through the edge router?

                                  If so, you'll want something like this on your edge router:

                                  ip nat inside source static 10.1.1.1 192.0.2.1

                                  where you substitute the IP address of the NTA server for 10.1.1.1, and the IP address of an available public address on your outside interface for 192.0.2.1.

                                  Then you'll need something like the following in the ACL on your outside interface:

                                  ip access-list extended OUTSIDE_TO_INSIDE
                                   permit udp host 192.0.2.10 host 192.0.2.1 eq 2055

                                  where 192.0.2.10 is the NetFlow source address of the outside exporter. So, your config might look something like this (simplified, of course):

                                  interface fastEthernet0/0
                                   description outside interface
                                   ! 192.0.2.1 is kept free for the static NAT of the NTA server below; the interface takes another address from the /29
                                   ip address 192.0.2.2 255.255.255.248
                                   ip access-group OUTSIDE_TO_INSIDE in
                                   ip nat outside
                                   ip inspect MY_IOS_FIREWALL out

                                  interface fastEthernet0/1
                                   description inside interface
                                   ip nat inside
                                   ip address 10.1.1.254 255.255.255.0

                                  ip nat inside source static 10.1.1.1 192.0.2.1
                                  ip nat inside source list NAT_LIST interface fastEthernet0/0 overload

                                  ip access-list extended OUTSIDE_TO_INSIDE
                                   permit udp host 192.0.2.10 host 192.0.2.1 eq 2055
                                  ip access-list standard NAT_LIST
                                   permit 10.1.1.0 0.0.0.255

                                  ip inspect MY_IOS_FIREWALL tcp
                                  ip inspect MY_IOS_FIREWALL udp

                      • Re: Configuration Issues - NTA / Netflow on Outside Cisco Devices

                        Are you trying to send this over a VPN from the VPN Router itself?