7 Replies Latest reply on Sep 15, 2011 9:44 AM by Andy McBride

    Netflow Traffic not reporting reliably

    Ruminations

      Hi Guys,

      We've got a large number of nodes working perfectly with Netflow traffic. We have some Cisco Routers which are using Dialer interfaces. The Virtual Access Interface reports perfectly but the Dialer reports only sporadically if at all. Can anyone shed some light on why this would be occurring? It doesn't make any sense to me given the VI is a copy of the Dialer.

        • Re: Netflow Traffic not reporting reliably
          Andy McBride

           I recommend taking a look at a packet capture and seeing if there is something unusual with the dialer flows. Also try show ip flow interface to see the exports per IF. That command may not be supported in your IOS.

          • Re: Netflow Traffic not reporting reliably
            jswan

            If you check your NetFlow cache with "show ip cache flow", you'll see that the VirtualAccess interface is the one actually tracked by NetFlow, not the Dialer interface. Hence, it's expected behavior.

            The dialer interface is sort of a logical abstraction used to hold configuration information, whereas the VirtualAccess interface actually handles the flow of packets between the dialer interface and the physical interface to which it's bound. Since NetFlow is related to packet flow, it sort of makes sense that VirtualAccess interfaces are used for flow tracking. I think Cisco probably coded it this way to support per-user flow tracking in large-scale dial implementations, but I'm not sure.

            • Re: Netflow Traffic not reporting reliably
              Ruminations

              Hi Guys,

              In light of the comments I've had a look at the flows on the device. I should have added that these new devices are located outside of the private network and are reporting in over the internet and use PAT. I'm guessing this is a large part of the issue. If I check any router inside our network that has a dialer I get a flow like this:

              SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
              Vi2           192.168.1.240   Vl1           10.152.35.101   06 01BB 041B     4
              Vl1           10.152.35.101   Di1*          192.168.1.24    06 05DC 0A26    13
              Vl1           10.152.35.98    Di1*          192.168.1.24    06 01BD 0EC9     1
              Vl1           10.152.35.101   Di1*          27.100.1.21     06 0424 1659     3
              Vi2           27.100.1.21     Vl1           10.152.35.101   06 1659 0424     3
              Vi2           192.168.1.24    Vl1           10.152.35.124   06 0A26 EAB1    19
              Vi2           192.168.1.28    Vl1           10.152.35.101   06 0402 073F     1
              Vi2           10.20.8.4       Local         10.249.1.207    11 0089 0089     3
              Vi2           27.100.1.21     Vl1           10.152.35.124   06 1659 E86E     1
              Vi2           10.248.70.222   Local         10.249.1.207    06 A785 0017    23
              Vl1           10.152.35.98    Di1*          27.100.1.21     06 0FD7 1659     3
              Vi2           192.168.16.6    Null          10.152.35.99    11 048D 00A1     2
              Vl1           10.152.35.101   Di1*          192.168.1.240   06 041B 01BB     5
              Vi2           192.168.1.24    Vl1           10.152.35.98    06 0EC9 01BD     1

              I get traffic reported on both the Vi1 interface and the Dialer, with inbound traffic on the Vi and outbound on the Dialer, which is what I expect.

              The same configuration is on the routers outside the network which are then pointed to a Watchguard firewall which port forwards anything on port 2055 to the Orion server.

              The VI interface reports traffic and works perfectly; however, nothing appears for the Dialer interface. I get this from sh ip cache flow:

              SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB CE9E     1
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 0CB9     1
              Vi2           125.255.44.104  Local         61.8.30.47      32 2FD3 E617  1337
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB CC6E     5
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB CC71    15
              Vi2           202.7.93.82     Local         61.8.30.47      06 BFA1 0017    48
              Vi2           27.100.1.21     Vl1           61.8.30.47      06 1659 0CA9     3
              Vi2           192.168.10.240  Vl1           192.168.20.10   06 165A F4C6    82
              Vi2           192.168.10.240  Vl1           192.168.20.10   06 165A F4C7    54
              Vi2           192.168.10.240  Vl1           192.168.20.10   06 165A F4D1    77
              Vi2           192.168.10.240  Vl1           192.168.20.10   06 165A F4A6    48
              Vi2           192.168.10.240  Vl1           192.168.20.10   06 165A F4A0    34
              Vi2           192.168.10.4    Local         192.168.20.254  01 0000 0800     1
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 04A1     6
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 049B     6
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 049F     9
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 049C     6
              Vi2           27.100.1.21     Vl1           61.8.30.47      06 1659 0417     5
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 127C     1
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 127D     1
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 1271     1
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 1276     1
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 1274     1
              Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB 1275     1
              Vi2           212.161.8.4     Vl1           61.8.30.47      06 303E CFC6     1
              Vi2           192.168.10.3    Vl1           192.168.20.17   06 0A26 D0FD   62

               

              Router#sh ip flow export
              Flow export v5 is enabled for main cache
                Export source and destination details :
                VRF ID : Default
                  Source(1)       61.8.30.47 (Dialer1)
                  Destination(1)  27.100.0.75 (2055)
                Version 5 flow records
                5716 flows exported in 299 udp datagrams
                0 flows failed due to lack of export packet
                1 export packets were sent up to process level
                0 export packets were dropped due to no fib
                0 export packets were dropped due to adjacency issues
                0 export packets were dropped due to fragmentation failures
                0 export packets were dropped due to encapsulation fixup failures
              Router#sh ip flow interface
              Dialer1
                ip route-cache flow
                ip flow ingress
                ip flow egress
              Virtual-Access2
                ip route-cache flow

              Any idea what I can change to make that work?
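
Added example, not part of any post in this thread: a small Python parser for the `show ip cache flow` rows quoted above, which decodes the hex protocol and port columns and lists which interfaces the cache actually attributes flows to. The sample rows are excerpted from the two outputs in the post; the function names are hypothetical, and the code assumes the trailing `*` on DstIf marks an egress flow, as in the IOS output shown.

```python
from collections import Counter

# Rows excerpted from the two "show ip cache flow" outputs quoted in the post.
# INSIDE = router on the private network, OUTSIDE = router reporting over PAT.
INSIDE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vi2           192.168.1.240   Vl1           10.152.35.101   06 01BB 041B     4
Vl1           10.152.35.101   Di1*          192.168.1.24    06 05DC 0A26    13
Vl1           10.152.35.98    Di1*          27.100.1.21     06 0FD7 1659     3
Vi2           10.20.8.4       Local         10.249.1.207    11 0089 0089     3
Vi2           192.168.16.6    Null          10.152.35.99    11 048D 00A1     2
"""
OUTSIDE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vi2           27.100.0.66     Vl1           61.8.30.47      06 01BB CE9E     1
Vi2           125.255.44.104  Local         61.8.30.47      32 2FD3 E617  1337
Vi2           202.7.93.82     Local         61.8.30.47      06 BFA1 0017    48
Vi2           192.168.10.4    Local         192.168.20.254  01 0000 0800     1
"""

def parse_cache(text):
    """Parse cache rows; Pr, SrcP and DstP are hexadecimal in this output."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":   # skip header and malformed rows
            continue
        flows.append({
            "src_if": f[0], "src_ip": f[1],
            "dst_if": f[2].rstrip("*"), "egress": f[2].endswith("*"),
            "dst_ip": f[3], "proto": int(f[4], 16),
            "sport": int(f[5], 16), "dport": int(f[6], 16),
            "pkts": int(f[7]),
        })
    return flows

def interface_roles(flows):
    """Count flows per interface: ingress on SrcIf, egress on a starred DstIf."""
    roles = {}
    for fl in flows:
        roles.setdefault(fl["src_if"], Counter())["ingress"] += 1
        if fl["egress"]:
            roles.setdefault(fl["dst_if"], Counter())["egress"] += 1
    return roles

def interfaces_without_flows(flows, expected):
    """Return the expected interfaces that the cache attributes no flow to."""
    seen = interface_roles(flows)
    return [name for name in expected if name not in seen]
```

Run against the full outputs, `interfaces_without_flows(parse_cache(OUTSIDE), ["Vi2", "Di1"])` returns `["Di1"]`, matching the missing Dialer data on the external routers, while the inside router shows `Di1` with egress flows only.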

              • Re: Netflow Traffic not reporting reliably
                Ruminations

                While I understand what he has said, I don't see why on any router inside the PN netflow reports on Dialer interface traffic but not on these few routers.