1 Reply Latest reply on Dec 24, 2014 9:17 AM by choly

    NetFlow Source Interfaces Have Stopped Forwarding

    brentbo

      Hey Y'all,

       

      I’m new in a fairly large SolarWinds environment (17,000 elements) and I’m seeing some, ummm, interesting NetFlow version 5 issues. Our NetFlow installation reports 120 NetFlow source interfaces on 48 nodes. Of these 48 nodes, 23 are no longer forwarding NetFlow data. These 23 nodes didn’t stop forwarding all at the same time; instead, they dropped off one at a time over a period of about four months, with no obvious pattern. We are working with NPM 10.6.1, NTA 3.10.0, NCM 7.2.2 and IPam 4.1.

       

      1. I checked for correct NetFlow 5 configurations. As far as I can see, the configurations should work. Moreover, they did work before.
      2. I've looked for changes in the Cisco configurations, both at the time NetFlow forwarding ceased and for longer periods. I can’t see any relevant changes, and in some cases there are literally no changes.
      3. I’ve looked at Events for any problems with the NetFlow interfaces on or around the time they ceased reporting, Nothing at all obvious.

       

      I don’t expect anyone’s going to have some ‘magic bullet’; what would be very useful is suggestions for directions in troubleshooting. Any suggestions will be very much appreciated. Thanks in advance, Brent Papworth.

        • Re: NetFlow Source Interfaces Have Stopped Forwarding
          choly

          Install Wireshark on Orion server (and additional poller if you point some netflow there as well), and verify you are still receiving flows from those device. Using filters like ip.src==AAA.BBB.CCC.DDD && (cflow || upd.port==2055 || udp.port == 6343 || udp.port==9996) to go find out if you are receiving flows from each device.

           

          If don't you see flows in Wireshark check your devices (configuration changes that disable netflow as sideeffect, e.g. cef) and network (firewalls, routing). If you see flows in Wireshark, but not in NTA, go to NetFlow sources > Manage sources > uncheck the checkbox next to not working flow source > submit > go back > check that checkbox again > submit. If that doesn't help, open a support ticket with SolarWinds.