Hi, that "never" statement in the last received column is one indication of whether the flow data from your device is reaching the Orion server (where NTA is installed). If it is receiving data with the correct template, it should show an updated time stamp. To check and isolate it fast, run a packet capture (Wireshark) on your Orion server. Filter it to the IP address of that device and let it run for 5 to 8 minutes. Check the live capture to see whether you get Cflow data.
If you do not get any CFLOW, then there is something wrong with your configuration or there is a routing issue. It is not important whether you have configured your device to send NetFlow data; the important thing is that the data (flow data) reaches the Orion server (where NTA is installed).
If you did get the Cflow data, check the packets and see what version it is getting. If it is version 9, make sure it contains the right template as seen on this link below
NTA for Cisco supports only NetFlow 5 and NetFlow v.9 (with exact template).
For 3750, check the configs.
Thank you for the help! I'm fuzzy (meaning clueless) on the concept of the template. Can you point me in the right direction for that?
I'll perform the packet capture tomorrow. I know that I configured the router to use version 5, per the earlier Thwack article.
I have not configured any "templates" in Orion though. I need help with this.
Thank you for your reply and help!!
No worries. I'll wait for the result of the packet capture and let us see what you are getting.
- Open Wireshark
- Click on Capture on the tool bar and select Interfaces
- Click on Option for the interface used to poll your devices.
- In the capture filter type the following: ip.addr==xxx.xxx.xxx.xxx
- Please replace the xxx.xxx.xxx.xxx with the IP address of the router that is having issues
- Click on Start to launch the capture.
- Reproduce the issue with your device
- Once you have captured the data for 8 minutes
- Go back to Wireshark and stop the network trace.
- Capture > Stop.
- Sort the column for protocol and see if you are getting any Cflow.
Is this router a self-managed router?
If so, I am more than willing to help you with the config required, as I have done this on our layer 3 core switches.
Yes. Of course it is self managed. Any assistance is much appreciated. It will also be helpful to post here. What info do you need?
Was a solution ever found for this?? I have a Cisco 4506 that stopped sending NetFlow data a few months back, and I can't see what has changed on my switch to cause this.
Any help/suggestion would be most appreciated.
If you see other devices are showing flow data on the NTA application, then I can say that 99% your NTA application is not the issue. NTA will only listen to port 2055 and it will just collect all flow data that your device is throwing at it. The best way to isolate whether the flow from your non-working device is reaching the SolarWinds server (where the NTA is installed) is by running the Wireshark procedure above. Make sure that before you start the capture, it is filtered to the IP address of the device that is not working. Then let it run for 10 minutes and see if you are getting CFLOW (protocol) on the capture. If there is none, double check your device configuration, and check the port and the IP address of the flow collector (which is the SolarWinds server). Also check if there is any firewall in between blocking the traffic or any routing issue to the network.
Also check if the interfaces added on NetFlow data are up (green) and not greyed out or unknown.
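The version and template check described in this thread can also be done on the raw UDP payload of a captured CFLOW packet. The sketch below is an added example, not part of the original posts and not SolarWinds code. It takes one payload, reports whether it is NetFlow v5 or v9, and for v9 lists the templates it carries and any data FlowSets whose template has not been seen. Assumptions: the function name, the `known_templates` parameter (template IDs seen in earlier packets from the same exporter) and the sample payloads are constructed for illustration, and the check covers template presence only, not which fields NTA requires in the template.

```python
import struct

V5_HEADER, V5_RECORD, V9_HEADER = 24, 48, 20  # sizes in bytes

def inspect_flow_payload(payload, known_templates=()):
    """Classify one UDP payload as NetFlow v5 or v9 and report template state."""
    if len(payload) < 4:
        return {"version": None, "ok": False, "reason": "payload too short"}
    version, count = struct.unpack("!HH", payload[:4])
    if version == 5:
        expected = V5_HEADER + count * V5_RECORD
        ok = len(payload) == expected
        return {"version": 5, "ok": ok,
                "reason": "" if ok else f"length {len(payload)}, expected {expected}"}
    if version != 9 or len(payload) < V9_HEADER:
        return {"version": version, "ok": False, "reason": "not a usable v5/v9 export"}
    templates, data_ids, offset = [], [], V9_HEADER
    while offset + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(payload):
            return {"version": 9, "ok": False, "reason": "bad flowset length"}
        body, pos = payload[offset + 4:offset + fs_len], 0
        while fs_id == 0 and pos + 4 <= len(body):  # FlowSet ID 0 = templates
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            if tid < 256 or pos + 4 + nfields * 4 > len(body):
                break  # padding or truncated template record
            templates.append(tid)
            pos += 4 + nfields * 4
        if fs_id >= 256:  # data FlowSet, ID names the template that decodes it
            data_ids.append(fs_id)
        offset += fs_len
    missing = sorted(set(data_ids) - set(templates) - set(known_templates))
    return {"version": 9, "ok": not missing, "templates": templates,
            "missing_templates": missing,
            "reason": "data without template" if missing else ""}

# Constructed sample payloads (not captured traffic).
SAMPLE_V5 = struct.pack("!HHIIIIBBH", 5, 1, 0, 0, 0, 0, 0, 0, 0) + bytes(V5_RECORD)
_V9_HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
_TEMPLATE = struct.pack("!8H", 0, 16, 260, 2, 8, 4, 12, 4)  # template 260, 2 fields
_DATA = struct.pack("!HH", 260, 12) + bytes(8)              # one 8-byte record
SAMPLE_V9_DATA_ONLY = _V9_HDR + _DATA
SAMPLE_V9_WITH_TEMPLATE = _V9_HDR + _TEMPLATE + _DATA

if __name__ == "__main__":
    for name in ("SAMPLE_V5", "SAMPLE_V9_DATA_ONLY", "SAMPLE_V9_WITH_TEMPLATE"):
        print(name, inspect_flow_payload(globals()[name]))
```

A v9 exporter sends templates only periodically, so a data-only packet is normal once the template has been received; pass the IDs already seen as `known_templates` when checking later packets.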