No data found - Cisco 2811 router

[swalker76]

We have an older Cisco 2811 router that I am trying to gather information on. The router has a public IP address and the NNA server has a private IP address.

I set up NetFlow on the router and see that it is collecting data. I created a source through my NNA web interface assigning it a port number. I opened that port on the CentOS 7 server running NagiosNA. I then added the router/port to the NNA rule on my main firewall.

I am not seeing any data results showing in the NNA web interface or in the nfcapd files on the CentOS 7 server. I don’t see that any traffic from the router hitting the firewall. Folder and file permissions have been verified.

Any thoughts on what I might have missed?

Thanks -
Steve

[tgriep]

Can the router ping the NNA server and vice versa?
If they are in different networks and the routing is not setup correctly, that could be the issue.

One thing you can try is to run a tcpdump on the NNA server and see if the router's flow data is getting there.
Run this on the NNA server, replace the <interface> option with the ethernet interface name and the xxxx with the port you are sending the flow data on.

Code: Select all

tcpdump -i <interface> -s 65535 port xxxx

Also, make sure the time on the NNA server and the router are in sync, if they are out of sync, the NNA server may not collect the flow data.

[swalker76]

Can the router ping the NNA server and vice versa?
If they are in different networks and the routing is not setup correctly, that could be the issue.

One thing you can try is to run a tcpdump on the NNA server and see if the router's flow data is getting there.
Run this on the NNA server, replace the <interface> option with the ethernet interface name and the xxxx with the port you are sending the flow data on.

Code: Select all

tcpdump -i <interface> -s 65535 port xxxx

Also, make sure the time on the NNA server and the router are in sync, if they are out of sync, the NNA server may not collect the flow data.

Thanks for the reply -

The NNA server can ping the router with no problem. The router though can't ping the server. I'll look into that first.

I notice that the time on the router and server are about 10 milliseconds different. Is that enough of a discrepancy to worry about?

Thanks -
Steve

[tgriep]

10 miliseconds wouldn't stop the capture. I am talking more like 5 to 10 minutes.
Try stopping the firewall completely on the NNA server and see if it starts to receive the flow data.

[swalker76]

10 miliseconds wouldn't stop the capture. I am talking more like 5 to 10 minutes.
Try stopping the firewall completely on the NNA server and see if it starts to receive the flow data.

Still not seeing data. I'm thinking the problem is between my router and my firewall which sits in front of the NNA server.

[tgriep]

That would be my guess as well.
Verify that the setting in the router are correct for the NNA server's IP address and the port.
Post the config so we can view the settings as well as the output from this command run on the NNA server.

Code: Select all

ps -ef --cols=300

[swalker76]

That would be my guess as well.
Verify that the setting in the router are correct for the NNA server's IP address and the port.
Post the config so we can view the settings as well as the output from this command run on the NNA server.

Code: Select all

ps -ef --cols=300

Here's what I used to configure the router:
configure terminal
interface FastEthernet0/0
ip route-cache flow
exit
ip flow-export destination 192.168.13.80 9947
version 5
exit
clear ip flow stats

Tee output from

#show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 192.168.13.80 (9947)
Exporting using source IP address 199.127.134.70
Version 5 flow records
23785 flows exported in 793 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures

#show ip flow interface
FastEthernet0/0
ip route-cache flow

The firewall that lives between the router and the internal NNA server is configured to let the IP address for FastEthernet0/0 (97.107.76.253) through to 192.168.13.80 udp/9947

The ps -ef output for NNA related processes running on .80 are:
(this flow is working fine)
nna 24997 1 0 13:49 ? 00:00:00 /usr/local/bin/nfcapd -I 3 -l /usr/local/nagiosna/var/grcompare/flows -p 9946 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/grcompare/9946.pid -D -e -w -z
nna 24998 24997 0 13:49 ? 00:00:00 /usr/local/bin/nfcapd -I 3 -l /usr/local/nagiosna/var/grcompare/flows -p 9946 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/grcompare/9946.pid -D -e -w -z

(this is the router flow)
nna 25005 1 0 13:49 ? 00:00:00 /usr/local/bin/nfcapd -I 4 -l /usr/local/nagiosna/var/Cisco2811Router/flows -p 9947 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/Cisco2811Router/9947.pid -D -e -w -z
nna 25006 25005 0 13:49 ? 00:00:00 /usr/local/bin/nfcapd -I 4 -l /usr/local/nagiosna/var/Cisco2811Router/flows -p 9947 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/Cisco2811Router/9947.pid -D -e -w -z

Thanks -
Steve

[tacolover101]

using a tcpdump, are you able to see the data either sending or receiving at the firewall or NNA level?

[swalker76]

using a tcpdump, are you able to see the data either sending or receiving at the firewall or NNA level?

No. I've discovered a problem with the configuration of the router that I'm addressing now to see if that helps.

Thanks -
Steve

[cdienger]

Thanks for the update. Keep us posted and let us know if there's anything on our end we can help with.