Aruba controller ipfix data

This support forum board is for support questions relating to Nagios Network Analyzer, our network traffic and bandwidth analysis solution.
rhassing
Posts: 412
Joined: Sat Oct 05, 2013 10:29 pm
Location: Netherlands

Aruba controller ipfix data

Post by rhassing »

Hello,

I have two Aruba 7010 controllers from which I would like to collect flow data.

On the controller I have configured the following:

Code:

IP Flow Collector Profile
-------------------------
Parameter                                         Value
---------                                         -----
State                                             Enabled
Interval (minutes) to upload all active sessions  5
Interval (minutes) to upload cache snapshot       5
Interval (minutes) to upload IPFIX template       5
Transport Protocol for collector connection       udp
IPFIX Collector IP address                        192.168.41.83
Transport Port for collector connection           6705
Flow Cache size in entries                        10000
Observation Domain                                10
Wireless Export                                   Enabled

I can see that the controller is sending data:

Code:

(Aruba7010-K) [MDC] *#show ip-flow-export collector 

Observation Domain: 10
Collector IP 192.168.41.83, protocol udp, port 6705, enabled (wireless-export), connected
Upload template every 5 minute(s), upload all sessions every 5 minute(s), upload flow cache snapshot every 5 minute(s)

UNIFLOW, flow cache size 10000,  flows exported 255466, next sequence 255466, 6265 packets, 8800382 bytes
Last template send: 13:20:34 05-04-2021, last dispatch: 13:18:03 05-04-2021, 1894 flows(1539 ID-300, 44 ID-301, 311 ID-302)
0 Connect errors, 0 connection resets, 0 send errors, 0 flows dropped, 0 blocked sends
(Aruba7010-K) [MDC] *#

I also captured the data with tcpdump on the NNA. I could send the file if needed.

Best regards,
Rob Hassing
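The export status in the post above lists template IDs 300 to 302 and a template resend every 5 minutes; over UDP, a collector cannot decode a data set until it has seen the matching template. The following is an added example (not part of the original posts, and not Nagios or Aruba code) that walks IPFIX payloads, such as those extracted from a tcpdump capture, and reports data sets that arrive before their template. The sample messages are constructed, and the field layout given to template 300 is an assumption.

```python
import struct

def parse_templates(body):
    """Template set body -> {template_id: [(ie_id, length, enterprise_no), ...]}."""
    out, off = {}, 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        if tid < 256:                      # zero padding at the end of the set
            break
        off += 4
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, off)
            # Enterprise bit set: a 4-byte private enterprise number follows.
            pen = struct.unpack_from("!I", body, off + 4)[0] if ie & 0x8000 else None
            off += 8 if ie & 0x8000 else 4
            fields.append((ie & 0x7FFF, flen, pen))
        out[tid] = fields
    return out

def walk_message(payload, known):
    """Add this payload's templates to `known`; return (domain, orphan data set IDs)."""
    version, length, _, _, domain = struct.unpack_from("!HHIII", payload, 0)
    if version != 10 or length > len(payload):
        raise ValueError("not a complete IPFIX (version 10) message")
    orphans, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", payload, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError(f"bad set length {set_len} at offset {off}")
        if set_id == 2:                    # template set
            known.update(parse_templates(payload[off + 4:off + set_len]))
        elif set_id >= 256 and set_id not in known:
            orphans.append(set_id)         # data set the collector cannot decode yet
        off += set_len
    return domain, orphans

def _msg(domain, set_id, body):            # constructed-sample helper: one set per message
    hdr = struct.pack("!HHIII", 10, 20 + len(body), 0, 0, domain)
    return hdr + struct.pack("!HH", set_id, 4 + len(body)) + body

# Constructed sample; template 300 = IEs 8, 12, 1 (src/dst IPv4, octetDeltaCount).
TEMPLATE_300 = struct.pack("!8H", 300, 3, 8, 4, 12, 4, 1, 8)
MSG_TEMPLATE = _msg(10, 2, TEMPLATE_300)
MSG_DATA = _msg(10, 300, bytes([10, 0, 0, 1, 10, 0, 0, 2]) + struct.pack("!Q", 1500))

if __name__ == "__main__":
    known = {}
    print([walk_message(m, known) for m in (MSG_DATA, MSG_TEMPLATE, MSG_DATA)])
```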
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Aruba controller ipfix data

Post by gsmith »

Hi Rob,

What seems to be the problem? Is the NNA not showing the data?

Thanks
rhassing
Posts: 412
Joined: Sat Oct 05, 2013 10:29 pm
Location: Netherlands

Re: Aruba controller ipfix data

Post by rhassing »

That's the problem indeed.
It says no data (for both controllers).
Rob Hassing
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Aruba controller ipfix data

Post by gsmith »

Hi Rob,

Take a look in /usr/local/nagiosna/var. Do you see a directory for each switch?

If not please check the firewall:
sudo firewall-cmd --list-ports

It should come back with something like:
80/tcp 443/tcp 9915/udp 2205/udp 6705/udp

Let me know what you find out.

Thanks
rhassing
Posts: 412
Joined: Sat Oct 05, 2013 10:29 pm
Location: Netherlands

Re: Aruba controller ipfix data

Post by rhassing »

Take a look in /usr/local/nagiosna/var. Do you see a directory for each switch?

Code:

[root@NagiosNA ~]# ls -l /usr/local/nagiosna/var/
total 10624
drwsrwxr-t  3 nna    users     4096  4 mei 11:57 Aruba7010K
drwsrwxr-t  3 nna    users     4096  4 mei 11:57 Aruba7010Z
-rw-r--r--  1 nna    nnacmd  314438  6 mei 07:20 backend.log
-rw-r--r--  1 nna    nnacmd 1048542  6 mei 02:05 backend.log.1
-rw-r--r--  1 nna    nnacmd 1048504 18 apr 08:10 backend.log.10
-rw-r--r--  1 nna    nnacmd 1048568  5 mei 08:10 backend.log.2
-rw-r--r--  1 nna    nnacmd 1048547  4 mei 14:20 backend.log.3
-rw-r--r--  1 nna    nnacmd 1048477  2 mei 13:45 backend.log.4
-rw-r--r--  1 nna    nnacmd 1048424 30 apr 05:05 backend.log.5
-rw-r--r--  1 nna    nnacmd 1048539 27 apr 20:15 backend.log.6
-rw-r--r--  1 nna    nnacmd 1048213 25 apr 11:25 backend.log.7
-rw-r--r--  1 nna    nnacmd 1048088 23 apr 02:30 backend.log.8
-rw-r--r--  1 nna    nnacmd 1048530 20 apr 17:30 backend.log.9
-rw-r--r--. 1 nna    users        1  6 mei 07:21 cmdsubsys.log
-rw-r--r--. 1 root   root         4 18 mrt  2020 nna-itype
drwsrwxr-t  4 nna    users     4096  4 mei 11:57 ReneSwitch
drwsrwxr-t  4 nna    users     4096  4 mei 11:57 RHGSwitch2
drwsrwxr-t  3 nna    users     4096  4 mei 11:57 SW2
drwxr-xr-x  2 apache nnacmd    4096 11 apr 02:10 upgrades
[root@NagiosNA ~]#

sudo firewall-cmd --list-ports

Code:

80/tcp 443/tcp 6700/udp 6701/udp 6703/udp 6705/udp 6706/udp

Rob Hassing
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Aruba controller ipfix data

Post by gsmith »

That all looks good.

In each Arubaxxx directory you should see something similar to:

Code:

-rw-r--r-- 1 nna users       5 May  5 09:47 6705.pid
-rw-r--r-- 1 nna users 1255360 May  6 11:15 bandwidth.rrd
drwxr-xr-x 2 nna users   12288 May  6 11:15 flows

The bandwidth.rrd and the flows directory should be getting modified every 5 minutes. Is that happening?

Also, see the number of the .pid file - 6705 in my example. Use it
in this command and let me know what you see:

Code:

ps -ef | grep 6705

Thanks
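The checks requested in this thread (a pid file, a live collector process, and bandwidth.rrd and flows/ being updated every 5 minutes) combined into one script. This is an added example, not Nagios code: the directory layout is assumed from the listings in the thread, and `check_source` is a hypothetical name.

```python
import os
import sys
import time
from pathlib import Path

def check_source(src_dir, interval_min=5, now=None):
    """Return a list of problems found in one flow-source directory."""
    src, now, problems = Path(src_dir), now or time.time(), []
    max_age = 2 * interval_min * 60            # tolerate one missed rotation
    pidfiles = list(src.glob("*.pid"))
    if not pidfiles:
        problems.append("no <port>.pid file: collector was never started")
    for pf in pidfiles:
        try:
            os.kill(int(pf.read_text().strip()), 0)   # signal 0 only tests existence
        except (ValueError, ProcessLookupError):
            problems.append(f"{pf.name}: stale or unreadable pid")
        except PermissionError:
            pass                               # process exists, owned by another user
    rrd = src / "bandwidth.rrd"
    if not rrd.exists() or now - rrd.stat().st_mtime > max_age:
        problems.append("bandwidth.rrd missing or not updated recently")
    flows = src / "flows"
    # Rotated capture files are named nfcapd.<YYYYMMDDhhmm>, as in the thread.
    captures = list(flows.glob("nfcapd.[0-9]*")) if flows.is_dir() else []
    newest = max((p.stat().st_mtime for p in captures), default=0)
    if now - newest > max_age:
        problems.append("no recent nfcapd.<timestamp> file in flows/")
    return problems

if __name__ == "__main__":
    # Usage: pass one or more source directories under /usr/local/nagiosna/var
    for d in sys.argv[1:]:
        print(d, check_source(d) or "ok")
```

An empty result only shows that the collector is running and rotating files; it does not prove that the files contain decodable flow records.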
rhassing
Posts: 412
Joined: Sat Oct 05, 2013 10:29 pm
Location: Netherlands

Re: Aruba controller ipfix data

Post by rhassing »

The rrd file seems to be updated every 5 minutes:

Code:

[root@NagiosNA ~]# ls -l /usr/local/nagiosna/var/Aruba7010K
total 1256
-rw-r--r-- 1 nna nnacmd       6  4 mei 11:57 6705.pid
-rw-r--r-- 1 nna users  1255360  7 mei 11:55 bandwidth.rrd
drwxr-xr-x 2 nna users    20480  7 mei 11:55 flows

Code:

[root@NagiosNA ~]# ps -ef | grep 6705
root     27516  3736  0 11:57 pts/0    00:00:00 grep --color=auto 6705
nna      61112     1  0 mei04 ?        00:00:03 /usr/local/bin/nfcapd -I 5 -l /usr/local/nagiosna/var/Aruba7010K/flows -p 6705 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/Aruba7010K/6705.pid -D -e -w -z -T all
nna      61113 61112  0 mei04 ?        00:00:00 /usr/local/bin/nfcapd -I 5 -l /usr/local/nagiosna/var/Aruba7010K/flows -p 6705 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/Aruba7010K/6705.pid -D -e -w -z -T all
[root@NagiosNA ~]#

Rob Hassing
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Aruba controller ipfix data

Post by gsmith »

Hi

That all looks fine.

Please grab the log files (as root):

Code:

cd /tmp
mkdir log
cd log
cp /usr/local/nagiosna/var/*log* .
ll
cd /tmp
tar czvf log.tar.gz log

Share the log.tar.gz in a private message and then reply to this post to bring it up in the queue.

Thank you
rhassing
Posts: 412
Joined: Sat Oct 05, 2013 10:29 pm
Location: Netherlands

Re: Aruba controller ipfix data

Post by rhassing »

I just sent the log file in a private message.
Rob Hassing
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Aruba controller ipfix data

Post by gsmith »

Hi

There are errors in the logs so please do the following from a shell on the NNA server and capture
both the command and the output:

Code:

su - nna    

/usr/local/bin/nfdump -r /usr/local/nagiosna/var/Aruba7010K/flows/nfcapd.202105071255 -o csv -s srcip net

/usr/local/bin/nfdump -r /usr/local/nagiosna/var/Aruba7010Z/flows/nfcapd.202105071255 -o csv -s srcip net

/usr/local/bin/nfdump -r /usr/local/nagiosna/var/ReneSwitch/flows/nfcapd.202105071255 -o csv -s srcip net

/usr/local/bin/nfdump -r /usr/local/nagiosna/var/RHGSwitch2/flows/nfcapd.202105071255 -o csv -s srcip net

/usr/local/bin/nfdump -r /usr/local/nagiosna/var/SW2/flows/nfcapd.202105071255 -o csv -s srcip net 

/usr/local/nagiosna/bin/reap_files.py  /usr/local/nagiosna/var/RHGSwitch2/flows nfcapd.202105071255 1

ls -l /usr/local/nagiosna/var/RHGSwitch2

ls -l /usr/local/nagiosna/var/RHGSwitch2/flows

You can attach the results in your reply, or if you are concerned about security you can attach them
to a PM, and then post on this thread that they have been sent.

Thanks