Cisco 4500x not receiving data

[email protected] · Post by **[email protected]** » Wed Aug 31, 2016 3:58 pm

Hello,

I'm new to this customer forum. I recently configured our network analyzer on our network using CentOS 7. I have a BigIP LTM switch configured for SFLOW. It is receiving data without any problems. However, I configure my Cisco 4500x for NetFlow data and I'm not receiving any data. I've turned on the iptables on the CentOS box and still on data. I'm not sure how to proceed in retrieving this data. I appreciate any input into resolving this data flow issue.

Thanks

bwallace · Post by **bwallace** » Wed Aug 31, 2016 4:44 pm

On the Network Analyzer machine navigate to /usr/local/nagiosna/var/<Cisco Source name>/flows. Run an 'll' command every 5 minutes. Do the files grow in size, remain static? Feel free to post the output here.

Also, on your NA machine run a tcpdump and filter for the port of this Cisco device. If we see traffic arriving @ NA on this port then we'll know to troubleshoot there. If no traffic, then we'll need to focus on the device's netflow config.

tcpdump -i any port <source port>

[email protected] · Post by **[email protected]** » Thu Sep 01, 2016 7:19 am

The data from nagios is listed below:
drwxr-xr-x 3 nna users 4096 Aug 31 15:04 Cat4500xPR
drwxr-xr-x 3 nna users 4096 Aug 31 10:58 UTSharedF5Gateway

The tcpdump is not returning any data from:
tcpdump -i any port 6344

bwallace · Post by **bwallace** » Thu Sep 01, 2016 9:58 am

Thanks, since the tcpdump shows zero packets arriving at NA, we'll need to focus on the configuration of the 4500x device. Are you able to show the netflow config? Does it resemble the config outlined here?
https://www.lancope.com/wiki/cisco-catalyst-4500x

Perhaps you've already seen this one:
http://www.cisco.com/c/en/us/td/docs/sw ... witch.html

We do not have this device on hand to test with otherwise I 'd gladly test it out. Let me know if the links above helped to reveal a misconfiguration somewhere. Until we see packets arriving at the NA box, the issue is network or device related.

Post by **lmiltchev** » Thu Sep 01, 2016 9:59 am

Run the commands below, and show the output:

Code: Select all

ls -lat /usr/local/nagiosna/var/Cat4500xPR/flows/ | tail
ls -lat /usr/local/nagiosna/var/UTSharedF5Gateway/flows/ | tail
tcpdump -i eth0 port <port>

where you use the actual listening port on your source. Wait for a little bit after you run the last command. When you see some output, stop the tcpdump (Ctrl + c), then copy/paste the output.

Note: If your interface is not called "eth0", use the correct name.

[email protected] · Post by **[email protected]** » Thu Sep 01, 2016 10:31 am

The current configuration on the Cisco 4500x is:

flow record r6344
match ipv4 source address
match ipv4 destination address
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter e6344
destination 10.215.0.10
transport udp 6344
export-protocol netflow-v5
!
!
flow monitor m6344
record r6344
exporter e6344
cache timeout inactive 30
cache timeout active 60
cache entries 1000
!
vlan configuration 1151-1153,1158-1162,1168-1170,1203
ip flow monitor m6344 layer2-switched input
vlan internal allocation policy ascending
!

[email protected] · Post by **[email protected]** » Thu Sep 01, 2016 10:36 am

Here is the data from the flows:

[root@nagios-na data]# ls -lat /nagios/data/Cat4500xPR/flows/ | tail
-rw-r--r-- 1 nna users 276 Aug 31 15:45 nfcapd.201608311540
-rw-r--r-- 1 nna users 276 Aug 31 15:40 nfcapd.201608311535
-rw-r--r-- 1 nna users 276 Aug 31 15:35 nfcapd.201608311530
-rw-r--r-- 1 nna users 276 Aug 31 15:30 nfcapd.201608311525
-rw-r--r-- 1 nna users 276 Aug 31 15:25 nfcapd.201608311520
-rw-r--r-- 1 nna users 276 Aug 31 15:20 nfcapd.201608311515
-rw-r--r-- 1 nna users 276 Aug 31 15:15 nfcapd.201608311510
-rw-r--r-- 1 nna users 276 Aug 31 15:10 nfcapd.201608311505
-rw-r--r-- 1 nna users 276 Aug 31 15:05 nfcapd.201608311500
drwxr-xr-x 3 nna users 4096 Aug 31 15:04 ..
[root@nagios-na data]# ls -lat /nagios/data/UTSharedF5Gateway/flows/ | tail
-rw-r--r-- 1 nna users 57144 Aug 31 11:40 nfcapd.201608311135
-rw-r--r-- 1 nna users 55977 Aug 31 11:35 nfcapd.201608311130
-rw-r--r-- 1 nna users 53377 Aug 31 11:30 nfcapd.201608311125
-rw-r--r-- 1 nna users 60599 Aug 31 11:25 nfcapd.201608311120
-rw-r--r-- 1 nna users 63847 Aug 31 11:20 nfcapd.201608311115
-rw-r--r-- 1 nna users 63410 Aug 31 11:15 nfcapd.201608311110
-rw-r--r-- 1 nna users 66086 Aug 31 11:10 nfcapd.201608311105
-rw-r--r-- 1 nna users 77163 Aug 31 11:05 nfcapd.201608311100
-rw-r--r-- 1 nna users 17205 Aug 31 11:00 nfcapd.201608311055
drwxr-xr-x 3 nna users 4096 Aug 31 10:58 ..

[email protected] · Post by **[email protected]** » Thu Sep 01, 2016 10:45 am

When I add the eth0 adapter to the tcpdump command, I still get on data. When I change the tcpdump command to the F5 session, it is returning data. An example of that data is below:

[root@nagios-na data]# tcpdump -i ens160 port 6343
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes
10:43:30.754117 IP ltm-ardc-1.support.shared.utsystem.edu.24699 > nagios-na.support.shared.utsystem.edu.sflow: sFlowv5, IPv4 agent 10.215.250.10, agent-id 2, length 168
10:43:31.045959 IP ltm-ardc-1.support.shared.utsystem.edu.40653 > nagios-na.support.shared.utsystem.edu.sflow: sFlowv5, IPv4 agent 10.215.250.10, agent-id 1, length 188

[email protected] · Post by **[email protected]** » Thu Sep 01, 2016 11:14 am

flow record r6344:
Description: User defined
No. of users: 1
Total field space: 38 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect interface input
collect interface output
collect counter bytes long
collect counter packets long

Flow Monitor m6344:
Description: Used for Monitoring IPv4 Traffic
Flow Record: r6344
Flow Exporter: e6344
Cache:
Type: normal
Status: allocated
Size: 4096 entries / 311316 bytes
Inactive Timeout: 15 secs
Active Timeout: 1800 secs
Update Timeout: 1800 secs

Flow Exporter e6344:
Description: User defined
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 10.215.0.10
Source IP address: 10.215.1.8
Transport Protocol: UDP
Destination Port: 6344
Source Port: 56262
DSCP: 0x0
TTL: 255
Output Features: Not Used

Post by **tgriep** » Thu Sep 01, 2016 4:01 pm

In your last example, I do not see the setting where you add the flow exporter to the interface or VLAN you want to monitor.
If you haven't set that up, do it and that should fix it for you.
If it is already setup, can you post how it it configured.

Another thing that is very important. The time between the NNA server and the device sending the flows has to be in sync, check that and let up know if it is.

Nagios Support Forum

Cisco 4500x not receiving data

Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data

Re: Cisco 4500x not receiving data