Nagios Support Forum

Hi All,

Environment:

Server Side

-> RHEL 7.2
-> Nagios NA 2.2.3
-> Iptables Disabled
-> Port Listening 9996

# ss -taupn| grep 996
udp UNCONN 0 0 *:9996 *:* users:(("nfcapd",pid=8776,fd=6))


Client Side

-> Cisco ASA

------------------------------

Configured Source -> ASA
Listening Port -> 9996
Inc Flow Type -> NetFlow

-----------------------------

Actual Results: From Nagios I don't see any data on the dashboards, like 'no packet captured'
Expected Results: Nagios showing captured NFlows

---------------------------


Troubleshooting:


# ps axu | grep /usr/local/nagiosna/var/ASA
nna 8776 0.0 0.0 18232 3112 ? S 14:18 0:00 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/ASA/flows -p 9996 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/ASA/9996.pid -D -e -w -z
nna 8777 0.0 0.0 6816 824 ? S 14:18 0:00 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/ASA/flows -p 9996 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/ASA/9996.pid -D -e -w -z
root 9331 0.0 0.0 112652 972 pts/0 S+ 14:29 0:00 grep --color=auto /usr/local/nagiosna/var/ASA
You have new mail in /var/spool/mail/root


# nfdump -r /usr/local/nagiosna/var/ASA/flows/*current*
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
No matched flows


----------------



tcpdump -T cnfp -i ens32 -vvv
tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size 65535 bytes
14:30:29.712460 IP (tos 0x0, ttl 64, id 26760, offset 0, flags [DF], proto TCP (6), length 307)
mgmon003....60180 > mgldap01....ldap: Flags [P.], cksum 0xe638 (incorrect -> 0xbbb4), seq 3265917526:3265917781, ack 2084619901, win 245, options [nop,nop,TS val 4847199 ecr 1243435450], length 255
14:30:29.716022 IP (tos 0x0, ttl 64, id 5373, offset 0, flags [DF], proto TCP (6), length 66)
mgldap01....ldap > mgmon003....60180: Flags [P.], cksum 0xa218 (correct), seq 1:15, ack 255, win 661, options [nop,nop,TS val 1243440204 ecr 4847199], length 14
14:30:29.716042 IP (tos 0x0, ttl 64, id 26761, offset 0, flags [DF], proto TCP (6), length 52)
mgmon003....60180 > mgldap01....ldap: Flags [.], cksum 0xe539 (incorrect -> 0x0639), seq 255, ack 15, win 245, options [nop,nop,TS val 4847203 ecr 1243440204], length 0
14:30:29.716187 IP (tos 0x0, ttl 64, id 26762, offset 0, flags [DF], proto TCP (6), length 234)
mgmon003....60180 > mgldap01....ldap: Flags [P.], cksum 0xe5ef (incorrect -> 0x05e8), seq 255:437, ack 15, win 245, options [nop,nop,TS val 4847203 ecr 1243440204], length 182
14:30:29.718423 IP (tos 0x0, ttl 64, id 5374, offset 0, flags [DF], proto TCP (6), length 66)
mgldap01.metrogas.com.ar.ldap > mgmon003.metrogas.com.ar.60180: Flags [P.], cksum 0xa04f (correct), seq 15:29, ack 437, win 661, options [nop,nop,TS val 1243440205 ecr 4847203], length 14
14:30:29.718967 IP (tos 0x10, ttl 64, id 55843, offset 0, flags [DF], proto TCP (6), length 184)
14:30:29.719182 IP (tos 0x10, ttl 64, id 32929, offset 0, flags [DF], proto TCP (6), length 52)
14:30:29.757952 IP (tos 0x0, ttl 64, id 26763, offset 0, flags [DF], proto TCP (6), length 52)
mgmon003....60180 > mgldap01....ldap: Flags [.], cksum 0xe539 (incorrect -> 0x054a), seq 437, ack 29, win 245, options [nop,nop,TS val 4847245 ecr 1243440205], length 0
14:30:29.763273 IP (tos 0x0, ttl 128, id 12783, offset 0, flags [none], proto UDP (17), length 78)
MGPAP107....netbios-ns > 10.20.239.255.netbios-ns: NetFlow vdeaa, 65.536 uptime, 0.541476934, 272 recs

4:31:41.083415 IP (tos 0x0, ttl 64, id 10753, offset 0, flags [DF], proto UDP (17), length 356)
mgcldns1....domain > mgmon003....60916: NetFlow v639e, 65.537 uptime, 458757.053556788, 34176 recs
started 786.433, last 3222011.916
3.50.51.49:1 > 2.50.48.2:1 >> 49.48.7.105
ip tos 29, 1685193825 (1919967488 octets)
started 22118.400, last 185093.447
8.109.101.116:20545 > 114.111.103.97:20528 >> 115.3.99.111
192 tos 68, 12588032 (33554688 octets)
started 156059.459, last 1279544.915
9.77.71.67:12338 > 76.68.78.83:49220 >> 48.49.192.68
ip tos 2, 65537 (1367343116 octets)
started 1684960.050, last 3225731.092
108.100.110.115:2 > 49.192.68.192:1 >> 20.0.2.0
vmtp tos 128, 2147486472 (1835492204 octets)
started 3232235.521, last 65.537
68.192.20.0:20864 > 2.0.1.0:4 >> 1.81.128.0
231 tos 85, 1346457648 (859095108 octets)
started 65.537, last 1367343.108
10.20.231.95:2580 > 192.214.0.1:59212 >> 0.1.0.1
ip tos 1, 169142091 (3236757505 octets)
14:31:41.091597 IP (tos 0x0, ttl 64, id 26704, offset 0, flags [DF], proto ICMP (1), length 84)
mgmon001...> db_buhod1...: ICMP echo request, id 30581, seq 1, length 64
14:31:41.091982 IP (tos 0x0, ttl 64, id 37653, offset 0, flags [DF], proto UDP (17), length 72)
mgmon003....33173 > mgcldns1....domain: NetFlow vfd75, 65.536 uptime, 0.053556793, 256 recs
14:31:41.092517 IP (tos 0x0, ttl 64, id 10754, offset 0, flags [DF], proto UDP (17), length 354)
mgcldns1....domain > mgmon003....33173: NetFlow vfd75, 65.537 uptime, 458757.053556793, 34176 recs
started 786.433, last 3222011.916
3.50.51.49:1 > 2.50.48.2:1 >> 49.48.7.105
ip tos 27, 1685193825 (1919967488 octets)
started 2147486.472, last 1296519.233
101.116.114.111:20528 > 103.97.115.3:13108 >> 99.111.109.2
192 tos 20, 335544832 (16777553 octets)
started 1129071.694, last 1395667.392
71.80.65.80:17088 > 48.53.55.192:5120 >> 66.192.20.0
icmp tos 0, 22118400 (201936199 octets)
started 1932640.322, last 3222536.194
83.48.50.192:1 > 66.192.20.0:1 >> 2.0.1.0
ip tos 11, 185101671 (1668047982 octets)
started 65.537, last 86.400
20.0.2.0:4 > 1.0.1.81:2580 >> 128.0.11.8
192 tos 212, 1882207027 (3225600189 octets)



--------------------


From my tcpdump you can see that the netflows are incoming... However, they are not being tracked by tcpdump. I attach some screenshots.

Regards,

The number one cause for the NNA server to not capture / display data Is the time settings.
Is your ASA device and the NNA server's time in sync?

Yes! I've seen it on another post - I will ask to the network admin to check that.

I'll let you know how it goes.

Regards.

Sounds good - I'll leave this open awaiting your response.

Hi Guys!

I have asked to the networking team to validate the ASA timestamp. However, I have taken a capture from the netflows and open it with wireshark and the timestamp seems to be ok. I don't know if the timestamp that I am seeing belongs to the ASA or to the NNA. I attach the screenshot anyway.

Regards,

Thanks but I hesitate to trust the Wireshark time - just the settings in Wireshark alone could skew this.

Run the 'date' command on your NNA machine and convince your network team to take maybe 30 seconds to do the same and compare the two. Tgriep is correct in his earlier post, this is always the first thing to check in these scenarios.

If the two devices are in sync, then check / post the following log files to see if there are any errors that can point us in the right direction:

Hi Guys - I have made a test and point a Linux box NetFlows to the NNA and it's working.

So I might think that the networking team has configured something wrong.

I will escalate with them this issue.

Thanks for your help.

This thread can be closed.

Thanks for posting back your findings. I'll close the post and if you have any issues in the future, please open a new post.