Article explains troubleshooting Flexible Netflow in greater detail.
Netflow v9 and Flexible are not the same although Flexible Netflow is based on v9.
Many Cisco devices support these protocols, and some will support only one or the other. More and more of the newer devices are favoring Netflow v9, as this allows the use of "templates".
Netflow v5 has a defined packet structure. This can make it easier to set up, as the receiver will always know the exact structure of the packet it is receiving
In Flexible netflow, the packet structure isn't rigid. The advantage to this is that it is possible to choose which fields to add into the Netflow PDU, so you can choose what information about those conversations is important, and choose to add additional information if you want to – and if the collector can support it.
Currently, the NTA collector only supports the Netflow v5 packets in Netflow v9 so there is no real advantage to using one over the other.
When using Netflow v9, you need to ensure the templates are exported very regularly to the Orion collector – typically every 1 minute. This ensures that the collector can decode the netflow packets it receives correctly.
If you have checked Services are running and other collection is taking place, run a wireshark capture to make sure flows are making it to the server. This article may help further with that:
First check what type of device you are configuring flexible netflow on and what type is desired. Here are a few articles for configuration examples:
|NetFlow Input interface (ifindex of 15 in this example)||cflow.inputint == 15|
|NetFlow Output interface (ifindex of 15 in this example)|| |
cflow.outputint == 15
You should see an Input and and output int. If you see a value of '0' on either side make sure you have a flow monitor configured for each side of the traffic. See Example configs.
'0' values for octets in PDUs will show no flows making it to the Orion server.
You will want to check if the export IP is the same as the source IP. Sometimes you will see multiple IPs assigned to the same netflow source in Orion and you may also see multiple IPs assigned to the device and correct IP not added into Orion as a "Node".
Some cases can be resolved by removing the nodes completely from Orion and adding them back so the Netflow service can detect the flows.