
Troubleshooting IPFIX/Flexible Netflow

Created by Eric Bryant, last modified by MindTouch on Jun 23, 2016


Overview

 

This article explains how to troubleshoot Flexible NetFlow in greater detail.

Environment

  • Netflow, all versions

Detail

NetFlow v9 and Flexible NetFlow are not the same, although Flexible NetFlow is based on v9.

Many Cisco devices support these protocols, and some will support only one or the other. More and more of the newer devices are favoring Netflow v9, as this allows the use of "templates".

NetFlow v5 has a defined packet structure. This can make it easier to set up, as the receiver will always know the exact structure of the packet it is receiving.

In Flexible NetFlow, the packet structure isn't rigid. The advantage is that you can choose which fields to add into the NetFlow PDU, so you can decide what information about those conversations is important and add additional information if you want to, provided the collector can support it.

Currently, the NTA collector only supports the Netflow v5 packets in Netflow v9 so there is no real advantage to using one over the other.

When using Netflow v9, you need to ensure the templates are exported very regularly to the Orion collector – typically every 1 minute. This ensures that the collector can decode the netflow packets it receives correctly.

Check that flows are making it to the (collector) server

If you have confirmed that the services are running and that other collection is taking place, run a Wireshark capture to make sure flows are making it to the server. This article may help further with that:

https://solarwinds-prod.mindtouch.us...t_Available%22

Check Device Configuration

First, check what type of device you are configuring Flexible NetFlow on and what type is desired. Here are a few articles with configuration examples:

https://solarwinds-prod.mindtouch.us...co_6509_Switch

https://solarwinds-prod.mindtouch.us...treme_networks

https://solarwinds-prod.mindtouch.us...le_v9_specific

Check that ifIndexes are included in the packet and monitored in Orion

Use these Wireshark display filters on the capture.

NetFlow input interface (ifIndex of 15 in this example):

cflow.inputint == 15

NetFlow output interface (ifIndex of 15 in this example):

cflow.outputint == 15

You should see both an input and an output interface. If you see a value of '0' on either side, make sure you have a flow monitor configured for each side of the traffic. See the example configurations.

Check if octets are present in the flow packet

If the octets in the PDUs have '0' values, no flows will show as making it to the Orion server.
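As a complement to the ifIndex and octets checks above, the following added example (not part of the original article and not SolarWinds code) parses the template FlowSets from a captured NetFlow v9 or IPFIX export payload and reports whether each template carries the input ifIndex, output ifIndex and octets fields at all. The field IDs come from RFC 3954; the function names and the sample packet are constructed for illustration.

```python
import struct

# Field type IDs from RFC 3954 (NetFlow v9); IPFIX uses the same IDs for these.
REQUIRED = {1: "IN_BYTES", 10: "INPUT_SNMP", 14: "OUTPUT_SNMP"}

def parse_templates(payload):
    """Return {template_id: [field_type, ...]} for one v9 or IPFIX export packet."""
    (version,) = struct.unpack_from("!H", payload, 0)
    if version == 9:
        offset, template_set = 20, 0   # 20-byte header, template FlowSet ID 0
    elif version == 10:
        offset, template_set = 16, 2   # 16-byte header, template Set ID 2
    else:
        raise ValueError(f"unsupported export version {version}")
    templates = {}
    while offset + 4 <= len(payload):
        set_id, set_len = struct.unpack_from("!HH", payload, offset)
        if set_len < 4 or offset + set_len > len(payload):
            raise ValueError("malformed or truncated FlowSet")
        pos, end = offset + 4, offset + set_len
        while set_id == template_set and pos + 4 <= end:
            tmpl_id, count = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if tmpl_id < 256:          # zero padding, not a template record
                break
            fields = []
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("template record overruns its FlowSet")
                (ftype,) = struct.unpack_from("!H", payload, pos)
                # IPFIX enterprise fields carry 4 extra bytes and never match REQUIRED
                pos += 8 if version == 10 and ftype & 0x8000 else 4
                fields.append(ftype)
            templates[tmpl_id] = fields
        offset += set_len
    return templates

def missing_fields(fields):
    """Names of the fields the checks above depend on that a template lacks."""
    return [name for fid, name in REQUIRED.items() if fid not in fields]

# Constructed sample: v9 header plus one template (ID 256) without OUTPUT_SNMP.
_fields = [(8, 4), (12, 4), (1, 4), (10, 4)]   # src addr, dst addr, bytes, input if
_record = struct.pack("!HH", 256, len(_fields)) + b"".join(
    struct.pack("!HH", t, l) for t, l in _fields)
SAMPLE = (struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
          + struct.pack("!HH", 0, 4 + len(_record)) + _record)

if __name__ == "__main__":
    for tid, fields in parse_templates(SAMPLE).items():
        print(tid, "missing:", missing_fields(fields) or "none")
```

Feed it the UDP payload of an export packet taken from the Wireshark capture. A packet with no template FlowSet returns an empty dictionary, which only means that particular packet carried data records.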

Check if multiple IPs are assigned to the management interface

Check whether the export IP is the same as the source IP. Sometimes you will see multiple IPs assigned to the same NetFlow source in Orion, and you may also see multiple IPs assigned to the device while the correct IP has not been added into Orion as a "Node".

Check if ifindexes have changed or device has changed in Orion recently

Some cases can be resolved by removing the nodes completely from Orion and adding them back so the Netflow service can detect the flows.

 

 

Last modified
21:00, 22 Jun 2016
