Router 3825 netflow isn't working with WhatsUpGold

Adrian Caba Gutierrez · ‎04-18-2012

Hi,

I have a router cisco 3825, it is configured with netflow for monitoring traffic with WhatsUpGold, but I can't monitor this router I don't know what is the problem.

Device: Router Cisco 3825 IOS: C3825-ADVENTERPRISEK9-M 12.4

Configurations:

ip flow-cache timeout active 1

ip flow-export source GigabitEthernet0/0

ip flow-export version 5

ip flow-export destination 172.20.0.163 9999

Interface which send the netflow to WhatsUp

interface GigabitEthernet0/0

description --------------------------

ip address 172.20.126.2 255.255.255.252

ip flow ingress

ip flow egress

ip route-cache flow

duplex auto

speed auto

media-type sfp

negotiation auto

RT-WAN#show ip flow export

Flow export v5 is enabled for main cache

Exporting flows to 172.20.0.163 (9999)

Exporting using source interface GigabitEthernet0/0

Version 5 flow records

24108565 flows exported in 832819 udp datagrams

0 flows failed due to lack of export packet

1 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

I have a switch4500 12.2 and a router 2801 IOS 15.1 and this device work well with the WhatsUp but these devices have the same configuration.

I see diferents ouputs when I use show ip flow export, this output is for a router that work well with WhatsUp

RT-INT#show ip flow export

Flow export v9 is enabled for main cache

Export source and destination details :

VRF ID : Default

Source(1) 172.20.126.5 (FastEthernet0/1)

Destination(1) 172.20.0.163 (9999)

Version 9 flow records

125871821 flows exported in 4347959 udp datagrams

0 flows failed due to lack of export packet

0 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

Thanks.

Richard Burts · ‎04-22-2012

I do not know that we have enough information yet to really understand the problem or to suggest solutions. But here are a couple of ideas:

- the router that is working has enabled version 9 for NetFlow records while the 3825 has specified version 5. Is WhatsUpGold perhaps expecting version 9 and is not processing version 5 records?

- can you confirm that the 3825 has a valid route to 172.20.0.163 and that packets source from 172.20.126.2 get to it? A simple test for this would be to use extended ping on the 3825 and in the extended ping specify destination address 172.20.0.163 and source address of 172.20.126.2.

- is it possible that there is a firewall or some other device that is filtering traffic on the path between 172.20.126.2 and 172.20.0.163 that could be filtering out the NetFlow packets for some reason?

- could you do some type of packet capture at (or near) the WhatsUpGold server to verify whether the NetFlow from 172.20.126.2 is getting through the network and to the server?

HTH

Rick

HTH

Rick

Adrian Caba Gutierrez · ‎04-23-2012

Thanks Rick, I will try to give a better explanation. In my network I have 3 main devices that I want to monitor the traffic, the switch 4500 and the router 2801 work well with the WhatsUp, my problem is with the router 3825 the WhatsUp don't detect this router but the configurations are similar. There is not problem with the routing I make all tests.

I show the configuration of my router WAN 3825:

version 12.4

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname RT-WAN

!

aaa session-id common

clock timezone XXXXX

no network-clock-participate slot 1

no network-clock-participate wic 0

no network-clock-participate wic 1

voice-card 0

no dspfarm

!

voice-card 1

dspfarm

!

ip cef

!

ip flow-cache timeout active 1

ip name-server 172.20.0.11

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

controller E1 0/0/0

clock source internal

channel-group 0 timeslots 1-31

!

controller E1 0/0/1

clock source internal

channel-group 0 timeslots 1-31

!

controller E1 0/1/0

framing NO-CRC4

clock source internal

channel-group 1 timeslots 9-12

channel-group 2 timeslots 1-4

channel-group 3 timeslots 23-30

channel-group 4 timeslots 5-8

channel-group 5 timeslots 13-14

channel-group 6 timeslots 15-16

!

controller E1 0/1/1

!

ip ssh version 2

!

interface Multilink1

bandwidth 256

ip address 172.20.127.29 255.255.255.252

ip flow ingress

ip flow egress

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 adsdsf

ip tcp header-compression iphc-format

ppp multilink

ppp multilink fragment delay 10

ppp multilink interleave

ppp multilink group 1

ip rtp header-compression iphc-format

!

interface Multilink2

bandwidth 256

ip address 172.20.127.25 255.255.255.252

ip flow ingress

ip flow egress

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 ansfdinsfa

ip tcp header-compression iphc-format

ppp multilink

ppp multilink fragment delay 10

ppp multilink interleave

ppp multilink group 2

ip rtp header-compression iphc-format

!

interface Multilink3

bandwidth 512

ip address 172.20.127.49 255.255.255.252

ip flow ingress

ip flow egress

ip tcp header-compression iphc-format

ip policy route-map Rsfiverbfded

ppp multilink

ppp multilink fragment delay 10

ppp multilink interleave

ppp multilink group 3

ip rtp header-compression iphc-format

!

interface Multilink4

bandwidth 256

ip address 172.20.127.53 255.255.255.252

ip flow ingress

ip flow egress

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 fsdsfd

ip tcp header-compression iphc-format

ppp multilink

ppp multilink fragment delay 10

ppp multilink interleave

ppp multilink group 4

ip rtp header-compression iphc-format

!

interface Multilink5

bandwidth 128

ip address 172.20.127.10 255.255.255.252

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 dgtt

ip tcp header-compression iphc-format

ppp multilink

ppp multilink fragment delay 10

ppp multilink interleave

ppp multilink group 5

ip rtp header-compression iphc-format

!

interface Multilink6

bandwidth 128

ip address 172.20.127.73 255.255.255.252

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 asdndinfsa

ip tcp header-compression iphc-format

load-interval 30

ppp multilink

ppp multilink fragment delay 10

ppp multilink interleave

ppp multilink group 6

ip rtp header-compression iphc-format

!

interface GigabitEthernet0/0

ip address 172.20.126.2 255.255.255.252

ip flow ingress

ip flow egress

ip route-cache flow

duplex auto

speed auto

media-type sfp

negotiation auto

!

interface GigabitEthernet0/1

ip address 172.20.126.25 255.255.255.248

ip virtual-reassembly

duplex auto

speed auto

media-type rj45

!

interface FastEthernet0/2/0

switchport access vlan 69

spanning-tree portfast

!

interface FastEthernet0/2/1

switchport access vlan 72

duplex half

speed 100

spanning-tree portfast

!

interface FastEthernet0/2/2

switchport access vlan 73

!

interface FastEthernet0/2/3

switchport access vlan 71

!

interface Serial0/0/0:0

bandwidth 2048

ip address 172.20.127.13 255.255.255.252

ip flow ingress

ip flow egress

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 asfsndifsfna

!

interface Serial0/0/1:0

bandwidth 2048

ip address 172.20.127.1 255.255.255.252

ip flow ingress

ip flow egress

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 Xzdfdfd

service-policy output srz_rd

!

interface Serial0/1/0:1

bandwidth 256

no ip address

encapsulation ppp

load-interval 30

ppp multilink

ppp multilink group 1

!

interface Serial0/1/0:2

bandwidth 256

no ip address

encapsulation ppp

load-interval 30

ppp multilink

ppp multilink group 2

!

interface Serial0/1/0:3

bandwidth 512

no ip address

encapsulation ppp

ppp multilink

ppp multilink group 3

!

interface Serial0/1/0:4

bandwidth 256

no ip address

encapsulation ppp

load-interval 30

no fair-queue

ppp multilink

ppp multilink group 4

!

interface Serial0/1/0:5

bandwidth 128

no ip address

encapsulation ppp

load-interval 30

ppp multilink

ppp multilink group 5

!

interface Serial0/1/0:6

bandwidth 128

no ip address

encapsulation ppp

load-interval 30

ppp multilink

ppp multilink group 6

!

interface Serial0/3/0

no ip address

shutdown

clock rate 2000000

!

interface Serial0/3/1

no ip address

shutdown

clock rate 2000000

!

interface Vlan1

no ip address

!

interface Vlan69

ip address 172.20.127.69 255.255.255.252

ip flow ingress

ip flow egress

!

interface Vlan70

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan71

ip address 172.20.127.82 255.255.255.248

ip flow ingress

ip flow egress

!

interface Vlan72

ip address 172.20.127.90 255.255.255.248

ip flow ingress

ip flow egress

!

interface Vlan73

description "Rsdfsdfsdfsdfdsa"

ip address 172.20.127.77 255.255.255.252

!

router eigrp 1

redistribute static

redistribute rip metric 10000 100 200 50 1500

network 172.20.126.2 0.0.0.0

network 172.20.126.24 0.0.0.7

network 172.20.127.1 0.0.0.0

network 172.20.127.10 0.0.0.0

network 172.20.127.13 0.0.0.0

network 172.20.127.25 0.0.0.0

network 172.20.127.29 0.0.0.0

network 172.20.127.49 0.0.0.0

network 172.20.127.53 0.0.0.0

network 172.20.127.73 0.0.0.0

network 172.20.127.72 0.0.0.3

network 172.20.127.76 0.0.0.3

network 172.20.127.80 0.0.0.7

network 172.20.127.88 0.0.0.7

no auto-summary

!

ip flow-export source GigabitEthernet0/0

ip flow-export version 5

ip flow-export destination 172.20.0.163 9999

!

route-map sdsdd permit 10

match ip address Rfsfsdfd

set ip next-hop 172.20.126.26

!

tacacs-server host 172.20.0.142

tacacs-server directed-request

tacacs-server key 7 101A071DE343F2D270B081763

!

control-plane

!

end

When I put the command "show ip flow export" the output are differents I don't know why I show the outputs.

This device Router Internet work well:

RT-INT#show ip flow export

Flow export v9 is enabled for main cache

Export source and destination details :

VRF ID : Default

Source(1) 172.20.126.5 (FastEthernet0/1)

Destination(1) 172.20.0.163 (9999)

Version 9 flow records

125871821 flows exported in 4347959 udp datagrams

0 flows failed due to lack of export packet

0 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

This device Router WAN isn't working:

RT-SCZ-WAN#show ip flow export

Flow export v9 is enabled for main cache

Exporting flows to 172.20.0.163 (9999)

Exporting using source interface GigabitEthernet0/1

Version 9 flow records

84829213 flows exported in 2874773 udp datagrams

0 flows failed due to lack of export packet

3 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

Thanks.

Adrian Caba Gutierrez · ‎04-26-2012

I solve the problem, it was a problem with the server WhatsUpGold.

Thanks.