config OK but no flows on Scrutinizer

[shadowman724]

Hi,
I correctly configured a PPP interface and a frame-relay subinterface to send netflow data to Scrutinizer server. However, I get grey lines on the Device Details submenu, and they do not show in the Status board.
any idea?

[BenjaminM]

Hello shadowman724,

Are the gray lines your referring to the direction of flow? If you click the "include hidden" button will it show interfaces that have a direction?

To double check the flows the server, you can download an application Wireshark. It will allow you to see the packets that are coming into the server at the nic level.

Thanks,
Ben

[shadowman724]

Hello shadowman724,

Are the gray lines your referring to the direction of flow? If you click the "include hidden" button will it show interfaces that have a direction?

To double check the flows the server, you can download an application Wireshark. It will allow you to see the packets that are coming into the server at the nic level.

Thanks,
Ben

On Status -> Device Explorer -> click on device -> Device Details, there are entries in white background (they correpond the the monitored interfaces) and entries in light grey. I'm referring to the interfaces with light green background. and by the way, they are not hidden. So Scrutinizer is not able to gather flows from these interfaces, although netflow configuration is the same as other working interfaces.

[BenjaminM]

Hello shadowman724,

Can you send me a screen capture of this?

Thanks,
Ben

[shadowman724]

Hi Benjamin,
I attached a screen capture. Please feel free to ask for any other information that could help fix the issue.

[BenjaminM]

Hello shadowman724,

Does the interface "Connexion LaPos..." show up in Wireshark? This will tell us if the interface data is getting to the server.

Thanks,
Ben

[shadowman724]

I see netflow traffic being sent from router to Scrutinizer. But how can I tell if the packets correspond to the desired interface or not? I'm asking this question because there are a couple of other interfaces that send flow too.

[shadowman724]

Hello shadowman724,

Does the interface "Connexion LaPos..." show up in Wireshark? This will tell us if the interface data is getting to the server.

Thanks,
Ben

I see a few flows coming on Wireshark. But how can we confirm that they correspond to the interface we'd like to monitor?

[BenjaminM]

Hi shadowman724,

The inputint of the interface was 29. If you find a random flow and find the inputint under Cisco NetFlow/IPFIX>FlowSet>Flow1. Apply it as a filter and look for the device that is sending that interface.

Also keep in mind to right click the netflow packets and select 'Decode As..." and select CFLOW.

Thanks,
Ben

[shadowman724]

First, thanks for the screenshot
I can see there are flows. But when I make the correspondance between interface-index and wireshark captures, there are no flows that match the interface I'd like to monitor. There are repeated entries that match the same interfaces over and over. Does it mean that there is no traffic on the interface I want to monitor?

[pauld]

Hi shadowman724,

If you're certain that there is traffic going over the interface you're trying to monitor with NetFlow and you're not seeing it in Wireshark, then it sounds like the interface hasn't been configured correctly for NetFlow.

What type of device are you trying to configure?

Can you send me your NetFlow and interface configuration?

- Paul

[shadowman724]

Hi,
Device is Cisco 3925. Here is the netflow and interface config:

ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0.1
ip flow-export version 9
ip flow-export destination 172.16.10.242 9997 <-- netflow server on which we did wireshark captures
!
interface Serial0/0/2
description --- LS Laposte ---
ip address xxxx xxxx
ip flow ingress
ip flow egress
encapsulation ppp
no cdp enable


TNRTEXCS01A1#sh ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 172.16.3.253 (GigabitEthernet0/0.1)
Destination(1) 172.16.10.242 (9997)
Version 9 flow records
71683949 flows exported in 2490227 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures

[pauld]

Hi Shadowman724,

From one of your earlier screen shots I see a lot of sub interfaces, but you sent me the config for the physical interface -- The config you sent me does not monitor any sub interfaces on s0/0/2.

Do you have the "ip flow ingress" statement on the sub interfaces that you're looking to monitor?

- Paul

[shadowman724]

Paul,
I'm trying to monitor netflow on both the PPP interface and on subinterfaces.

Here is the configuration:

interface Serial0/0/2
description --- LS ---
ip address xxxx xxxx
ip flow ingress
ip flow egress
encapsulation ppp
no cdp enable
!

interface Serial0/0/0.21 point-to-point
description ********** backup **********
ip address xxxx xxxx
ip flow ingress
ip flow egress
no cdp enable
frame-relay interface-dlci 21
end

but in Scrutinizer, the interfaces appear greyed (plase look at the screenshot)

[scottr]

Hello,

Can you do a "show ip cache flow" command on the router, to check if we are indeed seeing flows from this interface.

Scott