Troubleshooting Netflow - Connect IT Community | Kaseya
<main> <article class="userContent">
<p><strong>QUESTION<br></strong>NetFlow does not work. How do I troubleshoot it?<br><br><strong>RESOLUTION</strong><br>In order for Traverse to collect NetFlow data, please ensure that:</p>
<ul>
<li>the flow source is configured in Traverse (section 'Configuring NetFlow Collectors' in the User Guide)</li>
<li>the device is configured to export flow records of the flow type specified in the previous step to the DGE or DGE extension (DGEx) (section 'Enabling Export of Flow Records' in the User Guide)</li>
<li>flow data is arriving at the DGE/DGEx on the correct port from the IP address of the device as provisioned in Traverse (Wireshark may be used to confirm this)</li>
<li>the Windows Firewall on the DGE/DGEx is not blocking or discarding the flow data packets</li>
</ul>
<p>Should there be an issue with a NetFlow report in Traverse, kindly follow the steps below.</p>
<p><strong>Review the NetFlow configuration</strong></p>
<p>Log in as superuser, navigate to 'Superuser->Global Config->Netflow Collector' and click on the appropriate Update link. Review the source data and ensure it matches the configuration on the router. A few things to keep in mind:</p>
<ul>
<li>The 'Accept from IP Address' is typically the IP address of the device as configured in Traverse.</li>
<li>For netflow-v9, the flow source device must be configured to export a template record periodically. If the interval is set to 2 minutes, it will take 2 minutes to begin saving flow data after any restart of the flow collector (Traverse DGE/DGEx) or the flow source (the network device).</li>
<li>The field 'Local Network(s) in CIDR notation' must contain one or more entries, each entry on a separate line. Do not leave it empty.</li>
</ul>
<p><strong>Starting and stopping NetFlow Related Components</strong></p>
<p><strong>Are multiple instances of the NetFlow Collector running?</strong></p>
<p>Typically, the Traverse Service Controller (TSC) is used to stop/start the Flow Analysis Engine and the Simple NetFlow Collector. This in turn stops the Traverse Flow Analysis Engine and Traverse Simple NetFlow Collector Windows services respectively. Stopping the Simple NetFlow Collector Windows service should in turn end the rwflowpack.exe process (the one listening on port 2055).</p>
<p>On occasion, the Simple NetFlow Collector Windows service may stop, but the rwflowpack process may not. If this happens and you attempt to start the Simple NetFlow Collector from TSC, the following log entries (with debug level) would be observed in %TRAVERSE_HOME%\apps\silk\logs\rwflowpack-20090817.txt:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[6388]: Forked child 1932. Parent exiting
Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Failed to bind address: Address already in use
Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Could not create PDU Reader for 'S0' on 0.0.0.0:2055
Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Unable to start flow processor #1 for PDU Reader
Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Unable to start flow processor
Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Stopped logging.</pre>
<p>The resolution is to kill the rwflowpack process from the Windows Task Manager and then start the Simple NetFlow Collector from the TSC.</p>
<p><strong>Ensure Firewall And/Or Anti-Virus software is turned off</strong></p>
<p>Any Firewall/Anti-Virus software must allow incoming UDP packets on the configured port (e.g. 2055) from the router. Either configure the Firewall/Anti-Virus software to permit the UDP traffic on the appropriate port or, for troubleshooting purposes, turn the Firewall/Anti-Virus software off altogether.</p>
<p><strong>Is Traverse receiving NetFlow data?</strong></p>
<p>Under %TRAVERSE_HOME%\apps\silk\data, some or all of the following directories may be present:</p>
<ul><li>ext2ext</li> <li>in</li> <li>int2int</li> <li>inweb</li> <li>out</li> <li>outweb</li></ul>
<p>Under each of these, you should see a hierarchy by year, month and day, such as %TRAVERSE_HOME%\apps\silk\data\ext2ext\2009\08\17. At the innermost level, you should see files such as:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">ext2ext-S0_20090817.20
ext2ext-S0_20090817.21</pre>
<p>If none of the directories/files listed above are present, Traverse is not saving flow data from the router. In that case, please revisit and ensure that the configuration on Traverse and on the router is correct.</p>
<p><strong>Is Traverse listening on the configured port?</strong></p>
<p>To ensure that the Traverse DGE is listening on the correct port (2055, typically), run the following command from the command line. The expected output is also shown below.</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">%TRAVERSE_HOME%\apps\silk\sbin>netstat -ano | findstr 2055
  UDP    0.0.0.0:2055    *:*    8040</pre>
<p><strong>To collect diagnostic information for Traverse Support:</strong></p>
<ul><li>Enable verbose logging within the flow data extraction script on the Traverse server running the Flow Collector (DGE or DGEx) by removing any leading '#' characters from before the 'DEBUG' flag in '%TRAVERSE_HOME%\plugin\monitors\silk-topn.conf':</li></ul>
<pre class="code codeBlock" spellcheck="false" tabindex="0">$DEBUG = 1;</pre>
<ul><li>Note the 'rwfilter' command in %TRAVERSE_HOME%\logs\silk-topn.log that extracts the data for presentation on the report. For example:</li></ul>
<pre class="code codeBlock" spellcheck="false" tabindex="0">C:\Program Files (x86)\Traverse\logs>tail -f silk-topn.log
DEBUG: verified 'silk' directory at C:\Program Files (x86)\Traverse/apps/silk/bin
Fri Feb 6 18:58:37 2015 [silk-topn]: (DEBUG) verified 'silk' directory at C:\Program Files (x86)\Traverse/apps/silk/bin
DEBUG: request: TOPN C:\Windows\temp\TOPNa04744 10.10.12.253:__all__:__all__ __all__ __all__ __all__ __all__ __all__ 20150207005832 20150207025832 top 10 bytes client
Fri Feb 6 18:58:37 2015 [silk-topn]: (DEBUG) request: TOPN C:\Windows\temp\TOPNa04744 10.10.12.253:__all__:__all__ __all__ __all__ __all__ __all__ __all__ 20150207005832 20150207025832 top 10 bytes client
DEBUG: loading map of sensor id to ip address
Fri Feb 6 18:58:37 2015 [silk-topn]: (DEBUG) loading map of sensor id to ip address
DEBUG: sensor #0 => 10.10.12.253
Fri Feb 6 18:58:37 2015 [silk-topn]: (DEBUG) sensor #0 => 10.10.12.253
DEBUG: source ip = __all__
Fri Feb 6 18:58:37 2015 [silk-topn]: (DEBUG) source ip = __all__
DEBUG: requesting information from silk ...
Fri Feb 6 18:58:37 2015 [silk-topn]: (DEBUG) requesting information from silk ...
DEBUG: running command: "C:\Program Files (x86)\Traverse/apps/silk/bin\rwfilter" --data-rootdir=/tvsilk/data --not-any-addr=0.0.0.0 --type=all --threads=4 --compression-method=none --pass=stdout --ip-version=4 --sensor=S10.10.12.253 --proto=6,17 --start-date=2015/02/07:00 --end-date=2015/02/07:02 2>C:\Windows\temp\TOPNa04744.rwf | "C:\Program Files (x86)\Traverse/apps/silk/bin\rwstats" --output-path=C:\Windows\temp\TOPNa04744.tmp --no-titles --no-columns --top --bytes --count=10 --fields=dIP
Fri Feb 6 18:58:37 2015 [silk-topn]: (DEBUG) running command: "C:\Program Files (x86)\Traverse/apps/silk/bin\rwfilter" --data-rootdir=/tvsilk/data --not-any-addr=0.0.0.0 --type=all --threads=4 --compression-method=none --pass=stdout --ip-version=4 --sensor=S10.10.12.253 --proto=6,17 --start-date=2015/02/07:00 --end-date=2015/02/07:02 2>C:\Windows\temp\TOPNa04744.rwf | "C:\Program Files (x86)\Traverse/apps/silk/bin\rwstats" --output-path=C:\Windows\temp\TOPNa04744.tmp --no-titles --no-columns --top --bytes --count=10 --fields=dIP
DEBUG: return code: 1
Fri Feb 6 18:58:38 2015 [silk-topn]: (DEBUG) return code: 1</pre>
<ul><li>Attach a copy of 'silk-topn.log' to your ticket for analysis.</li></ul>
<p><strong><br>APPLIES TO<br></strong>All Traverse versions<br><br><strong>REFERENCE</strong><br>-</p>
</article> </main>
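Two of the checks in the article can be scripted for a DGE/DGEx health check: spotting the rwflowpack "Address already in use" signature that means an orphaned rwflowpack.exe still owns the collector port, and confirming that fresh hourly files are appearing under apps\silk\data. The following Python is an added example, not code from the Kaseya article or from Traverse; it assumes the file-naming pattern shown above (<type>-<sensor>_<YYYYMMDD>.<HH>) and builds a constructed sample tree in a temporary directory.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

FLOW_TYPES = ("ext2ext", "in", "int2int", "inweb", "out", "outweb")  # under apps\silk\data
# Hourly flow files are named <type>-<sensor>_<YYYYMMDD>.<HH>, e.g. ext2ext-S0_20090817.20
FILE_RE = re.compile(r"^([a-z0-9]+)-S\d+_(\d{8})\.(\d{2})$")
# Log signature of an orphaned rwflowpack.exe still holding the collector port
BIND_ERROR = "Failed to bind address: Address already in use"
# Constructed sample: the first three rwflowpack log lines quoted in the article
SAMPLE_LOG = [
    "Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[6388]: Forked child 1932. Parent exiting",
    "Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Failed to bind address: Address already in use",
    "Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Could not create PDU Reader for 'S0' on 0.0.0.0:2055",
]

def latest_flow_file(traverse_home):
    """Return (path, hour) of the newest hourly flow file under apps/silk/data, or None."""
    newest = None
    for flow_type in FLOW_TYPES:
        type_dir = os.path.join(traverse_home, "apps", "silk", "data", flow_type)
        for dirpath, _dirs, files in os.walk(type_dir):  # yields nothing if absent
            for name in files:
                m = FILE_RE.match(name)
                if not m or m.group(1) != flow_type:
                    continue  # ignore temp files and files of another flow type
                stamp = datetime.strptime(m.group(2) + m.group(3), "%Y%m%d%H")
                if newest is None or stamp > newest[1]:
                    newest = (os.path.join(dirpath, name), stamp)
    return newest

def flow_data_is_fresh(traverse_home, now, max_age_hours=2):
    """True when the newest flow file is at most max_age_hours older than `now`."""
    newest = latest_flow_file(traverse_home)
    return newest is not None and now - newest[1] <= timedelta(hours=max_age_hours)

def orphaned_collector_pids(log_lines):
    """PIDs of rwflowpack children that failed to bind: something still owns UDP 2055."""
    hits = (re.search(r"rwflowpack\[(\d+)\].*" + re.escape(BIND_ERROR), l) for l in log_lines)
    return [int(m.group(1)) for m in hits if m]

def build_sample_tree():
    """Constructed sample: the ext2ext/2009/08/17 hierarchy from the article, in a temp dir."""
    root = tempfile.mkdtemp()
    day_dir = os.path.join(root, "apps", "silk", "data", "ext2ext", "2009", "08", "17")
    os.makedirs(day_dir)
    for name in ("ext2ext-S0_20090817.20", "ext2ext-S0_20090817.21"):
        open(os.path.join(day_dir, name), "w").close()
    return root
```

On a real DGE, pass %TRAVERSE_HOME% and the current time instead of the sample tree; a stale or missing newest file points back to the router export or firewall checks above, while any PID returned from the rwflowpack log points to the orphaned-process fix.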