Troubleshooting Netflow - Connect IT Community

/* * These styles apply ONLY to the header and footer assets. */ * { padding: 0; margin: 0; box-sizing: border-box; } .super-nav { display: flex; justify-content: flex-end; align-items: center; margin: 0 auto; max-width: 1264px; padding-left: 40px; padding-right: 40px; height: 40px; text-align: right; } .super-nav a { color: #34427c; margin-right: 20px; padding: 10px; text-decoration: none; } .super-nav a:hover, .super-nav a:focus { background-color: #f7f9fa; } .footer { background: #f5f5f6; color: #555a62; font-size: 14px; line-height: 1.5; padding: 0; } .footer-image { background-image: url("/themes/kaseya/assets/images/footerImage.png"); height: 500px; background-repeat: no-repeat; background-size: cover; margin-top: -100px; } .footer-wrap { padding-left: 18px; padding-right: 18px; max-width: 1236px; margin: 0 auto; } .footer-main-content { background-color: #000; padding: 100px 0; } .footer .footer-col-title { color: #ffffff; font-weight: 700; font-size: 13px; padding-bottom: 10px; text-transform: uppercase; } .footer .footer-link { color: #9b9ca0; text-decoration: none; } .footer .footer-link:hover, .footer .footer-link:focus, .footer .footer-link:active { text-decoration: underline; } .footer-main-content .footer-link { padding-top: 10px; } .footer-row { display: flex; flex-wrap: wrap; justify-content: space-between; align-items: center; margin: -3px; } .footer-main-content-row { align-items: flex-start; } .footer-bottom-content { padding: 10px; align-items: center; } .footer-col { padding: 0 3px; display: flex; flex-direction: column; } .footer-col-copyRight { justify-content: flex-start; color: #9b9ca0; flex: 1; display: flex; } .footer-last-col { flex-direction: row; } .footer-last-col .footer-link { padding-right: 10px; text-transform: uppercase; } @media screen and (max-width: 768px) { .super-nav { padding-right: 0; } .footer-image { height: 250px; } .footer-main-content { padding: 40px 0; } .footer .footer-col-title { padding-top: 10px; } .footer-row:not(.footer-main-content-row) { display: block; } .footer-col:not(.footer-main-content-col) { width: 100%; text-align: center; padding: 10px 0; } .footer-main-content-col { width: 50%; } .footer-last-col { flex-direction: column; } .footer-last-col .footer-link { padding-bottom: 10px; } } /*# sourceMappingURL=styles.css.map */ Ask the Community Groups

Troubleshooting Netflow - Connect IT Community | Kaseya

QUESTION
Netflow does not work. How do I troubleshoot?

RESOLUTION
In order for Traverse to collect NetFlow data, please ensure that:

the flow source is configured in Traverse (section 'Configuring NetFlow Collectors' in the User Guide)
the device is configured to export flow records to the DGE/DGE extension of the flow type specified in the previous step (section 'Enabling Export of Flow Records' in the User Guide)
flow data is arriving at the DGE/DGEx on the correct port from the IP address of the device as provisioned in Traverse (Wireshark may be used for this purpose)
the Windows Firewall on the DGE/DGEx is not blocking/discarding the flow data packets

Should there be an issue with a Netflow report in Traverse, kindly follow the steps below.

Review the Netflow configuration

Log in as superuser and navigate to 'Superuser->Global Config->Netflow Collector' and click on the appropriate Update link. Review the source data and ensure it matches with the configuration on the router. A few things to keep in mind:

* The 'Accept from IP Address' is typically the IP address of the device as configured in Traverse.

* For netflow-v9, the flow source device must be configured to export template a template record periodically. If the interval is set to 2 minutes, then it will require 2 minutes to begin saving flow data after any restart of the flow collector (Traverse DGE/DGEx) or the flow source (the network device).

* The field 'Local Network(s) in CIDR notation' must contain one or more entries, each entry on a separate line. Do not leave empty.

Starting and stopping NetFlow Related Components

Are multiple instances of the NetFlow Collector running?

Typically, the Traverse Service Controller (TSC) is used to stop/start the Flow Analysis Engine and the Simple NetFlow Collector. This in turn stops the Traverse Flow Analysis Engine and Traverse Simple NetFlow Collector Windows services respectively. Stopping the Simple NetFlow Collector Windows service should in turn end the rwflowpack.exe process (the one listening on port 2055).

On occasion, the Simple NetFlow Collector Windows service may stop, but rwflowpack process may not. If this happens and you attempt to start the Simple NetFlow Collector from TSC, the following log entries (with debug level) would be observed in %TRAVERSE_HOME%\apps\silk\logs\rwflowpack-20090817.txt:

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[6388]: Forked child 1932. Parent exiting

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Failed to bind address: Address already in use

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Could not create PDU Reader for 'S0' on 0.0.0.0:2055

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Unable to start flow processor #1 for PDU Reader

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Unable to start flow processor

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Stopped logging.

The resolution is to kill the rwflowpack process from the Windows Task Manager and then start the Simple NetFlow Collector from the TSC.

Ensure Firewall And/Or Anti-Virus software is turned off

Any Firewall/Anti-Virus software must allow incoming UDP packets on the configured port (e.g. 2055) from the router. Either configure the Firewall/Anti-Virus software to permit the UDP traffic on the appropriate port. For troubleshooting purposes, you may turn off the Firewall/Anti-Virus software altogether.

Is Traverse receiving NetFlow data?

Under %TRAVERSE_HOME%\apps\silk\data, some or all of the following directories may be present:

ext2ext

int2int

inweb

out

outweb

Under each of these, you should see a hierarchy by year, month and day, such as: %TRAVERSE_HOME%\apps\silk\data\ext2ext\2009\08\17

At the innermost level, you should see files such as

ext2ext-S0_20090817.20

ext2ext-S0_20090817.21

If none of the directories/files listed above are present, it would indicate that Traverse is not saving flow data from the router. In that case, please revisit and ensure that the configuration on Traverse and on the router is correct.

Is Traverse listening on the configured port?

To ensure that the Traverse DGE is listening on the correct port (2055, typically), run the following command from the command line. The resulting output also is shown below.

%TRAVERSE_HOME%\apps\silk\sbin>netstat -ano | findstr 2055

UDP 0.0.0.0:2055 *:* 8040

To collect diagnostic information for Traverse Support:

Enable verbose logging within the flow data extraction script on the Traverse server running the Flow Collector (DGE or DGEx) by removing any leading '#' characters from before the 'DEBUG' flag in 'TRAVERSE_HOME\plugin\monitors\silk-topn.conf':

$DEBUG = 1;

Note the 'rwfilter' command in TRAVERSE_HOME\logs\silk-topn.log that extracts the data for presentation on the report. For example;

C:\Program Files (x86)\Traverse\logs>tail -f silk-topn.log
DEBUG: verified 'silk' directory at C:\Program Files (x86)\Traverse/apps/silk/bin
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) verified 'silk' directory at C:\Program Files (x86)\Traverse/apps/silk/bin
DEBUG: request: TOPN C:\Windows\temp\TOPNa04744 10.10.12.253:__all__:__all__ __all__ __all__ __all__ __all__ __all__ 20150207005832 20150207
025832 top 10 bytes client
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) request: TOPN C:\Windows\temp\TOPNa04744 10.10.12.253:__all__:__all__ __all__ __all__ __all__
__all__ __all__ 20150207005832 20150207025832 top 10 bytes client
DEBUG: loading map of sensor id to ip address
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) loading map of sensor id to ip address
DEBUG:  sensor #0 => 10.10.12.253
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG)   sensor #0 => 10.10.12.253
DEBUG: source ip = __all__
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) source ip = __all__
DEBUG: requesting information from silk ...
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) requesting information from silk ...
DEBUG: running command: "C:\Program Files (x86)\Traverse/apps/silk/bin\rwfilter"  --data-rootdir=/tvsilk/data --not-any-addr=0.0.0.0 --type=
all --threads=4 --compression-method=none --pass=stdout --ip-version=4 --sensor=S10.10.12.253 --proto=6,17 --start-date=2015/02/07:00 --end-
date=2015/02/07:02 2>C:\Windows\temp\TOPNa04744.rwf | "C:\Program Files (x86)\Traverse/apps/silk/bin\rwstats" --output-path=C:\Windows\temp\
TOPNa04744.tmp --no-titles --no-columns --top --bytes --count=10 --fields=dIP
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) running command: "C:\Program Files (x86)\Traverse/apps/silk/bin\rwfilter"  --data-rootdir=/tvs
ilk/data --not-any-addr=0.0.0.0 --type=all --threads=4 --compression-method=none --pass=stdout --ip-version=4 --sensor=S10.10.12.253 --proto
=6,17 --start-date=2015/02/07:00 --end-date=2015/02/07:02 2>C:\Windows\temp\TOPNa04744.rwf | "C:\Program Files (x86)\Traverse/apps/silk/bin\
rwstats" --output-path=C:\Windows\temp\TOPNa04744.tmp --no-titles --no-columns --top --bytes --count=10 --fields=dIP
DEBUG: return code: 1
Fri Feb  6 18:58:38 2015 [silk-topn]: (DEBUG) return code: 1

Attach a copy of 'silk-topn.log' to your ticket for analysis

APPLIES TO
All Traverse versions

REFERENCE
-