Channel: THWACK: Discussion List - NetFlow Traffic Analyzer
Viewing all 1535 articles

Netflow on Meraki

Hello!

 

We have some Meraki MX64 appliances in our network and wanted to monitor Netflow from these devices. However, we encountered some errors with regards to the V9 template, and found out the reason in the Meraki documentation below:

 

NetFlow Overview - Cisco Meraki

 

"SolarWinds NTA ignores Netflow packets that do not contain either an SNMP ingress or egress interface index. The MX and Z1 do not support exporting an SNMP ingress or egress interface index via NetFlow."

 

Is there currently a workaround for this? Is this being considered on the road map for NTA or are we at Meraki's mercy?

 

Thanks in advance.

 

Paulo
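
Added example (not part of the original post, and not SolarWinds or Meraki code): a minimal NetFlow v9 template parser that reports whether an exporter's template carries the SNMP interface-index fields the quoted Meraki documentation refers to. The function names and the sample packets are constructed for illustration; the field type numbers (INPUT_SNMP = 10, OUTPUT_SNMP = 14) and the packet layout come from RFC 3954.

```python
import struct

# Field type numbers from RFC 3954 (NetFlow v9).
INPUT_SNMP, OUTPUT_SNMP = 10, 14

def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} from a v9 export packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte v9 header")
    (version,) = struct.unpack_from("!H", packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9 (version=%d)" % version)
    templates, offset = {}, 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("flowset length runs past the packet")
        if flowset_id == 0:  # flowset ID 0 carries template records
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                if template_id < 256:  # template IDs start at 256; this is padding
                    break
                pos += 4
                if pos + 4 * field_count > end:
                    raise ValueError("template %d is truncated" % template_id)
                templates[template_id] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                          for i in range(field_count)]
                pos += 4 * field_count
        offset += length
    return templates

def interface_index_fields(fields):
    """Report which SNMP interface-index fields a template carries."""
    types = {ftype for ftype, _ in fields}
    return {"ingress": INPUT_SNMP in types, "egress": OUTPUT_SNMP in types}

def build_template_packet(template_id, fields):
    """Construct a sample v9 packet holding one template (test data, not a capture)."""
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    header = struct.pack("!HHIIII", 9, 1, 1000, 1600000000, 1, 0)
    return header + flowset

# Constructed samples: 5-tuple plus counters, with and without interface indexes.
BASE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
WITH_IFINDEX = build_template_packet(256, BASE + [(INPUT_SNMP, 2), (OUTPUT_SNMP, 2)])
WITHOUT_IFINDEX = build_template_packet(257, BASE)

if __name__ == "__main__":
    for pkt in (WITH_IFINDEX, WITHOUT_IFINDEX):
        for tid, fields in parse_v9_templates(pkt).items():
            print(tid, interface_index_fields(fields))
```

Feeding it the UDP payload of a template packet captured on the collector (port 2055 in the posts on this page) shows whether the exporter advertises either field before any troubleshooting on the collector side.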


The SolarWinds NetFlow Storage Service service terminated unexpectedly.

After migrating the NTA Flow database to a new, dedicated DB server, I am unable to get the NetFlow Storage Service to stay running. The service starts, but within a few seconds this error is generated.

 

"The SolarWinds NetFlow Storage Service service terminated unexpectedly.  It has done this X time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service."

 

I also see these errors in the FastBitServerService log file:

 

"ERROR SolarWinds.Netflow.FastBit.Server.Service.FastBitService - Error while starting service.

ICSharpCode.SharpZipLib.SharpZipBaseException: Unexpected EOF"

 

"ERROR SolarWinds.Netflow.FastBit.Server.Service.Program - NetFlowService will be abnormally terminated - UnhandledException was caught : ICSharpCode.SharpZipLib.SharpZipBaseException: Unexpected EOF"

 

"ERROR SolarWinds.Netflow.FastBit.Server.Service.Program - Unhandled exception: Message: Unexpected EOF"

 

If I change the location of the Flow database to an empty folder and let it create a blank DB, the service starts without issue.

 

I am running NTA version 4.0.2620.0, which is the same as the server I migrated from.

 

Thanks in advance for your help!

Exporting historical Netflow data to Excel - Is it possible?

I'm trying to export some historical Netflow traffic data in a way that will allow me to put it into Excel so I can graph it against some other, non-Orion data. Specifically, I'm trying to graph all traffic (preferably in bps) that went out a netflow-enabled interface over a specific TCP port over the last 24 hours.

 

For instance, if I wanted to get data on ALL traffic traversing an interface over time, I can go to the interface detail page and open the "average bps" interface chart, which brings me to a page like this:

 

swo_1.png

 

Which allows me to export that data to Excel, in 5 or 10 minute intervals. I can then easily paste that into an excel graph and compare it against my "number of connections over time" data.

 

I would really like to be able to do something like this for data that's sourced from Netflow graphs. Here is the graph I'm trying to get into Excel format:

 

swo_2.png

 

I've tried a number of ways of graphing this using the Web Reporting features, but so far nothing I've tried has given me the option to export my data to an Excel format. Is this possible, or am I out of luck?

IOS-XE Netflow Config to NTA?

Hi Everyone,

 

I'm having some trouble getting new Cisco 4331 routers sending netflow to NTA.  Can anyone take a look at my config and see if you see anything obviously wrong, or offer any tips/pointers?  These are outside edge Internet routers, with a management interface with VRF having a private IP.  The flow traffic should be coming from an inband interface, Gi0/0/01.10.  My firewalls are configured to allow UDP 2055 to flow from the outside source to a NAT to the NTA. 

 

Thanks.

 

EdgeRouter1#sh run | s flow
flow record ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
flow exporter NetFlow-to-Orion
 destination X.Y.Z.149
 source GigabitEthernet0/0/1.10
 transport udp 2055
flow monitor Orion-NetFlow-Monitor
 description Original Netflow captures
 exporter NetFlow-to-Orion
 cache timeout inactive 10
 cache timeout active 5
 record ipv4
 ip flow monitor Orion-NetFlow-Monitor input
 ip flow monitor Orion-NetFlow-Monitor input
 ip flow monitor Orion-NetFlow-Monitor input
alias exec shflow show flow mon name Orion-NetFlow-Monitor cache
EdgeRouter1#

EdgeRouter1#sh run | i interface|flow
interface GigabitEthernet0/0/0
 ip flow monitor Orion-NetFlow-Monitor input
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/1.10
 ip flow monitor Orion-NetFlow-Monitor input
interface GigabitEthernet0/0/1.192
 ip flow monitor Orion-NetFlow-Monitor input

 

EdgeRouter1#sh ver
Cisco IOS XE Software, Version 03.13.02.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 30-Jan-15 15:19 by mcpre

ROM: IOS-XE ROMMON

EdgeRouter1 uptime is 14 weeks, 5 days, 42 minutes
Uptime for this control processor is 14 weeks, 5 days, 43 minutes
System returned to ROM by reload
System restarted at 08:50:36 EDT Wed May 20 2015
System image file is "bootflash:/isr4300-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin"
Last reload reason: PowerOn

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

NTA 3.11 and SQL 2014 in compatibility mode SQL 2012

I'm running NTA 3.11 and my existing database is SQL 2008 R3.  Both will be upgraded to NTA 4.1 and SQL 2014, respectively.  I would like recommendations on the upgrade order.

 

The DBA team wants to upgrade my database to SQL 2014.  NTA 3.11 doesn't support SQL 2014, so they suggested installing SQL 2014 but running it in SQL 2012 compatibility mode.

 

1) Does NTA 3.11 support running SQL 2014 in SQL 2012 compatibility mode?

2) Should I upgrade NTA 3.11 to NTA 4.1 first, then upgrade SQL 2008 to SQL 2014 and not worry about compatibility modes?

SWQL queries - Where is InterfaceID?

I'm trying to run an SWQL query on Historical Netflow Flows in the form of:

 

 

SELECT
    [data].[ObservationTimestamp],
    [data].[Node].[NodeID] AS [NodeID],
    .... etc
FROM
    Orion.Netflow.Flows AS data

 

 

My question is, how can I specify an individual device interface as opposed to a node?

 

Nodes are:               [data].[Node].[NodeID]

Interfaces are:           what?

 

More generally, where can I find these tables or whatever they are? There is no "Netflow" table in the "Orion" database. Does this exist in the NTA database and is somehow just referenced by SWQL queries?

 

Bonus question: Is there documentation anywhere about how SWQL functions such as ToLocal() work?

NTA Track Streaming Video users

Hi guys,

I currently have the most recent version of NTA. We have some DVRs on our network. I would like to be able to track users who are streaming video from the DVR using NTA. Is this possible? Can someone please help me iron this out?

Thanks a lot.

Internet utilization reporting

Our IT Security team is asking for reporting on our current Internet utilization. They want to know SRC/DEST IP and port information for all outbound and inbound Internet traffic. Is there any way that I can generate a report from NTA to give me this data? I noticed that there is already a pre-defined report that gives Top 100 Conversations including Application. This is EXACTLY what I am looking for, but it only displays internal communication. How can I tune it to show Internet traffic?


Getting Started with NTA

Here is my initial ASR1004 Configuration for Netflow.

 

flow record SW-NTA
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match interface input
   match interface input snmp
   match interface output snmp
   collect interface output
   collect counter bytes
   collect counter packets

flow exporter Solarwinds-1
   description Export flows to Solarwinds NTA
   ! 10.10.10.58 is the Solarwinds server
   destination 10.10.10.58
   transport udp 2055

flow monitor FLOW-MONITOR-SW
   exporter Solarwinds-1
   cache timeout inactive 10
   cache timeout active 5
   record SW-NTA

interface GigabitEthernet0/0/0
   ip flow monitor FLOW-MONITOR-SW input
   ip flow monitor FLOW-MONITOR-SW output

 

 

On my Solarwinds Server - NTA Section

 

Netflow Source Box

Device and Interface have been selected.

 

 

Not sure where to go from here to start to receive flow information.  Still digging on community posts.

Install NTA APP Separated from NPM

Hi.

 

Can I install the NTA app on a standalone server, and the Flow Database on another? This is because I already have NPM + SAM on the same server with FoE licensed for only 2 products on the same server. What happens if I add NTA to this combo with the FoE licensing?

 

Thanks in advance

NetFlow Collector Services Receiver Status Down Collection Port 2055.

Running NetFlow Traffic Analyzer Version 3.0.  Noticed on the web page that Receiver Status is down.

Is this referring to the service "SolarWinds NetFlow Service"?  Or is receiver referring to something else?
The SolarWinds NetFlow Service is running, not sure how to enable Receiver...

Thanks!

Netflow alerts?

I would like to create an alert on netflow data when traffic to specific countries is detected.

 

Is this currently possible in any version of NTA?

Can you monitor Nexus 9K using NTA

Is it possible to monitor traffic with NTA on a Cisco Nexus 9000?  I've found info on a Cisco forum which states NetFlow is not supported.  Is there any workaround for this type of device?

Here's some info about my device...

9372-100# sh ver
Cisco Nexus Operating System (NX-OS) Software

Software
  BIOS: version 07.17
  NXOS: version 6.1(2)I3(3a)
  NXOS image file is: bootflash:///n9000-dk9.6.1.2.I3.3a.bin

Hardware
  cisco Nexus9000 C9372PX chassis
  Intel(R) Core(TM) i3-3227U C with 16402544 kB of memory.
  Processor Board ID SAL19089Z7N

plugin
  Core Plugin, Ethernet Plugin

Netflow configuration - ingress vs egress

So, I've tried to wade through the documentation on cisco.com and SolarWinds but could use some help figuring out how to set up NetFlow v9 for my monitoring needs. I'm particularly interested in the pros and cons of ingress vs egress capturing, or whether I should do both. I have two main data center locations and 7 branch locations that talk over MPLS WAN. The previous admin had it set up with "ip flow ingress" on the LAN ports (including subinterfaces) of the Cisco routers, with nothing on the WAN interfaces. Wouldn't it make more sense to collect both directions (ip flow ingress and ip flow egress) on the WAN interface since, as I read it, it is after WAAS (WAN compression)?

 

Any reason this is a bad idea?

It makes sense to capture both ingress and egress, right?

 

I appreciate any input or expertise.

Flexible netflow from L2 (unrouted) VLAN

Is it possible to configure flexible netflow (Catalyst 6509, sup32) getting data from unrouted VLAN?

 

(I bet there's a command line for that, but as usual, Cisco manuals are not explaining commands in the best possible way. As usual, if you know the command and read the explanation after that, it seems very clear...)

 

My configuration:


flow record SETTINGS
 match datalink vlan input
 match ipv4 version
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect interface output
 collect counter bytes
 collect counter packets
!
!
flow exporter EXPORT1
 destination 192.168.77.77
 source Vlan1
 transport udp 9996
 template data timeout 60
!
!
flow monitor MONITOR1
 record SETTINGS
 exporter EXPORT1
 cache timeout active 1


Netflow Nexus 7k showing up with inaccurate utilization!

Hi Thwack,

 

Has anyone experienced an issue within NTA where the flow is represented at a much lower value because we are only capturing 1-100 of a sample? As per our Network Guru, we are not able to do 1-1 sampling as the CPU will be overtaxed. We are currently only sampling Layer 3 traffic. Before adding additional VLANs, I would like to know if there is a way to possibly change the value in NTA to represent the actual utilization, or config changes I can make. For example, we show 6.0kbps but this is actually 600Mbs of traffic.

 

Flow exporter NetFlow-Orion:
    Destination: (orion poller..)
    VRF: management (1)
    Destination UDP Port 2055
    Source Interface mgmt0 (mgmt ip)
    Export Version 9
        Data template timeout 60 seconds
    Exporter Statistics
        Number of Flow Records Exported 121193
        Number of Templates Exported 921
        Number of Export Packets Sent 6645
        Number of Export Bytes Sent 6491100
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 0
        Time statistics were last cleared: Fri Nov 27 16:45:39 2015

Flow record netflow-original:
    Description: Traditional IPv4 input NetFlow with origin ASs
    No. of users: 1
    Template ID: 256
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last

# sh run | i flow
feature netflow
flow timeout 30
flow timeout active 60
flow timeout inactive 30
flow exporter NetFlow-Orion
flow exporter MK-PRTG
sampler netflow-v9
flow monitor flowmon-v9
  record netflow-original
  ip flow monitor flowmon-v9 input sampler netflow-v9

 

Thank you

Cisco 2960 Switch

Hi Guys,

 

I am working to propose a network monitoring solution for the company. I had chosen SolarWinds NTA and NPM and configured them on one of the servers. But since the devices here on our premises were non-NetFlow devices, I was not getting the results I was expecting. So I used nprobe, a third-party tool, to fetch information, which ended up as a failure. Our company has decided to buy a new switch for NetFlow that is within the budget and serves the purpose. Could someone help me to validate the compatibility of the Cisco 2960 switch with SolarWinds? I read it provides netflow-lite reporting and netflow-lite is supported in SolarWinds NTA. Any help in this matter is appreciated.

 

Kind Regards,

Gaurav

L3 Netflow from Nexus

I am trying to get Layer 3 NetFlow working from a Nexus 7706 running 6.2(10). I have tried using version 9, specifying a source interface, and creating a custom flow recorder, and nothing seems to work. My configurations are as follows. Thank you.

 

flow timeout active 60
flow exporter Netflow-Exporter-Prod
  description Production-Netflow-Exporter
  destination {NTA IP Address}
  transport udp 2055
  version 5
ip sla responder
sampler NF-Sampler-Prod
  description Netflow-Prod-Sampler
  mode 1 out-of 1000
flow monitor Netflow-Monitor-Prod
  description Use Predefined "Original-Netflow-Record"
  record netflow-original
  exporter Netflow-Exporter-Prod

interface Vlan918
  ip flow monitor Netflow-Monitor-Prod input sampler NF-Sampler-Prod
  ip address IP Address/30
  ip directed-broadcast WOL
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 7 03405803565F0D
  ip router ospf 1 area 0.0.0.100
  ip pim sparse-mode
  description AS-P2P to CC106-MDF-sw01
  no shutdown

Bulk add SNMPv3 nodes in NetFlow analyzer

I have about 150 Cisco routers.

 

I plan to push out the same SNMPv3 config (authentication and encryption) to all the routers with the same credentials.

 

I added one router to the NetFlow analyzer manually with my SNMPv3 config and it works great. Now how can I iterate through a list of IPs of all 49 routers and script/automate adding them with the following settings (which will be the same for each router):

 

SNMP Version: SNMPv3

SNMPv3 Username: mysnmpv3user

SNMPv3 Authentication: SHA1, Password <my password>

SNMPv3 Privacy / Encryption: AES256, Password <my password>

 

Collect Statistics Every: 7 minutes

Poll for Topology Data Every: 5 minutes

 

Does SolarWinds have a scriptable API I can access to accomplish this?

Checkpoint Netflow only reporting external interface

I have my Gaia based checkpoint firewall sending netflow data to NTA just fine - but it seems it's only sending my Hide NAT address and no internal IP data. Is that something I misconfigured, can fix, can otherwise address? I would like to see network top talkers, etc but can only get to my public IP level which isn't all that helpful. Thanks!!
