Netflow across a WAN


  • Netflow across a WAN

    Hi all, I'm having issues with netflow and can't find any solutions so I'm calling out for help. I have several Cisco 2811s in place at my home office and satellite offices. They will output the netflow information to a local server but I can't seem to receive the data on a centralized server. The 2811s say that the data is being sent but the server at my home office doesn't show any flow packets except from the local 2811. Are there any debugs I can turn on on the home 2811 to monitor flow packets from the satellite offices? Thanks for any help you can provide, PCTechG

  • #2
    Re: Netflow across a WAN

    How are the satellite offices connected to your home office? What port are you exporting Netflow to?

    It's likely that you'll need to set up port forwarding on your home firewall to allow incoming Netflow data from the satellite offices to reach your server. You'll also need to configure the satellite offices' switches to export Netflow to the public IP address that's NAT'ed to your home server.



    • #3
      Re: Netflow across a WAN

      Joe,
      The satellite offices are connected via IPsec VPN tunnels.
      I am exporting the Netflow to port 9996, which is the default, I believe.
      I have connectivity from the inside interface of the satellite 2811s to the home Netflow server, so would I still need to export to the public IP address?

      G



      • #4
        Re: Netflow across a WAN

        Thanks for clarifying. As it stands you probably don't need to do anything with NAT'ing or firewall rules if the offices are connected via VPN. Can you ping the private IP address of the server from the switch and vice versa?

        One thing you can do is to put a packet sniffer on the server and see if it sees any incoming traffic from the satellite switches. If it doesn't then move the packet sniffer upstream and try again. To do this you can temporarily put a workstation and the internal interface of the firewall on a hub and sniff for the incoming Netflow traffic there. If you don't see it then try putting a sniffer on the sending side and see if it's getting to the sending firewall.



        • #5
          Re: Netflow across a WAN

          Joe,
          Pinging works fine. It's just the Netflow information that doesn't make it to the server. I've run Wireshark and can't see the packets, so I'm thinking that there's a config problem on the home 2811 that I can't find. The satellite 2811 says it's sending out the packets, but I don't see how I could sniff that as it would be encrypted.

          Thanks,
          G



          • #6
            Re: Netflow across a WAN

            A couple of things:

            Assuming that the firewalls are the endpoints for the VPN connections, the Netflow traffic is only encrypted while it's in transit between the two networks. It's not encrypted before it enters the sending firewall, and it's decrypted as it exits the receiving firewall, so if you sniff on either of those two sides (sending/before or receiving/after) you should see the traffic.

            I'm a little confused as to why you think there's a problem with the home office 2811. The Netflow from the satellite office shouldn't be configured to go to the home office 2811; it should be configured to go to the server where your Netflow monitor is installed. If your server is receiving Netflow from the home office 2811, then the home office 2811 is OK. Make sure that the satellite office 2811 is configured to export Netflow to the IP address of the server.



            • #7
              Re: Netflow across a WAN

              Joe,
              I have Wireshark running on the inside interface and will see if I see any packets going through. I think the problem is a configuration issue on the home 2811 and was wondering if there was a way I could monitor from the router itself for Netflow packets.

              G



              • #8
                Re: Netflow across a WAN

                I'm not sure, but I don't think so. The Netflow traffic from the satellite office going to the home office will be encapsulated in the VPN tunnel. The only thing I can think of is to put a packet sniffer between the home office 2811 internal interface and the home office server. By doing that, you'll see any Netflow traffic that's come across the VPN from the satellite office destined for the home server. If you don't see any Netflow traffic exiting the home office router's internal interface then it's going to get a lot tougher to track down the problem as you can't see the traffic that's encapsulated inside the VPN tunnel (as far as I know).

                You might try to do some Googling to see if Wireshark or another packet capture program (Microsoft Network Monitor 3) can decrypt the traffic inside the VPN tunnel. If it can, you can put a packet sniffer connected to a hub on the outside interface of the 2811 at the home office and see if any Netflow traffic is coming across the WAN connection.

                The trick here is to start on one end (source or destination) and work your way to the other end until you find out where the Netflow traffic is.

                Also, double-check the Netflow configuration on the satellite office 2811 to make sure it's correct. Use the configuration on the home office 2811 as a reference. Just make sure to adjust any IP-related info to suit the satellite office 2811.

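                The checks suggested in #4 and #8 (sniff on the server first, then move toward the other end) come down to one question: which exporter source addresses are actually reaching the collector host? The script below is an added example, not code from this thread or from any vendor: it listens on the export port the thread uses (9996), decodes the NetFlow v5 header and records and the NetFlow v9 header (v9 records need templates, so only the header is decoded, which is still enough to prove an exporter is reachable), and tallies packets, flows and versions per exporter. The packets it ships with are constructed test data, and the exporter addresses (192.0.2.1, 198.51.100.1, 203.0.113.9) are placeholders, not addresses from the thread.

```python
"""Added example: a minimal NetFlow v5/v9 UDP listener that reports which
exporters are actually reaching the collector host. Not code from the thread."""
import socket
import struct
from collections import defaultdict

NETFLOW_PORT = 9996  # the default export port mentioned in the thread
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
V9_HEADER = struct.Struct("!HHIIII")                    # 20 bytes


def parse_netflow_packet(data: bytes) -> dict:
    """Decode one export packet. v5: header plus flow records.
    v9: header only (records are template-driven), enough to show the
    exporter is alive and to track its sequence numbers."""
    if len(data) < 2:
        raise ValueError("packet too short for a NetFlow header")
    version = struct.unpack("!H", data[:2])[0]
    if version == 5:
        if len(data) < V5_HEADER.size:
            raise ValueError("truncated NetFlow v5 header")
        _, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(data)
        records = []
        offset = V5_HEADER.size
        for _ in range(count):
            if offset + V5_RECORD.size > len(data):
                break  # truncated packet: keep the records we have
            f = V5_RECORD.unpack_from(data, offset)
            records.append({
                "src": socket.inet_ntoa(f[0]),   # srcaddr
                "dst": socket.inet_ntoa(f[1]),   # dstaddr
                "packets": f[5],                 # dPkts
                "bytes": f[6],                   # dOctets
                "sport": f[9],                   # srcport
                "dport": f[10],                  # dstport
                "proto": f[13],                  # prot
            })
            offset += V5_RECORD.size
        return {"version": 5, "count": count, "sequence": seq, "records": records}
    if version == 9:
        if len(data) < V9_HEADER.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, _, _, seq, source_id = V9_HEADER.unpack_from(data)
        return {"version": 9, "count": count, "sequence": seq,
                "source_id": source_id, "records": []}
    raise ValueError(f"unsupported NetFlow version {version}")


def summarize(packets) -> dict:
    """packets: iterable of (exporter_ip, payload). Returns per-exporter
    counts so the missing router stands out immediately."""
    stats = defaultdict(lambda: {"packets": 0, "flows": 0, "versions": set(), "bad": 0})
    for exporter, payload in packets:
        entry = stats[exporter]
        try:
            parsed = parse_netflow_packet(payload)
        except ValueError:
            entry["bad"] += 1  # something on that port, but not NetFlow
            continue
        entry["packets"] += 1
        entry["flows"] += parsed["count"]
        entry["versions"].add(parsed["version"])
    return dict(stats)


def build_v5_packet(records, sequence=1) -> bytes:
    """Construct a NetFlow v5 export packet (test data, not captured traffic).
    records: (src, dst, proto, sport, dport, pkts, octets) tuples."""
    header = V5_HEADER.pack(5, len(records), 1000, 1_700_000_000, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                       0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in records)
    return header + body


# Constructed sample input: one v5 exporter, one v9 exporter, one non-NetFlow sender.
SAMPLE_PACKETS = [
    ("192.0.2.1", build_v5_packet([("10.1.0.5", "10.0.0.10", 6, 51000, 443, 12, 3400),
                                   ("10.1.0.7", "10.0.0.10", 17, 5000, 53, 1, 80)])),
    ("198.51.100.1", V9_HEADER.pack(9, 0, 2000, 1_700_000_000, 7, 256)),
    ("203.0.113.9", b"\x00\x01garbage"),
]


def listen(port: int = NETFLOW_PORT) -> None:
    """Bind the collector port and print a running per-exporter summary.
    Run on the NetFlow server with the real collector stopped (port clash)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    seen = []
    while True:
        payload, (addr, _) = sock.recvfrom(65535)
        seen.append((addr, payload))
        print(addr, summarize(seen)[addr])


if __name__ == "__main__":
    for exporter, entry in summarize(SAMPLE_PACKETS).items():
        print(exporter, entry)
    # listen()  # uncomment on the server to watch live exports
```

                If the home office router shows up in the summary but the satellite routers never do, the loss is upstream of the server, and the next capture point is the inside of the VPN endpoint, where #6 notes the export traffic is still in clear text. A sender that appears only under "bad" is reaching the port but not speaking NetFlow, which points at a wrong export target or port on that router.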


                • #9
                  Re: Netflow across a WAN

                  Joe,
                  It's looking like I'm stuck. I don't see any way to look inside the VPN packets, and the configurations on both 2811s are the same. The Netflow packets are just not making it to the home network as far as I can tell.

                  Thanks,
                  G



                  • #10
                    Re: Netflow across a WAN

                    Look at answer number 4 on the following page, maybe it will help:

                    https://learningnetwork.cisco.com/thread/3843

                    And look here for clues:

                    http://thwack.com/forums/p/13287/54716.aspx

                    And here:

                    http://www.cisco.com/en/US/prod/coll...d804be1cc.html



                    • #11
                      Re: Netflow across a WAN

                      Joe,
                      Thanks for the links. Not sure why I couldn't find them earlier. That was exactly what the problem was. I've changed my satellite 2811s to Flexible NetFlow and everything is working.

                      Thanks for all your help,
                      G



                      • #12
                        Re: Netflow across a WAN

                        Awesome. Glad to help and glad you got it working.
