Problem with Netflow Cisco ASR 1001-x


(Cleyton) #1

Good morning gentlemen,
I have a Cisco ASR 1001-x and am having problems with Netflow in any version. Cisco is spitting netflow correctly but Graylog’s Input Netflow for some reason is not able to “read” the information.

I have another Cisco 3945 and with it I can have the Netflow information without any problem. Does anyone know what might be happening?


(Jochen) #2

Hard to say without any details.

Are there any error messages in the logs of your Graylog node(s)?
:arrow_right: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

Which exact version of NetFlow is the Cisco appliance using?


(Cleyton) #3

I already checked it out and there is nothing about that in the logs.

I’m using netflowv5 at this point, but I have already tried with v9 as well.

The model of my router is Cisco ASR 1001-x


(Jochen) #4

Are you sure that the NetFlow packets from your Cisco router are reaching Graylog?
You can check that with Wireshark or tcpdump.


(Cleyton) #5

Good morning. Yes, they are coming to my Graylog. I verified with tcpdump.
I have another Cisco router (3945) trusted with netflowv9 and I perfectly hear the packets on port 2055 of Graylog.
It seems to me something specific to Graylog’s input to the netflow of this Cisco ASR1001-x router model.
Has anyone ever questioned you regarding the netflow reception of this Cisco model?

09:24:27.979091 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 984
09:24:28.978853 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 984
09:24:29.979361 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1368
09:24:30.979763 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1032
09:24:31.980308 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1320
09:24:32.980778 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1080
09:24:33.981258 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 840
09:24:34.981547 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1368
09:24:35.982040 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1272
09:24:36.982347 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 936
09:24:37.982637 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 984
09:24:38.983030 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1176
09:24:39.983626 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1368
09:24:39.983665 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 408
09:24:40.983910 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1080
09:24:41.984486 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1320
09:24:42.984964 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1368
09:24:43.985440 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1176
09:24:44.985952 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1176
09:24:45.986619 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1368
09:24:45.986644 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 264
09:24:46.987045 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1128
09:24:47.987450 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1032
09:24:48.988036 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1320
09:24:49.988518 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1224
09:24:50.988887 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1032
09:24:51.989151 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1032
09:24:52.989693 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1080
09:24:53.990246 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1368
09:24:53.990269 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 72
09:24:54.990709 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1272
09:24:55.991237 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1224
09:24:56.991688 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1128
09:24:57.992092 IP 187.32.123.201.54843 > 10.10.10.34.2055: UDP, length 1176


(Jochen) #6

Feel free to look into the issues on GitHub at https://github.com/Graylog2/graylog-plugin-netflow/issues?q=is:issue

If you decide to file a bug report, make sure to include a reasonably large recording (as pcap file) of the actual Netflow packets.


(Cleyton) #7

These are my settings for netflow on the Cisco ASR 1001-x router, if someone who uses netflow on this type of router can help me see if everything is ok. By tcpdump I can see the traffic being exported but in Graylog nothing is read in the Input NETFLOW UDP port 2055. If anyone has this router running netflow with Graylog, please report here. Thank you.

flow record RECORDER-1:
Description: User defined
No. of users: 1
Total field space: 4 bytes
Fields:
match ipv4 destination address

RTAUS01#sh flow exporter
Flow Exporter EXPORTER-1:
Description: User defined
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: xx.xx.xx.xx
Source IP address: xxx.xxx.xxx.xxx
Transport Protocol: UDP
Destination Port: 2055
Source Port: 49612
DSCP: 0x1
TTL: 15
Output Features: Used
Export template data timeout: 120

RTAUS01#sh flow monitor
Flow Monitor MONITOR-1:
Description: User defined
Flow Record: RECORDER-1
Flow Exporter: EXPORTER-1
Cache:
Type: normal (Platform cache)
Status: allocated
Size: 200000 entries
Inactive Timeout: 15 secs
Active Timeout: 1800 secs
Trans end aging: off

RTAUS01#sh flow record RECORDER-1
flow record RECORDER-1:
Description: User defined
No. of users: 1
Total field space: 4 bytes
Fields:
match ipv4 destination address
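The exporter output above shows two things a collector depends on: the export format is NetFlow v9 (template-based, with templates re-sent every 120 seconds per "Export template data timeout"), and the flow record carries exactly one field, the IPv4 destination address (4 bytes). The following parser is an added example, not code from Graylog or from anyone in this thread; it shows how a v9 collector must first receive the template before it can decode any data records, and what a decoded record from this particular flow record looks like. The packets are constructed inline (field type 12 = IPV4_DST_ADDR per RFC 3954); the byte layout follows RFC 3954, and the `count` header value is supplied explicitly rather than derived.

```python
import struct
import ipaddress

# NetFlow v9 field type numbers (RFC 3954, section 8) this example knows how to name.
FIELD_NAMES = {8: "ipv4_src_addr", 12: "ipv4_dst_addr", 7: "l4_src_port",
               11: "l4_dst_port", 1: "in_bytes", 2: "in_pkts"}


def netflow_version(payload):
    """Every NetFlow export packet starts with a 2-byte version (5, 9, ...)."""
    return struct.unpack("!H", payload[:2])[0]


def _decode_field(ftype, raw):
    """Dotted IPv4 for address fields, big-endian integer for everything else."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(payload, templates):
    """Parse one v9 export packet.

    `templates` is a dict {(source_id, template_id): [(field_type, length), ...]}
    that the caller keeps across packets: a data flowset can only be decoded if
    its template was seen earlier (or earlier in the same packet).
    Returns (records, undecodable): decoded records, plus the ids of data
    flowsets that had to be skipped because no template was known yet.
    """
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", payload[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={version})")
    records, undecodable = [], []
    off = 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
        if fs_len < 4:
            raise ValueError("flowset length too small")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:
            # Template flowset: one or more (template_id, field_count, fields...) entries.
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id == 1:
            pass  # options template: not needed for this example
        elif fs_id >= 256:
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                undecodable.append(fs_id)  # data without a template cannot be decoded
            else:
                rec_len = sum(length for _, length in tmpl)
                p = 0
                # Trailing bytes shorter than one record are flowset padding.
                while p + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in tmpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += fs_len
    return records, undecodable


# Helpers that build constructed test packets (sample data, not captured traffic).
def build_v9_packet(flowsets, count, seq=1, source_id=0):
    header = struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, source_id)
    return header + b"".join(flowsets)


def build_template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, records_raw):
    body = b"".join(records_raw)
    body += b"\x00" * ((-len(body)) % 4)  # pad to a 4-byte boundary
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def demo():
    """Template 256 mirrors the page's flow record: only 'match ipv4 destination address'."""
    tmpl = build_template_flowset(256, [(12, 4)])
    data = build_data_flowset(256, [ipaddress.IPv4Address("10.10.10.34").packed,
                                    ipaddress.IPv4Address("192.0.2.7").packed])
    templates = {}
    # Packet 1: data arrives before any template has been seen -> nothing decodable.
    recs1, undec1 = parse_netflow_v9(build_v9_packet([data], count=2, seq=1), templates)
    # Packet 2: template followed by data -> records decode, each with just one field.
    recs2, undec2 = parse_netflow_v9(build_v9_packet([tmpl, data], count=3, seq=2), templates)
    return recs1, undec1, recs2, undec2


if __name__ == "__main__":
    print(demo())
```

Two things to check against a real capture with this in hand: whether the first two bytes of the UDP payload on port 2055 really say 9 (the thread mentions v5 while the exporter is configured for v9), and whether template flowsets (id 0) appear at all within the 120-second template interval, since every data flowset received before its template is undecodable by any collector. Note also that with this flow record a fully decoded record contains only `ipv4_dst_addr`; no source address, ports, or byte counts are exported.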


(thomas wing) #8

I'm in the process of deploying this at the moment with our ASR1001-Xs; which IOS version are you on?
I may be able to help out :slight_smile:


(Cleyton) #9

Hello Friend,
Sorry for the delay in responding. Below is the information on my current IOS. If you can help me, I appreciate it!

Cisco IOS XE Software, Version 16.07.01
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 16.7.1, RELEASE SOFTWARE (fc6)


(system) #10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.