[Nfdump-discuss] Fwd: nfdump with nel module and cisco asr1k CGNAT netflow logs with bulk port allo
From: Silvio A. <sil...@gm...> - 2013-09-02 06:56:34
Hello,

We have a setup where a Cisco ASR1K router is configured for CGNAT and is sending v9 NAT NetFlow packets to the nfdump/nfsen server. The version of nfdump used is 1.6.10p1. nfdump was installed with the NEL module, using "./configure --enable-nel --enable-nfprofile --with-rrdpath=/usr/bin".

The issue is that when I enable the command for bulk port allocation [BPA] on the Cisco router, the nfdump logs fail to show the ports used. The command I am using is "ip nat settings pap bpa set-size 1024". BPA is a new feature available in Cisco IOS-XE 3.10 for the ASR1K whereby a bulk of ports is allocated for each user [in this case 1024]. This feature is also important since it greatly reduces the NetFlow logs.

This is the output from nfdump, where the ports are all showing :0:

[root@rsys1 30]# nfdump -onel -r /var/log/nfsen/profiles-data/live/peer1/2013/08/30/nfcapd.201308301130
Date first seen          Event   Proto  Src IP Addr:Port        Dst IP Addr:Port   Src NAT IP Addr:Port   Dst NAT IP Addr:Port
2013-08-30 11:30:03.388  ADD     TCP    192.168.251.10:0     -> 0.0.0.0:0          194.XXX.93.1:0      -> 0.0.0.0:0
2013-08-30 11:30:03.637  ADD     UDP    192.168.251.10:0     -> 0.0.0.0:0          194.XXX.93.1:0      -> 0.0.0.0:0
2013-08-30 11:30:03.388  ADD     TCP    192.168.251.10:0     -> 0.0.0.0:0          194.XXX.93.1:0      -> 0.0.0.0:0
2013-08-30 11:30:03.637  ADD     UDP    192.168.251.10:0     -> 0.0.0.0:0          194.XXX.93.1:0      -> 0.0.0.0:0

Now when I remove the BPA command from the Cisco router, the output seems fine, as shown below:

[root@rsys1 27]# nfdump -r /var/log/nfsen/profiles-data/live/peer1/2013/08/27/nfcapd.201308271135
Date first seen          Event   Proto  Src IP Addr:Port        Dst IP Addr:Port   Src NAT IP Addr:Port   Dst NAT IP Addr:Port
2013-08-27 11:36:20.149  DELETE  UDP    192.168.251.8:61133  -> 0.0.0.0:0          194.XXX.93.1:1031   -> 0.0.0.0:0
2013-08-27 11:36:20.158  DELETE  UDP    192.168.251.8:61782  -> 0.0.0.0:0          194.XXX.93.1:1030   -> 0.0.0.0:0
2013-08-27 11:36:20.163  DELETE  UDP    192.168.251.8:64497  -> 0.0.0.0:0          194.XXX.93.1:1036   -> 0.0.0.0:0
2013-08-27 11:36:20.172  DELETE  UDP    192.168.251.8:51700  -> 0.0.0.0:0          194.XXX.93.1:1028   -> 0.0.0.0:0
2013-08-27 11:36:20.176  DELETE  UDP    192.168.251.8:55015  -> 0.0.0.0:0          194.XXX.93.1:1034   -> 0.0.0.0:0
2013-08-27 11:36:20.180  DELETE  UDP    192.168.251.8:51694  -> 0.0.0.0:0          194.XXX.93.1:1027   -> 0.0.0.0:0
2013-08-27 11:36:20.201  DELETE  UDP    192.168.251.8:59962  -> 0.0.0.0:0          194.XXX.93.1:1035   -> 0.0.0.0:0
2013-08-27 11:36:20.213  DELETE  UDP    192.168.247.26:5154  -> 0.0.0.0:0          194.XXX.93.1:1037   -> 0.0.0.0:0
2013-08-27 11:36:20.234  DELETE  UDP    192.168.251.8:51854  -> 0.0.0.0:0          194.XXX.93.1:1025   -> 0.0.0.0:0
2013-08-27 11:36:20.259  DELETE  TCP    192.168.251.8:4318   -> 0.0.0.0:0          194.XXX.93.1:1100   -> 0.0.0.0:0
2013-08-27 11:36:20.261  DELETE  UDP    192.168.251.8:56449  -> 0.0.0.0:0          194.XXX.93.1:1032   -> 0.0.0.0:0
2013-08-27 11:36:20.318  DELETE  UDP    192.168.251.8:53780  -> 0.0.0.0:0          194.XXX.93.1:1026   -> 0.0.0.0:0
2013-08-27 11:36:20.324  DELETE  UDP    192.168.251.8:54785  -> 0.0.0.0:0          194.XXX.93.1:1033   -> 0.0.0.0:0
2013-08-27 11:36:20.149  DELETE  UDP    192.168.251.8:61133  -> 0.0.0.0:0          194.XXX.93.1:1031   -> 0.0.0.0:0
2013-08-27 11:36:20.158  DELETE  UDP    192.168.251.8:61782  -> 0.0.0.0:0          194.XXX.93.1:1030   -> 0.0.0.0:0
2013-08-27 11:36:20.163  DELETE  UDP    192.168.251.8:64497  -> 0.0.0.0:0          194.XXX.93.1:1029   -> 0.0.0.0:0
2013-08-27 11:36:20.164  DELETE  UDP    192.168.251.8:63990  -> 0.0.0.0:0          194.XXX.93.1:1036   -> 0.0.0.0:0
2013-08-27 11:36:20.172  DELETE  UDP    192.168.251.8:51700  -> 0.0.0.0:0          194.XXX.93.1:1028   -> 0.0.0.0:0
2013-08-27 11:36:20.176  DELETE  UDP    192.168.251.8:55015  -> 0.0.0.0:0          194.XXX.93.1:1034   -> 0.0.0.0:0
2013-08-27 11:36:20.180  DELETE  UDP    192.168.251.8:51694  -> 0.0.0.0:0          194.XXX.93.1:1027   -> 0.0.0.0:0
2013-08-27 11:36:20.201  DELETE  UDP    192.168.251.8:59962  -> 0.0.0.0:0          194.XXX.93.1:1035   -> 0.0.0.0:0
2013-08-27 11:36:20.213  DELETE  UDP    192.168.247.26:5154  -> 0.0.0.0:0          194.XXX.93.1:1037   -> 0.0.0.0:0
2013-08-27 11:36:20.234  DELETE  UDP    192.168.251.8:51854  -> 0.0.0.0:0          194.XXX.93.1:1025   -> 0.0.0.0:0
2013-08-27 11:36:20.259  DELETE  TCP    192.168.251.8:4318   -> 0.0.0.0:0          194.XXX.93.1:1100   -> 0.0.0.0:0
2013-08-27 11:36:20.261  DELETE  UDP    192.168.251.8:56449  -> 0.0.0.0:0          194.XXX.93.1:1032   -> 0.0.0.0:0
2013-08-27 11:36:20.318  DELETE  UDP    192.168.251.8:53780  -> 0.0.0.0:0          194.XXX.93.1:1026   -> 0.0.0.0:0
2013-08-27 11:36:20.324  DELETE  UDP    192.168.251.8:54785  -> 0.0.0.0:0          194.XXX.93.1:1033   -> 0.0.0.0:0
2013-08-27 11:36:20.358  DELETE  UDP    192.168.251.8:49280  -> 0.0.0.0:0          194.XXX.93.1:1024   -> 0.0.0.0:0
2013-08-27 11:36:20.358  DELETE  UDP    192.168.251.8:49280  -> 0.0.0.0:0          194.XXX.93.1:1024   -> 0.0.0.0:0

Can you help out?

Thanks
Silvio
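As an added example that is not part of the original post or of nfdump itself: the practical cost of the symptom above is that a NAT event record with port 0 cannot be used to attribute a public IP:port back to an inside host, which is the whole point of keeping CGNAT logs. The script below parses the text layout of `nfdump -o nel` output, counts records that carry a usable port versus port 0 per event type, and resolves a public IP:port at a given time to the inside address. The sample lines are constructed to mirror the column layout in the post, with 203.0.113.1 standing in for the redacted public NAT address; the ADD/DELETE lifetime logic in `resolve` is my own reading of how the events combine, not nfdump's code.

```python
"""Parse the text output of `nfdump -o nel`, flag records whose translated
port is 0 (the BPA symptom from the post, which leaves a public IP:port
unattributable), and resolve a public IP:port at a given time to the inside
host. Added example, not nfdump code; the sample lines are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the column layout of `nfdump -o nel` (1.6.x).
# 203.0.113.1 is a placeholder for the redacted public NAT address.
SAMPLE_NEL = """\
Date first seen          Event  Proto   Src IP Addr:Port   Dst IP Addr:Port   Src NAT IP Addr:Port   Dst NAT IP Addr:Port
2013-08-30 11:30:03.388  ADD    TCP   192.168.251.10:0      ->  0.0.0.0:0   203.0.113.1:0     ->  0.0.0.0:0
2013-08-30 11:30:03.637  ADD    UDP   192.168.251.10:0      ->  0.0.0.0:0   203.0.113.1:0     ->  0.0.0.0:0
2013-08-27 11:36:20.149  DELETE UDP   192.168.251.8:61133   ->  0.0.0.0:0   203.0.113.1:1031  ->  0.0.0.0:0
2013-08-27 11:36:20.158  DELETE UDP   192.168.251.8:61782   ->  0.0.0.0:0   203.0.113.1:1030  ->  0.0.0.0:0
2013-08-27 11:36:20.259  DELETE TCP   192.168.251.8:4318    ->  0.0.0.0:0   203.0.113.1:1100  ->  0.0.0.0:0
Summary: total flows: 5, total bytes: 0, total packets: 0
"""

# One NEL record: timestamp, event, proto, inside tuple, translated tuple.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<event>[A-Z]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<nsrc>[\d.]+):(?P<nsport>\d+)\s+->\s+(?P<ndst>[\d.]+):(?P<ndport>\d+)\s*$"
)


def parse_ts(s):
    """Accept 'YYYY-MM-DD HH:MM:SS' with or without a fractional second."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in s else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(s, fmt)


def parse_nel(text):
    """Return a list of dict records; header, blank and summary lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": parse_ts(d["ts"]), "event": d["event"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "nat_src": d["nsrc"], "nat_sport": int(d["nsport"]),
            "nat_dst": d["ndst"], "nat_dport": int(d["ndport"]),
        })
    return records


def zero_port_records(records):
    """Records where the inside or translated source port is 0: these cannot
    attribute a public IP:port to a subscriber."""
    return [r for r in records if r["sport"] == 0 or r["nat_sport"] == 0]


def port_audit(records):
    """Count usable vs port-0 records per event type, e.g. {('ADD','port0'): 2}."""
    c = Counter()
    for r in records:
        usable = r["sport"] != 0 and r["nat_sport"] != 0
        c[(r["event"], "usable" if usable else "port0")] += 1
    return dict(c)


def resolve(records, nat_ip, nat_port, proto, when):
    """Inside (ip, port) mapped to nat_ip:nat_port/proto at time `when`, or None.
    A mapping is live from its ADD until the next DELETE for the same translated
    tuple; a DELETE at or after `when` proves the mapping was live even when no
    ADD was logged, since the DELETE record carries the inside tuple too."""
    if isinstance(when, str):
        when = parse_ts(when)
    key = (nat_ip, nat_port, proto)
    matching = sorted(
        (r for r in records
         if (r["nat_src"], r["nat_sport"], r["proto"]) == key and r["nat_sport"] != 0),
        key=lambda r: r["ts"])
    inside = None
    for r in matching:
        if r["event"] == "ADD":
            if r["ts"] > when:
                break                       # later mappings are irrelevant
            inside = (r["src"], r["sport"])
        elif r["event"] == "DELETE":
            if r["ts"] < when:
                inside = None               # that mapping closed before `when`
            else:
                return (r["src"], r["sport"])
    return inside


if __name__ == "__main__":
    recs = parse_nel(SAMPLE_NEL)
    print("audit:", port_audit(recs))
    print("unattributable:", len(zero_port_records(recs)))
    print("203.0.113.1:1100/TCP at 11:36:00 ->",
          resolve(recs, "203.0.113.1", 1100, "TCP", "2013-08-27 11:36:00"))
```

Run against a real file with `nfdump -o nel -r nfcapd.<ts> | python3 script.py`-style plumbing after swapping `SAMPLE_NEL` for `sys.stdin.read()`; a non-zero `port0` count in the audit is the signal that the collector is not decoding what the router exports, and any answer from `resolve` on such data is meaningless.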