Re: [Nfdump-discuss] Cisco CGN NEL problem, missing data
From: Peter H. <ph...@us...> - 2014-09-24 09:58:15
Hi Aleksandar,

What nfdump version are you using? Could you probably send me - off list of course - a pcap dump of the collector for a couple of minutes?

Thanks

- Peter

On 10/09/14 16:14, Aleksandar Ciric wrote:
> Hello everyone,
>
> I am having a bit of a problem with collecting flow from Cisco CGSE module in CRS-3. It's just a test but I would be very grateful for any help provided, be it from developers or guys and gals who use nfdump with Cisco CGN stuff. I have nfdump compiled with following options:
> ./configure --enable-nfprofile --enable-nftrack --enable-sflow --enable-nel --enable-nsel
>
> I run CGSE NAT44 setup with "bulk-port-alloc size 256", which seems to be the most sensible option in order to limit size of netflow log. I enclosed config for reference, the most basic setting possible.
>
> service cgn test
> service-location preferred-active 0/3/CPU0
> service-type nat44 nat1
> portlimit 1024
> inside-vrf sbb-cgse-test
> map address-pool x.x.x.x/x
> external-logging netflow version 9
> server
> address y.y.y.y port 10000
> bulk-port-alloc 256
>
> When I run collector with output to stdout, I receive fairly useful data, where I can identify what the NAT creation and deletion is by looking at "pblock start/end". However when the data gets written to a file, I seem to lose pblock data which makes it unusable to me.
>
> Apparently part of the problem with missing data is the fact that CGSE does not send data that defines the NAT event (check template format below for CGSE), however it's strange that -E output does not get written to files identically as it is.
> NetFlow Record Format:
> http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-3/cg_nat/configuration/guide/cgnat_cg43crs/cgnat51log.html#wp1085003
>
> For example I see no date/time for the flow records, beside received at (so so ok), and nat event also comes blank (apparently not defined in template, see link above).
>
> nfcapd -E -T all -w -B 200000 -l /root/netflow-test/ -p 10000
> Flow Record:
>   Flags = 0x06 FLOW, Unsampled
>   export sysid = 1
>   size = 100
>   first = 0 [1970-01-01 01:00:00]
>   last = 0 [1970-01-01 01:00:00]
>   msec_first = 0
>   msec_last = 0
>   src addr = 10.0.0.11
>   dst addr = 0.0.0.0
>   src port = 0
>   dst port = 0
>   fwd status = 0
>   tcp flags = 0x00 ......
>   proto = 0 0
>   (src)tos = 0
>   (in)packets = 0
>   (in)bytes = 0
>   ip router = z.z.z.z
>   engine type = 209
>   engine ID = 51
>   received at = 1410355577961 [2014-09-10 15:26:17.961]
>   src xlt ip = a.a.a.a
>   dst xlt ip = 0.0.0.0
>   nat event = 0: INVALID
>   ingress VRF = 1610612738
>   egress VRF = 1610612736
>   pblock start = 13824
>   pblock end = 14079
>   pblock step = 0
>   pblock size = 0
>
> Flow Record:
>   Flags = 0x06 FLOW, Unsampled
>   export sysid = 1
>   size = 92
>   first = 0 [1970-01-01 01:00:00]
>   last = 0 [1970-01-01 01:00:00]
>   msec_first = 0
>   msec_last = 0
>   src addr = 10.0.0.11
>   dst addr = 0.0.0.0
>   src port = 0
>   dst port = 0
>   fwd status = 0
>   tcp flags = 0x00 ......
>   proto = 0 0
>   (src)tos = 0
>   (in)packets = 0
>   (in)bytes = 0
>   ip router = z.z.z.z
>   engine type = 209
>   engine ID = 51
>   received at = 1410355781961 [2014-09-10 15:29:41.961]
>   nat event = 0: INVALID
>   ingress VRF = 1610612738
>   egress VRF = 0
>   pblock start = 13824
>   pblock end = 0
>   pblock step = 0
>   pblock size = 0
>
> -------------------
>
> When written to file it looks like this:
>
> Flow Record:
>   Flags = 0x06 FLOW, Unsampled
>   export sysid = 1
>   size = 100
>   first = 0 [1970-01-01 01:00:00]
>   last = 0 [1970-01-01 01:00:00]
>   msec_first = 0
>   msec_last = 0
>   src addr = 10.0.0.11
>   dst addr = 0.0.0.0
>   src port = 0
>   dst port = 0
>   fwd status = 0
>   tcp flags = 0x00 ......
>   proto = 0 0
>   (src)tos = 0
>   (in)packets = 0
>   (in)bytes = 0
>   ip router = z.z.z.z
>   engine type = 209
>   engine ID = 51
>   received at = 1410355577961 [2014-09-10 15:26:17.961]
>   src xlt ip = a.a.a.a
>   dst xlt ip = 0.0.0.0
>   nat event = 0: INVALID
>   ingress VRF = 1610612738
>   egress VRF = 1610612736
>   pblock start = 13824
>   pblock end = 14079
>   pblock step = 0
>   pblock size = 0
>
> Flow Record:
>   Flags = 0x06 FLOW, Unsampled
>   export sysid = 1
>   size = 92
>   first = 0 [1970-01-01 01:00:00]
>   last = 0 [1970-01-01 01:00:00]
>   msec_first = 0
>   msec_last = 0
>   src addr = 10.0.0.11
>   dst addr = 0.0.0.0
>   src port = 0
>   dst port = 0
>   fwd status = 0
>   tcp flags = 0x00 ......
>   proto = 0 0
>   (src)tos = 0
>   (in)packets = 0
>   (in)bytes = 0
>   ip router = z.z.z.z
>   engine type = 209
>   engine ID = 51
>   received at = 1410355781961 [2014-09-10 15:29:41.961]
>   nat event = 0: INVALID
>   ingress VRF = 1610612738
>   egress VRF = 0
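
Added example (not part of the original thread and not nfdump code): a small Python check that parses two text dumps in the `Flow Record:` layout quoted above and reports which fields present in the live collector output are absent from the stored copy. The sample records are constructed by abridging the ones in the post; pairing records by `src addr` and the `received at` millisecond value is an assumption.

```python
import re

# Constructed samples, abridged from the two dumps quoted in the post.
LIVE = """\
Flow Record:
  src addr = 10.0.0.11
  received at = 1410355577961 [2014-09-10 15:26:17.961]
  pblock start = 13824
  pblock end = 14079
Flow Record:
  src addr = 10.0.0.11
  received at = 1410355781961 [2014-09-10 15:29:41.961]
  pblock start = 13824
  pblock end = 0
"""
# Stored copy: identical, except the second record has lost its pblock fields.
FROM_FILE = LIVE.rsplit("  pblock start", 1)[0]

FIELD = re.compile(r"^\s*(.+?)\s*=\s*(.*?)\s*$")

def parse_records(text):
    """Split a text dump into one dict of field -> value per record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Flow Record:":
            current = {}
            records.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return records

def record_key(rec):
    # Assumption: source address plus the collector's millisecond receive
    # timestamp identifies the same record in both dumps.
    return rec.get("src addr"), rec.get("received at", "").split(" ")[0]

def missing_fields(live_text, file_text):
    """Map record key -> fields seen live but absent from the stored copy."""
    stored = {record_key(r): r for r in parse_records(file_text)}
    report = {}
    for rec in parse_records(live_text):
        key = record_key(rec)
        if key not in stored:
            report[key] = None  # whole record missing from the file
        elif lost := sorted(set(rec) - set(stored[key])):
            report[key] = lost
    return report

if __name__ == "__main__":
    for key, lost in missing_fields(LIVE, FROM_FILE).items():
        print(key, "->", lost)
```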