2811 & netflow9 + UNC traffic

[olaritter]

Hello All!

I hope someone can give a hint or point me to read somewhere to resolve this. I dont feel comfortable with this issue I have now lol, my tracking is incomplete Thanks. Here it is:

Hey there

Thanks for the useful log! I just found it, and going to read as much as possible and get from there to improve. Have question, or eventually to redirect me to a forum when I can read and discuss this. I have enabled Netflow v9 on my corporate 2811 and added NBAR support. All seems to work well. NBAR is active just on one interface, as for Netflow 9, it is active on 14 interfaces, and one is source, the local fast ethernet interface. Have this:
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export template options export-stats
ip flow-export template options timeout-rate 120
ip flow-export template options refresh-rate 25
ip flow-export template refresh-rate 60
ip flow-export destination 10.0.0.222 2055
ip flow-export destination 10.0.0.222 3055

And for each tunnel I have ip route-cache flow in action.

Now I noticed yesterday an interesting thing. I do unc (\\) type of connection to a remote computer, via one of our IP VPN connections, effectively thru one of the tunnels. I transfered from that remote computer to mine, anywhere between 9MB-10MB. But these are not available in my graphs. I use ManageEngine Netflow analyzer 5 for collecting and presenting Netflow 9 and NBAR exports from my 2811 Cisco router. The application registered ONLY around 500K-600K as traffic between my computer and the remote one.
Right now checked if for any reason the session is active on the remote computer, and somehow the flow was not ended, but that doesnt seem to be the case.
Do you think you can advise and suggest where to look for this?

/Ola

 

[ADB100]

Has the traffic appeared on another interface - i.e. the physical interface and not the Tunnel? I have a router running NAT and the outbound traffic is recorded by NetFlow but the inbound appears on a Dynamic Virtual-Access interface. However if you look at the output from a 'show interface dialer x' it shows both inbound & outbound traffic. It seems the NetFlow stats are exported before the stats are generated for the interface show command.
I am just wondering whether there is a similar logic at work here with the Tunnel interfaces since they are software interfaces and traffic will be handled in software before being forwarded.
If this isn't the case then I would suggest a TAC case and get TAC to explain the logic.

HTH

Andy

 

[olaritter]

Thanks Andy for writing.
HTH?
TAC? - that is the support?

Well the coresponding dialer has no traffic.
As for the physical interface, on fastethernet 0/0 I have same statistics recorded as on the tunnel (for the corresponding remote location/router), just the oposite roles for destination and source. The problem might be: I have enabled fastethernet 0/0 and all tunnels, but none of the remote routers are activated for netflow on the router's themselves. So basically this may be a problem. Though, it works for other protocols. For example I can accurately see and collect STMP (traffic with an Exchange server).
what do you think?

 

[ADB100]

Sorry - HTH - Hope This Helps, TAC is Cisco's support (Technical Assistance Centre I think), however you need a support contract to raise a case.

Enabling NetFlow on the remote routers won't make any difference to the stats exported by the local router. If you want to monitor the remote routers as well then obviously you need to enable NetFlow on them......

You need to enable NetFlow on all interfaces the traffic will flow into and out of on the router otherwise the NetFlow statistics won't add up. I suggest you stick 'netflow & tunnel' into Cisco's search engine and see what comes up....

HTH

Andy