Unleash Networks Forum :: Topic: IPFIX configuration? (1/1)

Welcome, Guest

TOPIC: IPFIX configuration?

IPFIX configuration? 10 years 1 month ago #3858

diq	Is this still the correct support document to follow in order to setup IPFIX probes? trisul.org/docs/howto/netflow_setup.html I followed that, but I'm not getting any data collected. I've verified that flows are making it to the host using tcpdump.
	The administrator has disabled public write access.

IPFIX configuration? 10 years 1 month ago #3859

vivek [unleash] OFFLINE Karma: 3	Hello, Yes that is the correct document. Is there anything in the log files ? They are located in /usr/local/var/log/trisul/ns-001.log How long did you wait ? It could take upto a minute after the IPFIX template records show up. If you dont mind can you tell me the name of the equipment, we can tell you if there are any known gotchas. Thanks,
	Vivek R Unleash Networks Support : www.unleashnetworks.com/forums The administrator has disabled public write access.

IPFIX configuration? 10 years 1 month ago #3860

diq

This is in the logs:

Wed Mar 12 18:16:21 2014.835002 DEBUG GenProtUnits : Handler Cant Generate Parse, datagram constructed
Wed Mar 12 18:16:21 2014.835054 DEBUG GenProtUnits : Handler Cant Generate Parse, datagram constructed
Wed Mar 12 18:16:21 2014.859987 DEBUG GenProtUnits : Handler Cant Generate Parse, datagram constructed

The flows are coming from Juniper MX routers using the v4 template. The flow data is fine; it's parsed by other tools.

The administrator has disabled public write access.

IPFIX configuration? 10 years 1 month ago #3861

diq	Any ideas what could be causing this?
	The administrator has disabled public write access.

IPFIX configuration? 10 years 1 month ago #3862

vivek [unleash] OFFLINE Karma: 3	Hello, It appears there is a problem with IPFIX support. Trisul isnt able to correlate the template. It is probably tripping up on some field. Can you send us a pcap with atleast one v4 template packet and a handful of data packets by email to info at unleashnetworks dot com. We will turn around within 24 hours. Regards,
	Vivek R Unleash Networks Support : www.unleashnetworks.com/forums The administrator has disabled public write access.

IPFIX configuration? 10 years 1 month ago #3863

vivek [unleash]
OFFLINE
Karma: 3

Hi,

Please download the new build 4.0.1783 that fixes the IPFIX support.

The steps are

1. Uninstall the old version
2. Download and install the new Trisul package

3. Edit the following file and remove the Palo Alto static templates

Open

/usr/local/etc/trisul/PI-7CA09636-02D4-45E7-AA00-BE0D49B94E26.xml

Remove the following lines that look like this

<StaticTemplates>

                <Template id="256" name="Palo Alto IPv4 Standard">
                        <Fields>1,2,4,5,6,7,8,10,11,12,14,21,22,32,61,148,233</Fields>
                </Template>
..

</StaticTemplates>

So the empty section must look like this

<StaticTemplates>
</StaticTemplates>

4. Make sure your port 9993 is set for Netflow via Customize > Access Points > UDP. Check the trisul.org/docs/howto/netflow_setup.html for more

5. Send the IPFIX packets. Everything should show up as expected.

Further things to go :

1. Set the Home Network Subnets via Customize > HOme Networks

What caused the bug

We had done some special processing for Palo Alto Networks equipment IPFIX in situations where the template packets never came. This was leftover in the build you tried, causing even the Juniper IPFIX to trip up.

Let me know if everything is ok.

Regards,

Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums

The administrator has disabled public write access.

The following user(s) said Thank You: richard.hesse@weebly.com

Forum

Unleash Networks Forums

Trisul Network Metering and Forensics

IPFIX configuration?