Flow Records Not Received

SYMPTOM

Flow exporters are configured to output IPFIX, sFlow, or Netflow, but one or more flow exporters’ data does not appear in the ElastiFlow dashboards.

PROBLEM

There can be several reasons for this:

The packets carrying the expected flow records may not be arriving at the system running the collector.
The packets carrying the expected flow records may be arriving on a UDP port on which the collector is not listening.
The Linux firewall may be blocking the packets from reaching the collector.

SOLUTION

Follow these steps to resolve the issue:

Verify Packets Are Arriving

Use tcpdump to verify that the packets carrying the expected flow records are arriving at the interface where the collector is listening. For example, if the collector is listening on UDP port 2055 (refer to EF_FLOW_SERVER_UDP_PORT) the following tcpdump command will show incoming packets to this port:

sudo tcpdump "udp port 2055"

If you are looking for packets from a specific exporter, you can also specify the exporter's IP address. For example, if packets are expected from 192.0.2.11 you would use the following command:

sudo tcpdump "src 192.0.2.11 and udp port 2055"

:::note You may need to specify the interface on which tcpdump should observe incoming packet. You can do this by specifying the -i option. For example?:

sudo tcpdump -i eth0 "src 192.0.2.11 and udp port 2055"

:::

If you do not receive any packets, you will need to troubleshoot why they are not arriving. This could be because:

the device is not sending them
they are being sent to the wrong place
they are being blocked along the way, e.g. by a firewall

You will need to troubleshoot and fix this issue before proceeding.

Verify that the Collector is Receiving the Packets

Verify that the collector is receiving the packets from the operating system, by running the collector with debug logging (EF_LOGGER_LEVEL set to debug). You should see messages indicating when packets are received and from which IP addresses they were sent.

If you have verified that the packets are arriving at the system, but you do not see any such messages in the collector's logs, the packets are likely being blocked by the Linux firewall. You can temporarily disable the Linux firewall to confirm this. If after doing this the logs indicate that packets are received, you will need to reconfigure the Linux firewall to allow the traffic to reach the collector.

REFERENCE

Netflow/IPFIX/sFlow UDP Input
EF_LOGGER_LEVEL

PreviousConfigure the UDP Input NextNetflow v9/IPFIX Template Not Receieved