Table Of Contents
Troubleshooting the Cisco NetFlow Collector
Using the nfcollector list Command
Using the show-tech Command to Capture Troubleshooting Information
NetFlow Collector Tools and Utilities
fdcount Utility
ndeget Utility
get_bgp_rib Utility
fdget Utility
fdplayback Utility
Solving NetFlow Collector Problems
Troubleshooting the Cisco NetFlow Collector
This appendix provides helpful information and procedures in case you encounter problems while using the Cisco NetFlow Collector (NFC).
This appendix includes the following:
• "Using the nfcollector list Command" section
• "Using the show-tech Command to Capture Troubleshooting Information" section
• "NetFlow Collector Tools and Utilities" section
• "Solving NetFlow Collector Problems" section
Using the nfcollector list Command
The nfcollector list command provides an easy way to determine which NFC processes are running (or not running). To invoke the nfcollector list command, enter the following command line at the UNIX prompt:
$NFC_DIR/bin/nfcollector list
When invoked, the nfcollector list command displays status information about the Cisco NetFlow Collector, as in the following example:
rmiregistry: Running (pid: 13415)
nfcxml: Running (pid: 13403)
snmpd: Running (pid: 13425)
collection: Running (pid: 13405)
re: Not Running; autostart not configured
Note: If the nfcollector list command reports that a process is not running but autostart is configured for that process, there may be a problem with the NetFlow Collector. See the "Starting the Cisco NetFlow Collector User Interface" section on page 2-1 for information on how to start NetFlow Collector processes. Keep in mind that the re process for running scheduled reports is not autostarted by the process watcher unless you update the default process watcher configuration in /opt/CSCOnfc/config/nfcpw.xml.
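The rule in the Note above, as an added example that is not part of the Cisco documentation: the function reads nfcollector list output on standard input and names every process that is down without the autostart exemption. The sample output is constructed, and the form of a non-exempt line (name: Not Running) is an assumption, because the page shows only the exempt form.

```shell
#!/bin/sh
# Added example, not Cisco code. Reads `nfcollector list` output on stdin and
# prints each process that is down without the "autostart not configured" remark.
# Assumption: such a process is reported as "<name>: Not Running".
# Returns non-zero when at least one such process is found.
nfc_unexpected_down() {
    awk -F': ' '
        $2 ~ /^Not Running/ && $2 !~ /autostart not configured/ { print $1; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: the output shown above with the collection process stopped.
sample='rmiregistry: Running (pid: 13415)
nfcxml: Running (pid: 13403)
snmpd: Running (pid: 13425)
collection: Not Running
re: Not Running; autostart not configured'

if down=$(printf '%s\n' "$sample" | nfc_unexpected_down); then
    echo "all autostarted NFC processes are running"
else
    echo "NFC processes down: $down"
fi
# On a collector host: $NFC_DIR/bin/nfcollector list | nfc_unexpected_down
```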
Using the show-tech Command to Capture Troubleshooting Information
The show-tech command provides an easy way to generate all the debugging information necessary for support and troubleshooting purposes. To invoke the show-tech command, enter the following command line at the UNIX prompt:
$NFC_DIR/bin/nfcollector show-tech
Note: To capture running configuration information, you should invoke the show-tech command while NetFlow Collector is running.
When invoked, the show-tech command creates a log file named show-tech.log in the $NFC_DIR/logs directory.
NetFlow Collector Tools and Utilities
The utilities described in this section are typically used to troubleshoot NetFlow Collector operation by providing a way to capture and play back received NetFlow data. The process emulates a Cisco export device generating NetFlow data through the NetFlow data export feature. The utilities are available in the $NFC_DIR/tools directory and include the following:
• fdcount Utility
• ndeget Utility
• get_bgp_rib Utility
• fdget Utility
• fdplayback Utility
fdcount Utility
The fdcount utility listens to a user-specified UDP port, samples a user-specified number of incoming datagrams, and calculates the average incoming rate. Enter:
$NFC_DIR/tools/fdcount [-p UDP-port] [-c count] [-s socket-buffer]
where:
-p UDP-port | UDP port number on which flows are to be received. The default is 9991.
-c count | Number of flows to sample before calculating the incoming rate. The default is 100.
-s socket-buffer | Receive socket buffer size, in bytes. The default is 90000 bytes.
ndeget Utility
The ndeget utility listens to a user-specified UDP port to receive flow data and prints the contents of the received flow packets to the standard output. This is intended to replace the fdget utility, which is still included for backwards compatibility. Unlike fdget, ndeget can display the contents of NetFlow version 9 packets. Enter:
$NFC_DIR/tools/ndeget.sh -port port [-hex] [-maxpacketlen length]
where:
-port port | UDP port number on which flows are to be received.
-hex | Optionally display a hex dump of the contents of packets.
-maxpacketlen length | Optionally change the size of the packet buffer.
get_bgp_rib Utility
The get_bgp_rib utility displays the contents of the NetFlow Collector BGP Peer's routing information base. Enter:
$NFC_DIR/tools/get_bgp_rib.sh [-p port] [-x]
where:
-p port | Optionally change the port used for contacting the BGP peer.
-x | Optionally display the result as XML.
fdget Utility
The fdget utility is made obsolete by the ndeget utility.
The fdget utility listens to a user-specified UDP port to receive flow data and prints some of the fields from the received flow packets to the standard output. One use of this capability is to print flow data sent by the fdplayback utility. Enter:
$NFC_DIR/tools/fdget [-p UDP-port] [-s socket-buffer] [-a]
where:
-p UDP-port | UDP port number on which flows are to be received. The default is 9991.
-s socket-buffer | Receive socket buffer size, in bytes. The default is 90000 bytes. This argument and value determine how many datagrams the kernel stores in this buffer as datagrams come in from the network. The larger the buffer, the more time fdget has to consume data from the buffer before the buffer overflows. If the buffer overflows, datagrams are lost.
-a | Print an acknowledgment only. The default is to print the content of flows. With -a, fdget prints only an acknowledgment for each datagram received rather than the content of the datagram.
fdplayback Utility
The fdplayback utility reads a data file of NetFlow data created by NetFlow Collector or some other tool and sends the flow data to a user-specified destination. Enter:
$NFC_DIR/tools/fdplayback [-f datafile] [-d IP-address] [-p UDP-port] [-i delay]
[-b burst] [-s socket-buffer] [-t flows]
where:
-f datafile | Name of data file to play back to the user-specified destination (defined by IP address and UDP port number).
-d IP-address | Destination IP address.
-p UDP-port | Destination UDP port number. The default is 9991.
-i delay | Delay (in milliseconds) between datagrams. The default is 1000. The longer the delay, the more separation there is between datagrams being sent to the receiving destination.
-b burst | Number of flows sent in each burst. The default is 10. This argument is used in conjunction with -i to control the speed and "burstiness" of the playback.
-s socket-buffer | Receive socket buffer size, in bytes. The default is 90000 bytes.
-t flows | Number of flows to play back in this session. The default is all flows in the data file. If the data file contains 1000 datagrams and you set -t to 1, fdplayback only sends one datagram.
Solving NetFlow Collector Problems
This section discusses some basic problems that you might encounter while attempting to run NetFlow Collector.
Symptom: Licensing errors in the /opt/CSCOnfc/logs/nfc.log file.
Possible Cause: Either the license file is missing or invalid, or the system hostname and address information is not configured properly on the host. This is particularly an issue with Red Hat Linux, where the default /etc/hosts file must be updated for licensing to work.
Recommended Action:
1. Look in the nfc.log file and determine the specific error. The error information returned by the FlexLM library may be useful.
2. Verify that the contents of the /opt/CSCOnfc/config/nfc.lic file were copied verbatim from the license key sent in email. The files must match exactly. Note that detaching the file from email can sometimes introduce Windows-style carriage return characters that the FlexLM library does not handle properly.
3. Do the following:
   a. Verify that the IP address matches the HOSTID=INTERNET=ipaddress line in the /opt/CSCOnfc/config/nfc.lic file. If not, the license file is not valid for this host.
   b. Verify that the hostname is set, using the hostname command, and is set to a value other than localhost, localhost.localdomain, etc.
   c. Verify that /etc/hosts contains an entry for this hostname, and that the IP address in the entry matches the IP address in the nfc.lic file. Verify that the loopback address 127.0.0.1 in /etc/hosts does not contain localhost, localhost.localdomain, etc. as the hostname. These are defaults for Red Hat Enterprise Linux and must be changed. You must remove the hostname mapping to the loopback address and add an entry for the licensed IP address. On Solaris systems, in /etc/nsswitch.conf, the hosts entry is normally set to files dns so that /etc/hosts is searched for the IP address.
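The checks in steps 2 and 3 can be run as one preflight. The script below is an added example, not Cisco code: check_nfc_license and its three arguments are hypothetical names, the license line and hosts file are constructed samples, and the loopback check implements the instruction to remove the hostname mapping to the loopback address.

```shell
#!/bin/sh
# Added example (not Cisco code). check_nfc_license LICENSE HOSTS HOSTNAME prints
# one line per problem found in steps 2 and 3 and returns non-zero if any exist.
check_nfc_license() {
    lic=$1 hosts=$2 name=$3 rc=0
    cr=$(printf '\r')

    # Step 2: carriage returns picked up when the file was detached from email.
    if grep -q "$cr" "$lic"; then
        echo "CRLF: $lic contains carriage returns"; rc=1
    fi

    # Step 3a: the address the license is bound to (HOSTID=INTERNET=ipaddress).
    lic_ip=$(sed -n 's/.*HOSTID=INTERNET=\([0-9.]*\).*/\1/p' "$lic" | head -n 1)
    [ -n "$lic_ip" ] || { echo "HOSTID: no HOSTID=INTERNET= entry in $lic"; rc=1; }

    # Step 3b: the hostname must be set and must not be a loopback default.
    case $name in
        ''|localhost|localhost.*) echo "HOSTNAME: '$name' is not usable"; rc=1 ;;
    esac

    # Step 3c: every hosts-file address that names this host (comments ignored).
    ips=$(awk -v h="$name" '{ sub(/#.*/, "")
        for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$hosts")
    for ip in $ips; do
        case $ip in
            127.*) echo "LOOPBACK: $name is mapped to $ip"; rc=1 ;;
        esac
    done
    if [ -n "$lic_ip" ] && ! printf '%s\n' $ips | grep -qxF "$lic_ip"; then
        echo "MISMATCH: no hosts entry maps $name to $lic_ip"; rc=1
    fi
    return $rc
}

# Constructed sample: Red Hat style hosts file and a license line saved with CRLF.
demo=$(mktemp -d)
printf 'FEATURE nfc vendor 1.0 HOSTID=INTERNET=192.0.2.10\r\n' > "$demo/nfc.lic"
printf '127.0.0.1 nfc1 localhost.localdomain localhost\n' > "$demo/hosts"
check_nfc_license "$demo/nfc.lic" "$demo/hosts" nfc1 || echo "license preflight failed"
# On a collector host:
# check_nfc_license /opt/CSCOnfc/config/nfc.lic /etc/hosts "$(hostname)"
```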
Symptom: Unable to log in to the NetFlow Collector UI; the login screen shows a general error message about checking for errors in collector log files.
Possible Cause: The collection process is not running. The collection process must be running before you are allowed to log in.
Recommended Action: Check the /opt/CSCOnfc/logs/nfc.log file for specific error information. The most common causes of this are:
• Licensing problem. See the licensing symptom above (Licensing errors in the /opt/CSCOnfc/logs/nfc.log file).
• XML configuration problem. Identify the log message corresponding to the invalid XML and fix it.
Symptom: During installation on a Solaris system, an error is encountered and NetFlow Collector does not finish installing.
Possible Cause: The system is running Solaris 7 or lower.
Recommended Action: Use a system running Solaris 8, 9, or 10. Solaris 7 or lower is not supported.
Symptom: During installation on a Linux system, an error is encountered and NetFlow Collector does not finish installing.
Possible Cause: The system is not running Red Hat Enterprise 2.1, 3, or 4 Linux.
Recommended Action: Use a system running Red Hat Enterprise 2.1, 3, or 4 Linux.