Flow-accounting Netflow - Incorrect SRC and DST IPs

Hi All,

We have set up NetFlow on one of our production routers (running 1.3-rolling-202201111028) but we are receiving seemingly random SRC and DST IPs in the flows (i.e. neither belong to our network).

We have done a tcpdump on the relevant interfaces and cannot find any evidence of the flows for these IP addresses.

Below is an example of the “sh flow-accounting” results that we get which is replicated in the data we see coming to the NetFlow server.

sh flow-accounting
IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES


eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 221.6.193.216 52.218.225.144 0 0 101 0 2 1 2944
eth1.890 d4:af:f7:74:2a:79 96:de:98:10:de:0f 63.17.75.147 163.116.203.35 0 0 33 0 1 1 1274
eth1.890 d4:af:f7:74:2a:79 96:de:98:10:de:0f 63.17.91.27 163.116.203.35 0 0 0 1 1 1274
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 33.6.129.73 167.94.146.25 0 0 73 0 1 1 44
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 235.6.212.152 18.209.220.3 0 0 ^N B^N^XB^N^PB^N^HA 0 1 1 362
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 52.6.194.223 203.13.127.16 0 0 114 0 1 1 2824
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 57.47.83.35 165.225.226.12 0 0 ^ED^N0^BP^N(A^N A^N^XB^N^PB^N^H4 0 1 1 64
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 227.6.63.17 35.80.173.253 0 0 0 1 1 40
eth1.890 d4:af:f7:74:2a:79 96:de:98:10:de:0f 63.17.91.240 163.116.203.35 0 0 0 1 1 1274
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 57.6.206.75 43.225.35.83 0 0 85 0 1 1 14640
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 53.6.65.65 93.184.216.34 0 0 26 0 1 1 52
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 57.6.181.169 43.225.35.83 0 0 109 0 1 1 8740
eth1.120 ac:78:d1:32:28:30 96:de:98:10:de:0f 51.6.169.227 66.42.48.101 0 0 0 1 1 110

Below is the configuration that we are using.

set system flow-accounting disable-imt
set system flow-accounting interface ‘eth1.120’
set system flow-accounting interface ‘eth1.890’
set system flow-accounting netflow sampling-rate ‘100’
set system flow-accounting netflow server 10.88.11.50 port ‘2055’
set system flow-accounting netflow server 10.89.11.61 port ‘2055’
set system flow-accounting netflow source-ip ‘10.88.11.22’
set system flow-accounting netflow version ‘9’