Netflow not working

dfrantzen · July 7, 2020, 8:20am

My router isnt collecting any data on any interfaces.

Here is my config:

flow-accounting {
interface eth5
netflow {
engine-id 100
server 10.0.4.60 {
port 9997
}
timeout {
expiry-interval 30
flow-generic 3600
icmp 300
max-active-life 604800
tcp-fin 300
tcp-generic 3600
tcp-rst 120
udp 300
}
version 9
}

tjh · July 7, 2020, 7:52pm

I found when I enabled Netflow I had to wait ~5 minutes before it started to send Netflow information.

I would also put in “disable-imt” which disables the In Memory Table plugin.

What does “show flow-accounting” report?

Finally - what version of Vyos?

dfrantzen · July 8, 2020, 7:14am

Hi i have added disable-im, now i get some error messages:
show flow-accounting interface eth5
Traceback (most recent call last):
File “/usr/libexec/vyos/op_mode/flow_accounting_op.py”, line 214, in
flows_list = _get_flows_list()
File “/usr/libexec/vyos/op_mode/flow_accounting_op.py”, line 98, in _get_flows_list
message=‘Failed to get flows list’)
File “/usr/lib/python3/dist-packages/vyos/util.py”, line 178, in cmd
raise OSError(code, feedback)
PermissionError: [Errno 1] Failed to get flows list
failed to run command: /usr/bin/pmacct -s -O json -T flows -p /tmp/uacctd.pipe
returned: INFO: Connection refused while trying to connect to ‘/tmp/uacctd.pipe’
exit code: 1

version is: VyOS 1.3-rolling-202006021649

Viacheslav · July 9, 2020, 8:37am

@dfrantzen Try the latest rolling.
I can’t reproduce it.

set system flow-accounting interface 'eth0'
set system flow-accounting netflow engine-id '100'
set system flow-accounting netflow server 192.168.122.12 port '9997'
set system flow-accounting netflow timeout expiry-interval '30'
set system flow-accounting netflow timeout flow-generic '3600'
set system flow-accounting netflow timeout icmp '300'
set system flow-accounting netflow timeout max-active-life '604800'
set system flow-accounting netflow timeout tcp-fin '300'
set system flow-accounting netflow timeout tcp-generic '3600'
set system flow-accounting netflow timeout tcp-rst '120'
set system flow-accounting netflow timeout udp '300'
set system flow-accounting netflow version '9'

Flows

vyos@r-roll:~$ show flow-accounting 
IN_IFACE    SRC_MAC            DST_MAC            SRC_IP           DST_IP            SRC_PORT    DST_PORT  PROTOCOL      TOS    PACKETS    FLOWS    BYTES
----------  -----------------  -----------------  ---------------  --------------  ----------  ----------  ----------  -----  ---------  -------  -------
eth0        52:54:00:f5:e8:14  52:54:00:cb:20:20  162.159.200.123  192.168.122.11         123         123  udp             0          5        5      380
eth0        52:54:00:f5:e8:14  52:54:00:cb:20:20  91.236.251.58    192.168.122.11         123         123  udp             0          5        5      380
eth0        52:54:00:f5:e8:14  52:54:00:cb:20:20  8.8.8.8          192.168.122.11           0           0  icmp            0        239        2    20076
eth0        52:54:00:f5:e8:14  52:54:00:cb:20:20  1.1.1.1          192.168.122.11           0           0  icmp            0        274        2    23016
eth0        52:54:00:db:2c:f2  52:54:00:cb:20:20  192.168.122.12   192.168.122.11           0           0  icmp          192          1        1      492
eth0        52:54:00:f5:e8:14  52:54:00:cb:20:20  1.1.1.1          192.168.122.11          53       40948  udp             0          2        1      172
eth0        52:54:00:f5:e8:14  52:54:00:cb:20:20  172.217.20.165   192.168.122.11          80       34266  tcp             0          4        1      770
eth0        52:54:00:f5:e8:14  52:54:00:cb:20:20  192.168.122.1    192.168.122.11       33288          22  tcp            16       1479        1    90324
eth0        52:54:00:f5:e8:14  52:54:00:cb:20:20  1.1.1.1          192.168.122.11          53       42668  udp             0          2        1      172

dfrantzen · July 9, 2020, 8:55am

Hi how do i upgrade/downgrade?

btw is it a problem that the ip is located on a subinterface on eth5?

Viacheslav · July 9, 2020, 9:44am

@dfrantzen

upgrade procedure ref Update VyOS — VyOS 1.4.x (sagitta) documentation

add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso

And reboot the router.
Add subinterfaces. An example eth5.100

set system flow-accounting interface eth5.100

dfrantzen · July 9, 2020, 9:57am

Hi thanks.

Can i downgrade to a stable version just as easy?

so both the interface and the subinterface should be added?

I thought if i added the “real” interface then it would collect data from all subinterfaces aswell.

Viacheslav · July 9, 2020, 10:24am

I find another bug with subinterfaces

vyos@r-roll:~$ show flow-accounting 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/flow_accounting_op.py", line 220, in <module>
    _flows_table_print(tabledata)
  File "/usr/libexec/vyos/op_mode/flow_accounting_op.py", line 159, in _flows_table_print
    table_body.append([flow['iface_in_name'], flow['mac_src'], flow['mac_dst'], flow['ip_src'], flow['ip_dst'], flow['port_src'], flow['port_dst'], flow['ip_proto'], flow['tos'], flow['packets'], flow['flows'], flow['bytes'] ])
KeyError: 'ip_proto'

dfrantzen · July 9, 2020, 10:32am

ye got that one to.

Is that solved in a later release?

Viacheslav · July 9, 2020, 11:08am

Not yet.
I created a bug report. You can track it. ref. ⚓ T2695 Flow-accounting bug with subinterfaces

dfrantzen · July 9, 2020, 12:19pm

Thank you.
’
But do you know if i have to add every subinterface to flow-account or is the physical interface enough and then it collects for all?

Viacheslav · July 9, 2020, 1:09pm

@dfrantzen you need to declare each interface/subinterface what you need.
As a workaround, you can try this.

set system flow-accounting interface 'eth5.+'

This will be clear after the fix.

dfrantzen · July 9, 2020, 4:02pm

Hi,

Thank you.

Will give it a try tomorrow.