Troubleshooting
Problem
There is Flow data coming in from a Cisco firewall, but it is not seen in the Network Activity tab.
Symptom
No flows are displayed in the Network Activity tab for the affected Flow Source.
Cause
The Cisco device is not sending template packets.
Diagnosing The Problem
From a command line, run the tcpdump filtered command below for at least 10 minutes for the affected flow source
Keep it running for at least 30 minutes. This needs to be run on the appliance collecting flows. If you don't see packets coming in, see the section "Resolving the problem".
tcpdump -i eth0 -nneXXs90 port <port#> and host <ipaddress> and 'ether[62:2] = 0x0000'Keep it running for at least 30 minutes. This needs to be run on the appliance collecting flows. If you don't see packets coming in, see the section "Resolving the problem".
Resolving The Problem
Netflow v9 uses templates to help determine what data is being sent in the packets. The templates come out only at set intervals. Without the template packets, qflow will not understand what it is receiving.
You need to contact your Cisco Administrator and ask them to configure the device to send the template packets.
You need to contact your Cisco Administrator and ask them to configure the device to send the template packets.
[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Network Activity","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
02 February 2021
UID
swg21682507