[j-nsp] Juniper Netflow

Colin House colin at restecp.com
Thu Sep 3 16:54:55 EDT 2009 

Servet wrote:
> 
> Hi Guys
> 
> i have a problem with juniper netflow traffic values, i think there is no problem about the config and flow-analyser. If i use a cisco device, the results of snmp polls and results of the flow-analyser are similar 
> But in juniper; i get 180 mbit/s traffic value with SNMP requests from my juniper MX-960 router, but netflow says me it is 120mbit. Also my sampling rate is 1.
> You can see config below, do you have any idea?  why i can't get similar results from snmp and netflow
> Kind regards
> 
>   
> 
> sampling {
>     input {
>         family inet {
>             rate 1;
>             run-length 1;
>             max-packets-per-second 65535;
>         }
>     }
>     output {
>         cflowd x.x.x.x {
>             port 9996;
>             version 5;
>             autonomous-system-type origin;
>         }
>         flow-inactive-timeout 600;
>         flow-active-timeout 60;
>         interface sp-4/1/0 {
>             source-address y.y.y.y;
>         }
>     }
> }
> _______________________________________________


We recently had an interesting issue which sounds similar to yours after
upgrading a M20 to a MX960.  Our sampling configuration remained the
same across the upgrade but with the new device we started seeing
discrepancies between netflow & snmp counters.

Long story short, running a snoop on the collector showed all traffic
was being received but flow-capture was still complaining about missing
flows. Are you running flow-tools? if so, have you checked the log for
errors? We were seeing errors like this: flow-capture[8266]: [ID 895957
local6.info] ftpdu_seq_check(): src_ip=w.x.y.z dst_ip=a.b.c.d
d_version=5 expecting=23389991 received=23390021 lost=30

We found that the netflow traffic coming out of the router was quite
bursty and the top of the burst corresponded with lost flows in the
logs.  Our current workaround is to use a dedicated interface for the
netflow traffic and apply a shaping rate to said interface.  We found
that approx 3m was enough to get all the traffic through and we still
aren't losing flows at 10m. Obviously not a permanent solution but it
should work long enough to let us figure out what's going wrong with the
collector.

Hope this helps,
Col

More information about the juniper-nsp mailing list