Netflow on Cisco 5508 Wireless Controler

I have the same issue on a WLC 2504. Please check my topic and try the proposal of Arne Seifert[Paessler Support].

Tell me if that work for you.

https://kb.paessler.com/en/topic/66770-sensor-netflow-is-ok-but-don-t-work

Dear jhallam

Are you using a standard Netflow sensor, or the Netflow Custom sensor? The standard version comes with pre-defined channels, while the Custom sensor needs to have a channel definition entered.

Thanks you for the replies.

Leomonnin, I will check out your link and see if it can solve my issue.

Arne, I am using the standard Netflow v9 sensor.

leomonnin, I reviewed your thread. Did any of the suggestions fix your issue? I have tried everything listed except shortening the active timeouts on the WCL and the sensor. I will look at doing this.

Mine also shows that I have no lost packets.

I have attempted the adjustments leomonnin suggested in his related thread with no luck. I contacted the Cisco Support Forum about changing the active timeout on my Cisco 5508 controller since I could not find the option via the GUI or CLI. I was told that this perimeter was not able to be adjusted in my Wireless controller. I found this odd.

I also found a couple of articles that said the Netflow v9 that the controller sends out was only decodable by Cisco Prime and one other product (Scrutinizer I believe). However, the articles were a couple of years old so I was hoping PRTG had resolved this issue. Any updates?

Any other suggestions?

Dear jhallam

Please contact [email protected]. Please include the error description and a streamlog.

To create that streamlog, please go to the sensor settings and set "Log Stream Data to Disk (for Debugging)" to "All stream data". The output file is usually written to "C:\ProgramData\Paessler\PRTG Network Monitor\StreamLog". Please compress the file using Zip (please no obscure compression algorithm) to attach the compressed file to your email. The compressed Zip file should be below 10 MB in size.

Arne Seifert, Thank you. I have a ticket open with support and have sent in the stream data, along with my Wireshark capture and screenshots. Hoping for a fix.

Dear jhallam

If you got no email reply by now, I did not get your email, in that case please send it again. Please note that [email protected] allows only up to 10 MB of file attachments.

The compressed folder with all the scans (WireShark, Netflow v9 Tester and log of data from sensor) is 4MB. I sent it as an attachment reply to my case email which is Case PAE616062.

I can send it again if needed, but I didn't want 2 open tickets for 1 issue. Please advise.

Jeremy

Dear Jeremy

It looks like you got already contacted by my colleagues.

I received word back regarding this issue. It was as follows: "Hi Jeremy,

I just analyzed the pcap file as well as the screenshot you forwarded and it appears that the device does not send any NetFlow templates. This is the reason why the flow packets cannot be decrypted and why the sensor classifies all traffic as "other". Please have a look at the attached screenshot of the capture.

The templates are mandatory at this point, so this setting needs to be changed in the flow sending device so that PRTG is able to decode them.

With kind regards / Mit freundlichen Gruessen"

I responded by asking what it would take to make a custom sensor that can decode these Netflow packets. It has been accomplished by other Netflow Analyzer product, so I would like to see Paessler do this as well.

I will post the response I get.

Jeremy

I received a reply from Paessler. Please see below:

"Dear Jeremy,

I'm afraid that PRTG will not be able to decode the flows without the templates, this cannot be solved by a custom sensor. I'd recommend to get in contact with the manufacturer of the device and request why there are no templates sent.

Working with MIB files will allow you to request information via SNMP. Getting values out of a MIB file can be time consuming and tricky. To ease this process you can use our MIB Importer ("https://www.paessler.com/tools/mibimporter"). You can convert the manufacturer's MIB-files to OIDlibs, which can be imported in PRTG. Furthermore you can use the MIB Importer to browse for values of your interest. After creating the OIDlib you can add an "SNMP Library Sensor" ("https://www.paessler.com/manuals/prtg/snmp_library_sensor") and choose the sensors you want to create.

For more detailed information and a step by step guide which includes screenshots, please have a look here: https://kb.paessler.com/en/topic/65638 Please note that those results will not be as detailed as the flow information, so getting in contact with Cisco might be the better way at this point.

With kind regards / Mit freundlichen Gruessen"

I will be contacting Cisco to see if a template is available.

Jeremy

Dear Jeremy

PRTG can only decode flows it has templates for. If the device uses templates the sensor can't decode (this is the case for rather special appliances) PRTG won't show anything.

Dear Jeremy

Thank you for publicizing this information.

Hi there,

If you're looking to monitor a WLC, please have a look here as we have a custom device template for it now:

• How can I monitor a Cisco WLC deployment with PRTG?

Best Regards,
Luciano Lingnau [Paessler Support]