sFLOW in community edition problems


dous...@gmail.com

Dec 1, 2021, 10:34:32 AM
to FastNetMon user group
I have been using FastNetMon with NetFlow from MikroTik without any problems for over 2 years now. But when an attack arrives at the MikroTik core router, NetFlow (Traffic Flow) on the MikroTik makes it crash by using excessive CPU cycles.

Thus, we have decided to use sFlow from a Juniper EX4600 switch and turn off NetFlow on the MikroTik router.

Now, this is a mess. Without changing any config on the FastNetMon side, it gives tens of false positives every minute and is driving us crazy. I changed everything on the Juniper side, from polling intervals to sampling rates, but it still gives a lot of false positives.
A few questions:
1- Is the FastNetMon community edition not complete for sFlow?
2- Is there any special config on the FastNetMon side that we are not aware of?
3- Does FastNetMon Advanced give better support for sFlow?

Please help guys.

Juniper Config:
{master:0}[edit protocols sflow]
root# show
polling-interval 10;
sample-rate ingress 2048;
collector 10.1.1.1;
interfaces xe-0/0/0.0;

Fastnetmon Config:
sflow = on
average_calculation_time = 30
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off
threshold_pps = 70000
threshold_mbps = 600
threshold_flows = 3500


threshold_tcp_mbps = 500
threshold_udp_mbps = 490
threshold_icmp_mbps = 10

threshold_tcp_pps = 100000
threshold_udp_pps = 100000
threshold_icmp_pps = 100000

ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off

ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off



Pavel Odintsov

Dec 1, 2021, 10:37:05 AM
to dous...@gmail.com, FastNetMon user group
Hello!

Are you using the latest version of FastNetMon Community? 

I can recommend installing the latest one using the official installer and then trying again: https://fastnetmon.com/install/

Of course, we offer very solid NetFlow, IPFIX and sFlow support in all our products.

--
Follow us on social media: Twitter: https://twitter.com/fastnetmon | Facebook: https://www.facebook.com/fastnetmon/ | LinkedIn: https://www.linkedin.com/company/fastnetmon/
---
You received this message because you are subscribed to the Google Groups "FastNetMon user group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fastnetmon+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/fastnetmon/9b640abf-aa48-4e3d-9a4d-9b32316774dan%40googlegroups.com.


--
Sincerely yours, Pavel Odintsov

dous...@gmail.com

Dec 1, 2021, 10:48:19 AM
to FastNetMon user group
Hello Pavel,
Thanks for your response.
I first tried 1.1.7, upgraded to 1.2.0, and still have the same problems.
We are stuck on what to do next. There is something wrong with either the Juniper or the FastNetMon sFlow.
For 3 hours I have tried nearly all the possible sampling rates and polling intervals.
I have also tried various average_calculation_time values on the FastNetMon side, but there are still a lot of false positives.
I can really use some help here.

Pavel Odintsov

Dec 1, 2021, 10:52:39 AM
to dous...@gmail.com, FastNetMon user group
Hello!

The polling interval is irrelevant; FastNetMon does not use it.

Sampling rate in the range of 1:1024-1:2048 will be a reasonable setup for many cases.

Can you collect a pcap dump of the sFlow data and then share it with our support using the secure form https://support.fastnetmon.com/hc/en-gb/requests/new ?

You can collect the dump this way:
sudo tcpdump -w sflow_data.pcap -n 'udp dst port 6343'

Just keep it running for around 3-5 minutes and then interrupt via CTRL+C.

Thank you! 



Dogus Yalman

Dec 1, 2021, 6:43:51 PM
to Pavel Odintsov, FastNetMon user group
Thanks Pavel.
I have uploaded the requested file.

Pavel Odintsov

Dec 1, 2021, 6:50:38 PM
to Dogus Yalman, FastNetMon user group
Hello!

Thank you!

I was able to decode all data without any issues.

Can you check that rp_filter is set to 0 on your machine and that you have no firewall in place?

You can check it this way:
sudo sysctl -a|grep rp_filter

Dogus Yalman

Dec 2, 2021, 4:33:16 AM
to Pavel Odintsov, FastNetMon user group
Hello Pavel;
Thanks a lot for your time.

root@fastnetmon:/root# sysctl -a|grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.ens160.arp_filter = 0
net.ipv4.conf.ens160.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

The ufw service appears to be running, but ufw status reports it as inactive. No rules are configured.

root@fastnetmon:/root# service ufw status
● ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2020-10-17 07:31:19 EEST; 1 years 1 months ago
       Docs: man:ufw(8)
   Main PID: 628 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 38493)
     Memory: 0B
     CGroup: /system.slice/ufw.service

root@fastnetmon:/root# ufw status verbose
Status: inactive

Pavel Odintsov

Dec 2, 2021, 5:49:18 AM
to Dogus Yalman, FastNetMon user group
Hello!

The best option would be to open SSH access and share it with our support team. Can you do it via https://support.fastnetmon.com/hc/en-gb/requests/new ?

Dogus Yalman

Dec 2, 2021, 6:33:26 AM
to Pavel Odintsov, FastNetMon user group
Hello Pavel;
I have shared the login information.
Thanks again for your time and effort.

José Manuel Giner

Dec 2, 2021, 9:39:31 AM
to fastn...@googlegroups.com
Just disable connection tracking on the MikroTik, and the CPU issue will be fixed.

/ip firewall connection tracking set enabled=no

--
José Manuel Giner
https://ginernet.com

Dogus Yalman

Dec 10, 2021, 7:30:40 AM
to Pavel Odintsov, FastNetMon user group
So let me update this thread so that all FastNetMon users can benefit. I finally got sFlow to work.
The problem was on the Juniper side, where something called adaptive sampling rate was kicking in and increasing the sample rate every 13 seconds until it reached a maximum of 1:20000000, which is a useless sampling rate.
After contacting Juniper support, they couldn't solve the problem either.
Today, after a few tweaks, I made it work.
So here is the solution for Juniper sFlow for FastNetMon users:

1- If you configure an interface to participate in sFlow, be sure that it is an egress port. Do NOT enable it on the ingress side of your upstream interface.
Because the switch doesn't have any control over the ingress packets, it keeps increasing the sampling rate to protect the switch CPU.
So enabling sFlow on the ingress side of the interface directly connected to your upstream provider probably won't work. Since this is a switch, enable it on the other interface (egress), which connects to your router.

2- Be sure that you explicitly configure sFlow at the interface level and check the adaptive sampling rate with "show sflow interface". The ASR is your real sampling rate.

Upstream---x--EX4600--y----Router

Don't enable on ingress x. Enable on egress y.
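Pavel's request above for a pcap of the raw sFlow datagrams on UDP 6343, and Dogus's finding that the EX4600's adaptive sampling had walked the rate up to 1:20000000, both come down to one field in the datagram: every sFlow v5 flow sample carries its own sampling_rate, and a collector multiplies each sampled packet by that value. The decoder below is an added example written for this page; it is not FastNetMon code and does not claim to reproduce how FastNetMon computes its thresholds. It reads far enough into sFlow v5 to pull the sampling rate out of each flow sample (skipping counter samples by their length field), flags samples whose advertised rate is coarser than the configured 1:2048, and shows how three samples at drifted rates alone push a naive pps estimate past the thread's threshold_pps = 70000 over average_calculation_time = 30. The datagrams are constructed inside the block; the agent addresses, ifIndex values and the pps estimate method are assumptions, not values taken from the thread.

```python
"""Decode sFlow v5 datagrams far enough to read the per-sample sampling rate.

A collector scales every sampled packet by the sampling_rate carried in the
flow sample itself, so an agent that silently raises its rate (adaptive
sampling) inflates the collector's traffic estimate with no change on the
collector side. Datagrams here are constructed, not captured from a switch.
"""
import ipaddress
import struct

SFLOW_VERSION = 5
ADDR_IPV4, ADDR_IPV6 = 1, 2
# sample_type = (enterprise << 12) | format; enterprise 0 is the sFlow standard
FLOW_SAMPLE, COUNTER_SAMPLE, EXPANDED_FLOW_SAMPLE = 1, 2, 3


def _u32(buf, off):
    return struct.unpack_from("!I", buf, off)[0]


def parse_sflow_v5(data):
    """Return the flow samples of one datagram as dicts carrying sampling_rate.

    Counter samples and vendor-specific samples are skipped by their length
    field, so an unknown record type never desynchronises the parser.
    """
    off = 0
    version = _u32(data, off); off += 4
    if version != SFLOW_VERSION:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type = _u32(data, off); off += 4
    if addr_type == ADDR_IPV4:
        agent = str(ipaddress.IPv4Address(data[off:off + 4])); off += 4
    elif addr_type == ADDR_IPV6:
        agent = str(ipaddress.IPv6Address(data[off:off + 16])); off += 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    off += 12  # sub-agent id, datagram sequence number, agent uptime (ms)
    num_samples = _u32(data, off); off += 4

    samples = []
    for _ in range(num_samples):
        sample_type, sample_len = struct.unpack_from("!II", data, off); off += 8
        body = data[off:off + sample_len]; off += sample_len
        if len(body) != sample_len:
            raise ValueError("truncated sample")
        enterprise, fmt = sample_type >> 12, sample_type & 0xFFF
        if enterprise != 0:
            continue
        if fmt == FLOW_SAMPLE:
            seq, source_id, rate, pool, drops = struct.unpack_from("!5I", body, 0)
        elif fmt == EXPANDED_FLOW_SAMPLE:
            seq, _sid_type, source_id, rate, pool, drops = struct.unpack_from("!6I", body, 0)
        else:
            continue  # counter samples carry no sampling rate
        samples.append({"agent": agent, "seq": seq, "source_id": source_id,
                        "sampling_rate": rate, "pool": pool, "drops": drops})
    return samples


def estimate_pps(samples, window_seconds):
    """Naive collector view (assumption): each sampled packet stands for sampling_rate packets."""
    return sum(s["sampling_rate"] for s in samples) / window_seconds


def rate_drift(samples, configured_rate):
    """Flow samples whose advertised rate is coarser than the configured 1:N."""
    return [s for s in samples if s["sampling_rate"] > configured_rate]


def build_datagram(flow_rates, agent="10.1.1.2"):
    """Construct a v5 datagram with one record-less flow sample per rate plus one
    empty counter sample. Test input only; agent address and ifIndexes are made up."""
    addr = ipaddress.ip_address(agent)
    addr_type = ADDR_IPV4 if addr.version == 4 else ADDR_IPV6
    samples = []
    for i, rate in enumerate(flow_rates, start=1):
        # seq, source_id (ifIndex 1), sampling_rate, sample_pool, drops,
        # input ifIndex, output ifIndex, number of flow records (0)
        body = struct.pack("!8I", i, 1, rate, rate * i, 0, 1, 2, 0)
        samples.append(struct.pack("!II", FLOW_SAMPLE, len(body)) + body)
    counter = struct.pack("!3I", 1, 1, 0)  # seq, source_id, zero counter records
    samples.append(struct.pack("!II", COUNTER_SAMPLE, len(counter)) + counter)
    header = struct.pack("!II", SFLOW_VERSION, addr_type) + addr.packed
    header += struct.pack("!4I", 0, 1, 123456, len(samples))  # sub-agent, seq, uptime, count
    return header + b"".join(samples)


if __name__ == "__main__":
    CONFIGURED, WINDOW, THRESHOLD_PPS = 2048, 30, 70000  # values from the thread
    steady = parse_sflow_v5(build_datagram([2048, 2048, 2048]))
    drifted = parse_sflow_v5(build_datagram([2048, 65536, 20000000]))
    for name, s in (("steady", steady), ("adaptive", drifted)):
        pps = estimate_pps(s, WINDOW)
        print(f"{name}: {len(s)} flow samples, est. {pps:.1f} pps, over threshold={pps > THRESHOLD_PPS},"
              f" drifted rates={[d['sampling_rate'] for d in rate_drift(s, CONFIGURED)]}")
```

To use this on the sflow_data.pcap collected above, feed each UDP payload to parse_sflow_v5 and sort the flow samples by sampling_rate: if the advertised rate climbs above the value set with sample-rate, the agent's adaptive sampling is active, and no threshold tuning on the collector will make the scaled numbers meaningful.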


Pavel Odintsov

Dec 10, 2021, 7:31:43 AM
to Dogus Yalman, FastNetMon user group
Hello!

Oh, that's pretty bad. Thank you so much for your effort in investigating this.