  1. #1
    Untanglit
    Join Date
    Aug 2019
    Posts
    23

    Netflow time corruption issue

    Has anyone experienced a time issue with Netflow (v9) collection despite NTP working properly and all syslogs having the correct date/time? Most of my Netflow data is corrupted due to the data being sent by the Untangle device having inaccurate dates all over the place.

    When the issue occurs, it does so gradually, meaning that not all existing flows are affected at the same time; rather, only new flows are affected, which has the effect of the time corruption gradually infecting the Netflow data. I state this because I believe it is a clue as to what the root cause is.

    To help illustrate the issue, I have included 2 flow records in RAW format below. These records were received consecutively and while both records involve the same two hosts, they are from different flows. The first record is for an existing flow and has the correct date of Aug 19, 2021 whereas the second record, the first for that specific flow, has a corrupted date of April 2010 - about 11.35 years in the past.

    In addition, this same Netflow server has 6 collectors grabbing data from several devices from different vendors and they all report properly so this is definitely an Untangle root cause issue...

    Code:
    Flow Record: 
      Flags        =              0x06 FLOW, Unsampled
      export sysid =                 1
      size         =                64
      first        =        1629410162 [2021-08-19 14:56:02]
      last         =        1629410162 [2021-08-19 14:56:02]
      msec_first   =               823
      msec_last    =               825
      src addr     =      192.168.5.74
      dst addr     =          10.1.1.3
      src port     =             61359
      dst port     =              443
      fwd status   =                 0
      tcp flags    =              0x1a .AP.S.
      proto        =                 6 TCP  
      (src)tos     =                 0
      (in)packets  =                 3
      (in)bytes    =               685
      input        =                 0
      output       =                 0
    
    
    Flow Record: 
      Flags        =              0x06 FLOW, Unsampled
      export sysid =                 1
      size         =                64
      first        =        1271310199 [2010-04-14 22:43:19]
      last         =        1271310199 [2010-04-14 22:43:19]
      msec_first   =               419
      msec_last    =               432
      src addr     =          10.1.1.3
      dst addr     =      192.168.5.74
      src port     =              443
      dst port     =             50591
      fwd status   =                 0
      tcp flags    =              0x1b .AP.SF
      proto        =                 6 TCP  
      (src)tos     =                 0
      (in)packets  =                 8
      (in)bytes    =              6506
      input        =                 0
      output       =                 0
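
    One way to catch this on the collector side (an added example, not code from the post or from Untangle): parse the raw records above and flag any whose `first` timestamp is far from the time the collector received them. The trimmed record text and the receive time (taken as one second after the first record's `first` value) are constructed for the example; a real collector would use its own clock.

```python
import re

# Two nfdump-style raw records, trimmed from the post above to the fields the
# time check needs (constructed sample input for this example).
RAW_RECORDS = """\
Flow Record:
  first        =        1629410162 [2021-08-19 14:56:02]
  last         =        1629410162 [2021-08-19 14:56:02]
  src addr     =      192.168.5.74
  dst addr     =          10.1.1.3

Flow Record:
  first        =        1271310199 [2010-04-14 22:43:19]
  last         =        1271310199 [2010-04-14 22:43:19]
  src addr     =          10.1.1.3
  dst addr     =      192.168.5.74
"""

# "key = value [optional bracketed text]"; only the first token of the value is kept.
FIELD_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>\S+)")

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def parse_records(text):
    """Split nfdump raw output into one dict per 'Flow Record:' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Flow Record"):
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group("key")] = m.group("value")
    return records


def find_time_skew(records, received_at, tolerance_s=3600):
    """Return (index, skew_seconds) for each record whose 'first' timestamp is
    more than tolerance_s away from received_at (collector receive time, epoch)."""
    flagged = []
    for i, rec in enumerate(records):
        skew = received_at - int(rec["first"])
        if abs(skew) > tolerance_s:
            flagged.append((i, skew))
    return flagged


if __name__ == "__main__":
    # Assumed receive time: one second after the sane record's 'first' value.
    for idx, skew in find_time_skew(parse_records(RAW_RECORDS), received_at=1629410163):
        print(f"record {idx}: 'first' is {skew / SECONDS_PER_YEAR:.2f} years behind receipt")
```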

  2. #2
    Untanglit
    Join Date
    Aug 2019
    Posts
    23


    Bump...Is nobody else using Netflow or if you are, then are you not seeing this issue? This is a show-stopper from my perspective...can't use the box if I can't get stats from it...

  3. #3
    Untangler
    Join Date
    May 2008
    Posts
    398


    Open a ticket by hitting the "?Help" button to the lower right of this page.

  4. #4
    Untanglit
    Join Date
    Aug 2019
    Posts
    23


    Thx @donhwyo - given my past interactions with UT support, they require admin access to the device which is not an option. We don't allow any vendor to have admin access to our devices or to troubleshoot in our production network. Typically, vendors should mock this up in their own lab...especially with a feature that is one where you turn it on and it should just work...

  5. #5
    Untangler
    Join Date
    May 2008
    Posts
    398


    Seems either nobody else uses netflow or it just works for them. Seems there should be a way for support to look at it without violating your security policies. Seems like a shortfall on both sides.
    Good luck

  6. #6
    Untanglit
    Join Date
    Aug 2019
    Posts
    23


    Quote Originally Posted by donhwyo:
    Seems either nobody else uses netflow
    I think that is likely the case for the UT user community which is unfortunate given how valuable the data can be. Back to Sophos it is…
