Hi all,
I installed NNA on a CENTOS 7 server inside a VPC. I created another CENTOS 7 server on the same VPC and installed fprobe to send netflow data to the NNA server.
However I am not getting any graph or traffic information. Is there anything I am missing?
Thanks!
NNA on AWS
-
- Cool Title Here
- Posts: 2188
- Joined: Thu Sep 27, 2012 9:14 am
- Location: Rochester, NY
Re: NNA on AWS
Firewall rule inside your VPC needs to allow traffic on the port(s) you used. Did you set that up?
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
-
- Posts: 6
- Joined: Tue Aug 04, 2015 4:39 pm
Re: NNA on AWS
I have set the Security Group to allow UDP incoming traffic to port 49152 (the port I'm using to send netflow data to my NNA server) and I've set up my source on the NNA to receive from this port. All outbound traffic is permitted.
Are there any other ports I need to open up for NNA for the traffic graphs to show?
-
- Cool Title Here
- Posts: 2188
- Joined: Thu Sep 27, 2012 9:14 am
- Location: Rochester, NY
Re: NNA on AWS
Are you running iptables on the machine itself? If so, turn it off just to check.
-
- Posts: 6
- Joined: Tue Aug 04, 2015 4:39 pm
Re: NNA on AWS
I disabled iptables on the NNA server. So far I still see no change.
-
- Attack Rabbit
- Posts: 2560
- Joined: Thu Feb 12, 2015 12:40 pm
Re: NNA on AWS
Try running the following command on your NNA Server:
Code:
tcpdump -n host x.x.x.x and dst port xxxx
Where x.x.x.x = the IP address of the host you're sending flows from, and xxxx = the port that Nagios Network Analyzer is listening on. Do you see information coming in from your remote host?
-
- Cool Title Here
- Posts: 2188
- Joined: Thu Sep 27, 2012 9:14 am
- Location: Rochester, NY
Re: NNA on AWS
I would also verify that you're sending to your internal VPC addresses, not the external DNS from your test client. Can you SSH from the client to the server? Can you ping the server from the client?
-
- Posts: 6
- Joined: Tue Aug 04, 2015 4:39 pm
Re: NNA on AWS
Here is the sample output from the tcpdump:
Code:
23:45:47.968044 IP 10.0.0.91.27016 > 10.0.0.44.53921: Flags [S.], seq 1293421774, ack 1002362237, win 17898, options [mss 8961,sackOK,TS val 98708333 ecr 606098569,nop,wscale 7], length 0
23:45:47.968378 IP 10.0.0.44.53921 > 10.0.0.91.27016: Flags [.], ack 1, win 141, options [nop,nop,TS val 606098570 ecr 98708333], length 0
23:45:47.968445 IP 10.0.0.44.53921 > 10.0.0.91.27016: Flags [P.], seq 1:59, ack 1, win 141, options [nop,nop,TS val 606098570 ecr 98708333], length 58
23:45:47.968452 IP 10.0.0.91.27016 > 10.0.0.44.53921: Flags [.], ack 59, win 140, options [nop,nop,TS val 98708334 ecr 606098570], length 0
23:45:47.968698 IP 10.0.0.91.27016 > 10.0.0.44.53921: Flags [P.], seq 1:459, ack 59, win 140, options [nop,nop,TS val 98708334 ecr 606098570], length 458
23:45:47.969024 IP 10.0.0.44.53921 > 10.0.0.91.27016: Flags [.], ack 459, win 149, options [nop,nop,TS val 606098570 ecr 98708334], length 0
23:45:47.969182 IP 10.0.0.44.53921 > 10.0.0.91.27016: Flags [P.], seq 59:117, ack 459, win 149, options [nop,nop,TS val 606098570 ecr 98708334], length 58
23:45:47.969260 IP 10.0.0.91.27016 > 10.0.0.44.53921: Flags [P.], seq 459:599, ack 117, win 140, options [nop,nop,TS val 98708335 ecr 606098570], length 140
23:45:47.969607 IP 10.0.0.44.53921 > 10.0.0.91.27016: Flags [P.], seq 117:264, ack 599, win 157, options [nop,nop,TS val 606098571 ecr 98708335], length 147
23:45:47.969748 IP 10.0.0.91.27016 > 10.0.0.44.53921: Flags [P.], seq 599:746, ack 264, win 149, options [nop,nop,TS val 98708335 ecr 606098571], length 147
23:45:47.972034 IP 10.0.0.44.53921 > 10.0.0.91.27016: Flags [F.], seq 264, ack 746, win 166, options [nop,nop,TS val 606098573 ecr 98708335], length 0
23:45:47.972129 IP 10.0.0.91.27016 > 10.0.0.44.53921: Flags [F.], seq 746, ack 265, win 149, options [nop,nop,TS val 98708338 ecr 606098573], length 0
23:45:47.972358 IP 10.0.0.44.53921 > 10.0.0.91.27016: Flags [.], ack 747, win 166, options [nop,nop,TS val 606098574 ecr 98708338], length 0
23:45:47.982375 IP 10.0.0.44 > 10.0.0.91: ICMP echo request, id 8828, seq 0, length 76
23:45:47.982395 IP 10.0.0.91 > 10.0.0.44: ICMP echo reply, id 8828, seq 0, length 76
23:45:47.984241 IP 10.0.0.44 > 10.0.0.91: ICMP echo request, id 8828, seq 1, length 76
23:45:47.984251 IP 10.0.0.91 > 10.0.0.44: ICMP echo reply, id 8828, seq 1, length 76
23:45:47.984855 IP 10.0.0.44 > 10.0.0.91: ICMP echo request, id 8828, seq 2, length 76
23:45:47.984864 IP 10.0.0.91 > 10.0.0.44: ICMP echo reply, id 8828, seq 2, length 76
23:45:47.986855 IP 10.0.0.44 > 10.0.0.91: ICMP echo request, id 8828, seq 3, length 76
23:45:47.986867 IP 10.0.0.91 > 10.0.0.44: ICMP echo reply, id 8828, seq 3, length 76
23:45:47.987271 IP 10.0.0.44 > 10.0.0.91: ICMP echo request, id 8828, seq 4, length 76
23:45:47.987277 IP 10.0.0.91 > 10.0.0.44: ICMP echo reply, id 8828, seq 4, length 76
It looks like my source server (10.0.0.91) isn't sending netflow data to NNA server (10.0.0.44) at port 49152 as I initially requested.
I ran
Code:
fprobe 10.0.0.44:49152
on my source server but it isn't sending correctly I guess. Reason being is that I do not get any prompts after I run this line so I wasn't sure if it successfully went through.
Any other thoughts on why it won't run? Also, not sure why it is using ports 53921 based on the dump...
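Added example, not part of any post in this thread: a small Python check for the question the capture is meant to answer, namely whether any UDP datagram from the exporter reaches the collector on the NetFlow port. It assumes `tcpdump -n` IPv4 text output in which undecoded UDP is printed as `UDP, length N`; the function names and the sample lines (shortened, in the shape of the dump above) are constructed for illustration.

```python
import re
from collections import Counter

# "<time> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>" as printed by `tcpdump -n`
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def classify(line):
    """Return (proto, src, dst, dport) for one tcpdump line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("Flags ["):      # TCP segments carry a Flags field
        proto = "tcp"
    elif rest.startswith("UDP"):        # assumption: undecoded UDP prints "UDP, length N"
        proto = "udp"
    elif rest.startswith("ICMP"):
        proto = "icmp"
    else:
        proto = "other"
    dport = int(m["dport"]) if m["dport"] else None
    return proto, m["src"], m["dst"], dport

def flow_export_report(lines, exporter, collector, port):
    """Count exporter -> collector packets by protocol and UDP hits on the flow port."""
    by_proto, hits = Counter(), 0
    for line in lines:
        rec = classify(line)
        if rec is None or rec[1] != exporter or rec[2] != collector:
            continue                    # unparsable, or not exporter -> collector
        proto, _, _, dport = rec
        by_proto[proto] += 1
        if proto == "udp" and dport == port:
            hits += 1
    return {"export_datagrams": hits, "by_proto": dict(by_proto)}

# Constructed sample: TCP and ICMP only, as in the posted capture.
NO_EXPORT = """\
23:45:47.968452 IP 10.0.0.91.27016 > 10.0.0.44.53921: Flags [.], ack 59, win 140, length 0
23:45:47.969024 IP 10.0.0.44.53921 > 10.0.0.91.27016: Flags [.], ack 459, win 149, length 0
23:45:47.982375 IP 10.0.0.44 > 10.0.0.91: ICMP echo request, id 8828, seq 0, length 76
23:45:47.982395 IP 10.0.0.91 > 10.0.0.44: ICMP echo reply, id 8828, seq 0, length 76
""".splitlines()
# Constructed: the same capture plus one UDP datagram to the collector port.
WITH_EXPORT = NO_EXPORT + ["23:46:01.000000 IP 10.0.0.91.40000 > 10.0.0.44.49152: UDP, length 1464"]

if __name__ == "__main__":
    for name, sample in (("no export", NO_EXPORT), ("with export", WITH_EXPORT)):
        print(name, flow_export_report(sample, "10.0.0.91", "10.0.0.44", 49152))
```

A result of `export_datagrams == 0` alongside non-zero TCP or ICMP counts means the two hosts can reach each other but nothing is arriving on the flow port.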
-
- Cool Title Here
- Posts: 2188
- Joined: Thu Sep 27, 2012 9:14 am
- Location: Rochester, NY
Re: NNA on AWS
Make sure you are sending data about the correct interface. For instance, to send data about eth0, you need to do this:
Code:
fprobe -i eth0 10.0.0.44:49152
-
- Posts: 6
- Joined: Tue Aug 04, 2015 4:39 pm
Re: NNA on AWS
I've tried using
Code:
fprobe -i eth0 10.0.0.44:49152
but I still get the same results. No traffic graph on NNA server and tcpdump doesn't show traffic going to 49152.
It seems that fprobe might not be sending netflow data correctly, or I am missing a collector on my NNA server side (just to be sure, once NNA is installed we don't need any other probes right?). Also just to mention that I have Nagios XI installed on the same NNA server, not sure if this makes a difference.
I will try to use a different netflow probe and see if the problem lies within the fprobe app...