NA No Data Found

chendrickson · Post by **chendrickson** » Tue Feb 09, 2016 4:51 pm

I know this is a hot topic, and there are plenty of posts on it, but I have tried everything from those other posts and am still getting "No Data Found" for Destination and Source IP's. I am collecting data from Forinet (Fortigate) Firewalls. The data is hitting the NA server, and I have a ton of nfcapd files. I have had the system up and monitoring for a few days now collecting data. I have deleted and added back the sources several times. Updated/Upgraded nfdump, even though I already had the correct version. Times are all correct on NA server and Fortigate's.

However, the time from the nfdump is incorrect. It is showing as about 8 days ahead. I have attached a few screen shots, one from our fortigate and one from NA server showing current date and time, along with the time stamp from last nfdump I was conducting. Time is a few minutes different due to me typing the commands and getting distracted, they are both the same.

Any help is appreciated. I am not sure where it would be picking this date and time up from.

Thanks

bwallace · Post by **bwallace** » Wed Feb 10, 2016 12:26 pm

What model/version are your Fortinets?

This thread @ Fortinet talks about the same behavior, but suggests the problem may lie with particular Fortinet models /versions:

https://forum.fortinet.com/tm.aspx?m=127604

This may be overkill, but perhaps it would be helpful to run a set simultaneous captures on the Nagios server & the Fortinet while these flows are sent, and compare the two. I'd be happy to take a look so PM me to transfer the 'caps - please don't post them here.

chendrickson · Post by **chendrickson** » Wed Feb 10, 2016 2:46 pm

We are currently running 80C, 90D, and 200B devices. Our firmware is ranging from FortiOS 4.0 to FortiOS 5.2.6. Netflow was not supported until FortiOS 5.2.x, so I know anything running below that version is a no go. Just a note, I have inherited this environment from a managed service provider, I have to play with the cards I am dealt. With ones I am monitoring, I have a FortiOS 5.2.1, FortiOS 5.2.3, FortiOS 5.2.5, FortiOS 5.2.6. They are all doing the same things with the date, not all the same date, some may be 5 days and others upwards of 10 days.

As for the captures, you just looking for some wireshark captures? Forgive my ignorance, I am new to the forums.

bwallace · Post by **bwallace** » Wed Feb 10, 2016 5:51 pm

Thanks for clarifying and no worries about forum etiquette or whatever (so long as you don't swear

)

Lets hold off on the captures for now and do some rudimentary checks real quick. In the NNA UI, when on the Summary tab for a particular source (main page --Sources > select a source name) are you seeing the tables on the bottom of the page but no Bandwidth graph? --provide a screenshot if possible --

Also, could you post the output of (run on the NNA server) 'ps -ef'

chendrickson · Post by **chendrickson** » Thu Feb 11, 2016 2:48 pm

Here is the output from ps -ef, and a screen shot of what I am seeing.

However, I do have one of my devices that just started working yesterday afternoon. It was not displaying any data all day long, but then boom, graph and top 5 started showing up. It was very strange, but it has been working since. The difference between the one that is working and the one that is not, is the firmware version.

Code: Select all

UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  2 11:23 ?        00:00:01 /sbin/init
root         2     0  0 11:23 ?        00:00:00 [kthreadd]
root         3     2  0 11:23 ?        00:00:00 [migration/0]
root         4     2  0 11:23 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 11:23 ?        00:00:00 [migration/0]
root         6     2  0 11:23 ?        00:00:00 [watchdog/0]
root         7     2  0 11:23 ?        00:00:00 [events/0]
root         8     2  0 11:23 ?        00:00:00 [cgroup]
root         9     2  0 11:23 ?        00:00:00 [khelper]
root        10     2  0 11:23 ?        00:00:00 [netns]
root        11     2  0 11:23 ?        00:00:00 [async/mgr]
root        12     2  0 11:23 ?        00:00:00 [pm]
root        13     2  0 11:23 ?        00:00:00 [sync_supers]
root        14     2  0 11:23 ?        00:00:00 [bdi-default]
root        15     2  0 11:23 ?        00:00:00 [kintegrityd/0]
root        16     2  0 11:23 ?        00:00:00 [kblockd/0]
root        17     2  0 11:23 ?        00:00:00 [kacpid]
root        18     2  0 11:23 ?        00:00:00 [kacpi_notify]
root        19     2  0 11:23 ?        00:00:00 [kacpi_hotplug]
root        20     2  0 11:23 ?        00:00:00 [ata/0]
root        21     2  0 11:23 ?        00:00:00 [ata_aux]
root        22     2  0 11:23 ?        00:00:00 [ksuspend_usbd]
root        23     2  0 11:23 ?        00:00:00 [khubd]
root        24     2  0 11:23 ?        00:00:00 [kseriod]
root        25     2  0 11:23 ?        00:00:00 [md/0]
root        26     2  0 11:23 ?        00:00:00 [md_misc/0]
root        27     2  0 11:23 ?        00:00:00 [khungtaskd]
root        28     2  0 11:23 ?        00:00:00 [kswapd0]
root        29     2  0 11:23 ?        00:00:00 [ksmd]
root        30     2  0 11:23 ?        00:00:00 [khugepaged]
root        31     2  0 11:23 ?        00:00:00 [aio/0]
root        32     2  0 11:23 ?        00:00:00 [crypto/0]
root        37     2  0 11:23 ?        00:00:00 [kthrotld/0]
root        39     2  0 11:23 ?        00:00:00 [kpsmoused]
root        40     2  0 11:23 ?        00:00:00 [usbhid_resumer]
root       171     2  0 11:23 ?        00:00:00 [hv_vmbus_con/0]
root       172     2  0 11:23 ?        00:00:00 [scsi_eh_0]
root       173     2  0 11:23 ?        00:00:00 [scsi_eh_1]
root       237     2  0 11:23 ?        00:00:00 [jbd2/sda1-8]
root       238     2  0 11:23 ?        00:00:00 [ext4-dio-unwrit]
root       312     1  0 11:23 ?        00:00:00 /sbin/udevd -d
root       576     2  0 11:23 ?        00:00:00 [flush-8:0]
root       579   312  0 11:23 ?        00:00:00 /sbin/udevd -d
root       580   312  0 11:23 ?        00:00:00 /sbin/udevd -d
root       585     2  0 11:23 ?        00:00:00 [kstriped]
root       632     2  0 11:23 ?        00:00:00 [kauditd]
root       795     1  0 11:23 ?        00:00:00 auditd
root       817     1  0 11:23 ?        00:00:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
dbus       832     1  0 11:23 ?        00:00:00 dbus-daemon --system
root       887     1  0 11:23 ?        00:00:00 /usr/sbin/hv_kvp_daemon
root       892     2  0 11:23 ?        00:00:00 [cqueue]
root       902     1  0 11:23 ?        00:00:00 /usr/sbin/hv_vss_daemon
root       918     1  0 11:23 ?        00:00:00 /usr/sbin/sshd
root       955     1  0 11:23 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
mysql     1057   955  0 11:23 ?        00:00:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
root      1094     1  0 11:23 ?        00:00:00 sendmail: accepting connections
smmsp     1103     1  0 11:23 ?        00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root      1115     1  0 11:23 ?        00:00:00 /usr/sbin/httpd
root      1127     1  0 11:23 ?        00:00:00 crond
apache    1134  1115  0 11:23 ?        00:00:00 /usr/sbin/httpd
apache    1135  1115  0 11:23 ?        00:00:00 /usr/sbin/httpd
apache    1136  1115  0 11:23 ?        00:00:00 /usr/sbin/httpd
apache    1137  1115  0 11:23 ?        00:00:00 /usr/sbin/httpd
apache    1138  1115  0 11:23 ?        00:00:00 /usr/sbin/httpd
apache    1139  1115  0 11:23 ?        00:00:00 /usr/sbin/httpd
apache    1140  1115  0 11:23 ?        00:00:00 /usr/sbin/httpd
apache    1141  1115  0 11:23 ?        00:00:00 /usr/sbin/httpd
nna       1152     1  0 11:23 ?        00:00:00 /usr/local/bin/sfcapd -I 3 -l /usr/local/nagiosna/var/FortigatesFlow/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/FortigatesFlow/2055.pid -D -e -w -z
nna       1153  1152  0 11:23 ?        00:00:00 /usr/local/bin/sfcapd -I 3 -l /usr/local/nagiosna/var/FortigatesFlow/flows -p 2055 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/FortigatesFlow/2055.pid -D -e -w -z
nna       1161     1  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 8 -l /usr/local/nagiosna/var/46BowlingGreen_KY_Fortigate/flows -p 9700 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/46BowlingGreen_KY_Fortigate/9700.pid -D -e -w -z
nna       1162  1161  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 8 -l /usr/local/nagiosna/var/46BowlingGreen_KY_Fortigate/flows -p 9700 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/46BowlingGreen_KY_Fortigate/9700.pid -D -e -w -z
nna       1170     1  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 13 -l /usr/local/nagiosna/var/92FranklinIT_TN_Fortigate/flows -p 9702 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/92FranklinIT_TN_Fortigate/9702.pid -D -e -w -z
nna       1171  1170  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 13 -l /usr/local/nagiosna/var/92FranklinIT_TN_Fortigate/flows -p 9702 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/92FranklinIT_TN_Fortigate/9702.pid -D -e -w -z
nna       1179     1  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 16 -l /usr/local/nagiosna/var/50FishersIN/flows -p 27500 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/50FishersIN/27500.pid -D -e -w -z
nna       1180  1179  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 16 -l /usr/local/nagiosna/var/50FishersIN/flows -p 27500 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/50FishersIN/27500.pid -D -e -w -z
nna       1188     1  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 17 -l /usr/local/nagiosna/var/63GallatinCorpTN/flows -p 9701 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/63GallatinCorpTN/9701.pid -D -e -w -z
nna       1189  1188  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 17 -l /usr/local/nagiosna/var/63GallatinCorpTN/flows -p 9701 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/63GallatinCorpTN/9701.pid -D -e -w -z
nna       1196     1  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 18 -l /usr/local/nagiosna/var/85AndersonSC/flows -p 9703 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/85AndersonSC/9703.pid -D -e -w -z
nna       1197  1196  0 11:23 ?        00:00:00 /usr/local/bin/nfcapd -I 18 -l /usr/local/nagiosna/var/85AndersonSC/flows -p 9703 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/85AndersonSC/9703.pid -D -e -w -z
root      1218     1  0 11:23 tty2     00:00:00 /sbin/mingetty /dev/tty2
root      1220     1  0 11:23 tty3     00:00:00 /sbin/mingetty /dev/tty3
root      1222     1  0 11:23 tty4     00:00:00 /sbin/mingetty /dev/tty4
root      1224     1  0 11:23 tty5     00:00:00 /sbin/mingetty /dev/tty5
root      1226     1  0 11:23 tty6     00:00:00 /sbin/mingetty /dev/tty6
root      1228     1  0 11:23 ?        00:00:00 /usr/sbin/console-kit-daemon --no-daemon
root      1395     1  0 11:23 ?        00:00:00 login -- root     
root      1399  1395  0 11:23 tty1     00:00:00 -bash
root      1412  1127  0 11:24 ?        00:00:00 CROND
nna       1413  1412  0 11:24 ?        00:00:00 /bin/sh -c /usr/bin/php -q /var/www/html/nagiosna/www/index.php cmdsubsys > /usr/local/nagiosna/var/cmdsubsys.log 2>&1
nna       1414  1413  1 11:24 ?        00:00:00 /usr/bin/php -q /var/www/html/nagiosna/www/index.php cmdsubsys
root      1416  1399  0 11:24 tty1     00:00:00 ps -ef

bwallace · Post by **bwallace** » Fri Feb 12, 2016 11:46 am

Thanks for the ps -ef output, just wanted to double check what else is running on that machine. I know you mentioned all the firmware versions and models earlier, but what are the firmware versions (& models) on the two specific devices in question here - working vs non-working? I'll need to know this in order to do some investigating.

chendrickson · Post by **chendrickson** » Fri Feb 12, 2016 3:03 pm

Working - Fotigate 90D running FortiOS 5.2.6

Not-Working - Fortigate 80C running FortiOS 5.2.1
Not-Working - Fortigate 200B running FortiOS 5.2.3
Not-Working - Fortigate 200B running FortiOS 5.2.5

If you need something specific from one of the non working ones, let me know which one and we can go with that one. I am still collecting data on all of them at this time.

chendrickson · Post by **chendrickson** » Mon Feb 15, 2016 10:02 am

Interesting find this morning when I arrived at my office. The firewall running the 5.2.6 that was working, is no longer working. It is now showing the improper datetimestamp in the nfdump.

I am baffled by this now. Maybe FortiOS just is not compatible?????

Post by **tgriep** » Mon Feb 15, 2016 5:59 pm

Is there a chance you can login to the Fotigate 90D running FortiOS 5.2.6 and see if you can change the flow version to Version 5 and see if that helps out on the issue?

chendrickson · Post by **chendrickson** » Tue Feb 16, 2016 9:18 am

From all the research I have done, I can not find a way to change the netflow version. According to Fortinet's documentation, Netflow v9 started being supported in FortiOS v5.2.x. Before that Netflow was not supported, it only allowed sflow.

Nagios Support Forum

NA No Data Found

NA No Data Found

Re: NA No Data Found

Re: NA No Data Found

Re: NA No Data Found

Re: NA No Data Found

Re: NA No Data Found

Re: NA No Data Found

Re: NA No Data Found

Re: NA No Data Found

Re: NA No Data Found