robcowart
commented
5 years ago Interesting. I will have to setup a similar environment and test it myself. Thanks for the heads up.
Closed nzurku closed 5 years ago
robcowart
commented
5 years ago Interesting. I will have to setup a similar environment and test it myself. Thanks for the heads up.
This might be unneeded, but had I come across this I would have saved myself probably 3 hours of pulling my hair out.
In our environment, the Elastiflow setup has multiple network interfaces, but our Juniper MX routers (exporting IPFIX packets) are coming in from a subnet out on "the internet" which is a few tiers of routing upstream.
After setting up Logstash to receive on X.X.X.X:5003 where I expected traffic, I was greeted with tcpdump showing me good flow data being received, but silently being dropped by something before it gets to Logstash.
It turns out since this traffic would have taken the default route (out another interface connected to internal management), it would not accept these UDP packets from our transit flow interface. There wouldn't need to be return traffic, but some safety within linux/logstash trips here.
@phixit deserves credit for this lead: https://github.com/logstash-plugins/logstash-codec-netflow/issues/95#issuecomment-336530136
I simply added some routes to get to our Junipers via the flow interface and things sprung to life.
Perhaps documentation should include some warnings on this, it's a very silent failure that makes you question your sanity and skill level. :(