Hello,
I am troubleshooting an issue where I have 3 pf boxes that have (apart from
different flowsrc and flowdst port info) the exact same configuration. I am
only receiving data from one of them. I have created firewall rules for the
netflow traffic to transit the network, and validated the path is
unfiltered using netcat (nc -s <flowsrc ip> -u <flowdst ip> <dst port>)
while running tcpdump to capture the data on the collector. I can see the
nc test as well as the working data arriving on the collector fine. I have
also tcpdumped on the sensor itself, and on the working pflow sensor I can
see the traffic leaving for the collector. On the other 2 I see no traffic
matching a tcpdump filter to the collector. I used the set state-defaults
pflow statement in all 3 pf.conf files and reloaded the files via pfctl -f
/etc/pf.conf. I have also validated that pfctl -sr now shows (pflow)
indicators for rules. Lastly I have ifconfig'd the interfaces up/down.

At this point I am completely uncertain what could possibly be wrong, why I
am not seeing any data being generated, and am nearly at the point where I
suspect it might be rectified by a reboot. Is there something else I can
troubleshoot? I should note that I haven't flushed the ruleset, and wanted
to do that and/or a reboot as a last resort.

Can anyone suggest how to go about identifying the issue?
