Hello Paolo, Thank You for answer - I'm using version 1.5.0 but I checked it with version from cvs too and the problem was exactly the same. I've done different test - replicate traffic received from junipers to loopback and from there I used flow-tools to send traffic to nfacctd - the results were the same. It seems that nfacctd where traffic is received is making some problems. In another step I split configuration: in my original nfacctd file I left all other data sources - this is my config:
daemonize: true debug: false pidfile: /var/run/nfacctd.pid syslog: daemon ! aggregate: tag, src_as, dst_as, peer_src_as, peer_dst_as, peer_src_ip, peer_dst_ip, in_iface, out_iface nfprobe_version: 10 nfacctd_ip: x.x.x.x nfacctd_port: 2077 nfacctd_time_new: true nfacctd_as_new: fallback nfacctd_net: fallback nfacctd_disable_checks: true nfacctd_renormalize: true pre_tag_map: /etc/pmacct/pretag.map sampling_map: /etc/pmacct/sampling.map plugins: mysql[DATA1], mysql[DATA2], mysql[DATA3], mysql[DATA4], mysql[DATA5] plugin_pipe_size: 4096000 plugin_buffer_size: 4096 pre_tag_filter[DATA1]: 701 pre_tag_filter[DATA2]: 501 pre_tag_filter[DATA3]: 301 pre_tag_filter[DATA4]: 711 pre_tag_filter[DATA5]: 901 bgp_daemon: true bgp_daemon_ip: x.x.x.x bgp_daemon_max_peers: 10 bgp_peer_src_as_type: bgp bgp_src_as_path_type: bgp sql_optimize_clauses: true sql_dont_try_update: true sql_multi_values: 1024000 sql_db: pmacctdb sql_host: localhost sql_passwd: very_secure_password sql_table_version: 7 sql_table_type: bgp sql_cache_entries: 256000 sql_history_roundoff[DATA1]: m sql_history[DATA1]: 1m sql_refresh_time[DATA1]: 60 sql_table[DATA1]: acct_bgp_DATA1_IN_%Y%m%d_%H sql_table_schema[DATA1]: /etc/pmacct/schema/acct_bgp_data1.schema for DATAx sql settings are exactly the same only table and schema file is different - and one of the flows which is replicated I configured in second config file: daemonize: true debug: true pidfile: /var/run/nfacctd_2.pid syslog: daemon ! aggregate: tag, src_as, dst_as, peer_src_as, peer_dst_as, peer_src_ip, peer_dst_ip, in_iface, out_iface nfprobe_version: 5 nfacctd_ip: y.y.y.y nfacctd_port: 2088 nfacctd_time_new: true nfacctd_as_new: fallback nfacctd_net: fallback nfacctd_disable_checks: true nfacctd_renormalize: true pre_tag_map: /etc/pmacct/pretag.map sampling_map: /etc/pmacct/sampling.map plugins: mysql[DATA10] plugin_pipe_size: 4096000 plugin_buffer_size: 4096 pre_tag_filter[DATA10]: 801 bgp_daemon: true bgp_daemon_ip: y.y.y.y bgp_daemon_max_peers: 10 bgp_peer_src_as_type: bgp bgp_src_as_path_type: bgp sql_optimize_clauses: true sql_dont_try_update: true sql_multi_values: 1024000 sql_db: pmacctdb sql_host: localhost sql_passwd: very_strong_password sql_table_version: 7 sql_table_type: bgp sql_cache_entries: 256000 sql_history_roundoff[DATA10]: m sql_history[DATA10]: 1m sql_refresh_time[DATA10]: 60 sql_table[DATA10]: acct_bgp_DATA10_IN_%Y%m%d_%H sql_table_schema[DATA10]: /etc/pmacct/schema/acct_bgp_data10.schema it's almost exactly the same - the difference is only in nfprobe_version and IP addresses of course - hard to say but maybe there is some problem with nfprobe version but in first config I have configured nfprobe_version: 10 and receive flows from version 5 and data is counted correctly After I split configuration in two files everything is working fine Before split I even checed data in sql - made simple sql query to count bytes from table and there was a difference - when two flows was send to nfacctd sum of bytes was lower then there was send only one flow In this case I can say there is no problem with flows replication - currently tee is working fine - nfacctd is suspect ;) but logs are clear, no error, no packet drops on interface, small load on machine - any ideas how to find the issue ? Best regards Adam Bogdan 2015-05-13 18:26 GMT+02:00 Paolo Lucente <[email protected]>: > Hi Adam, > > Reading about your problem, i'm at a loss too. Can you please further > refine the issue by looking, say with tcpdump, what gets replicated? > Maybe we discover one of the two plugins stops teeing alltogether? What > pmacct version are you using? > > Cheers, > Paolo > > On Thu, May 07, 2015 at 04:49:48PM +0200, Adam Bogdan wrote: > > Hi, > > > > I have some odd problem > > This is what I have - Juniper router with logical-systems - I have some > > routes (BGP sessions) in primary routing table (non LS) and different > > routing table in one logical-system. > > I set up a BGP sessions from pmacct to both "routers" (non-LS and LS). > > Juniper export all flows with IP address from non-LS - because I need to > > resolve flows based on BGP in LS I'm doing this like this: > > flows are send to IP e.g. a.a.a.a on port 3000 from there I replicate > flows > > to 127.0.0.1 to ports 5000 and 6000 > > Then I run two tee plugins with this configuration: > > nfacctd_port: 7000 > > nfacctd_ip: 127.0.0.1 > > > > plugins: tee[lo5] > > > > tee_receiver[lo5]: b.b.b.b:2001 > > tee_source_ip[lo5]: c.c.c.c > > tee_transparent[lo5]: false > > > > and second config: > > nfacctd_port: 6000 > > nfacctd_ip: 127.0.0.1 > > > > plugins: tee[lo6] > > > > tee_receiver[lo6]: b.b.b.b:2001 > > tee_transparent[lo6]: true > > > > Small explanation for above - flows from Juniper are replicated to ports > > above (5000 and 6000) and from them I send them to pmacct (b.b.b.b) - for > > lo5 I change IP address for IP from LS (c.c.c.c) and for lo6 I leave it > > unchanged (IP from non-LS) > > now on pmacct machine I get two exactly the same flows but visible as > sent > > from two machines (to this point everything looks fine, I even checked > > packets send from Juniper to tee and then sent to pmacct (iptables > > counters) and it looks fine) > > > > The problem - when I enable only tee[lo5] I get proper traffic value on > > pmacct but when I enable tee[lo6] then traffic which I get in graphite > > instantly drop > > Here You can see how it looks like: http://postimg.org/image/zb9u1ywaj/ > > To 21:00 I get some traffic (enabled tee[lo5] and tee[lo6]) after 21:00 I > > disabled tee[lo6] and traffic instantly increased to the proper value - > > after 22:00 enabled tee[lo6] again > > > > The problem is exactly the same if I enable/disable tee[lo5] - then on > > tee[lo6] traffic value increase or deacrease > > > > I'm sitting on this second days and no idea where to search - nfacctd > > config file on pmacct machine should be ok - beacause it's working for > > others flows which I get from other routers > > > > This is screen from today: http://postimg.org/image/6qgd4sztj/ - after > > 16:00 I enabled one of tee > > In pmacct logs there are no errors - I even enabled debug for one of > > plugins: > > May 07 16:43:01 DEBUG ( DATA1/mysql ): 975 VALUES statements sent to the > > MySQL server. > > May 07 16:43:01 INFO ( DATA1/mysql ): *** Purging cache - END (PID: 2502, > > QN: 975/975, ET: 0) *** > > Only when I get data from sql - there is a big difference between 15:54 > and > > 16:08 > > > > Anyone have any idea where to search ? > > > > Best regards > > Adam Bogdan > > > _______________________________________________ > > pmacct-discussion mailing list > > http://www.pmacct.net/#mailinglists > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists >
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
