Juniper MX5 NetFlow Configuration
Recently, while looking at a router's NetFlow reporting, I came across an issue with the Juniper MX5 router's NetFlow configuration. A customer had two Juniper MX5 routers, both running the same configuration, but one had newer firmware, Junos version 14.2R2.8. We found that both devices were actively exporting flows to the analyzer, but only one of them could be reported on. When we tried running a report in our IPFIX and NetFlow Analyzer we were prompted with the 'Select Template' message, even though we had already received option templates and they were readily available. Juniper's site offers additional details about NetFlow configuration for your Juniper router.
Investigating Further:
When troubleshooting flow data, I start by taking a packet capture to provide additional context about what might be going on. Using a tool like Wireshark, I can collect each packet and perform Deep Packet Inspection (DPI). DPI not only gives me access to the elements being exported to my IPFIX and NetFlow Analyzer, but also shows me the non-key fields that are not exported as flow data. After taking a packet capture and investigating the situation, I found that both devices were exporting flows as well as option templates. The router with the newer firmware, however, was exporting an additional element: flow direction. Normally, exporting direction details won't cause an issue, but the packet capture showed the field being exported as 'Direction: Unknown (255)'. As you can see in the image below, we are exporting the expected fields such as source/destination IP, protocol, inbound interface, source port, destination port and octetDeltaCount. You'll also see another element, 'Direction'. This element is not exported by the other on-site MX5 running the older firmware.
Now that I knew where the issue lay, I was able to go back into our IPFIX and NetFlow Analyzer and look at a Flow View report to verify that the flow direction element was the real problem. Right away I confirmed what we saw in the packet capture. In the image below you'll see the flowDirection element reporting as NIT, or Not In Template:
The Workaround:
Currently the only supported workaround is to enable both ingress and egress flow export, and to report this issue to Juniper and request a permanent fix.
According to the IANA IPFIX Information Elements registry (RFC 7012), the defined values for the flowDirection element are 0x00 (ingress flow) and 0x01 (egress flow). If a value other than 0x00 or 0x01 is exported, we replace it with the default ingress value of 0x00. Requesting this change from Juniper will help ensure they are RFC compliant and that the data in your reporting interface stays valid.
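To show what that normalization looks like on the collector side, here is an added example (not code from the original post or from any vendor's analyzer) that decodes a minimal IPFIX message per RFC 7011 and clamps any flowDirection value outside 0x00/0x01 to 0x00. The template, addresses, ports and counters in `sample_message()` are constructed to mimic the capture described above; the function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address

# IANA IPFIX information element IDs (RFC 7012 registry) used in this example
NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 4: "protocolIdentifier",
         7: "sourceTransportPort", 11: "destinationTransportPort", 10: "ingressInterface",
         1: "octetDeltaCount", 61: "flowDirection"}

def normalize_direction(value):
    """flowDirection is 0x00 (ingress) or 0x01 (egress); any other value becomes 0x00."""
    return value if value in (0, 1) else 0

def parse_ipfix(msg):
    """Decode one IPFIX message (RFC 7011): template set (ID 2) then data sets; returns records as dicts."""
    version, length = struct.unpack_from("!HH", msg, 0)
    assert version == 10, "not an IPFIX message"
    templates, records, off = {}, [], 16          # skip the 16-byte message header
    while off < length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        pos, end = off + 4, off + set_len
        if set_id == 2:                           # template set: template ID, field count, (IE, length) pairs
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, pos)
                templates[tid] = [struct.unpack_from("!HH", msg, pos + 4 + 4 * i) for i in range(count)]
                pos += 4 + 4 * count
        elif set_id in templates:                 # data set described by a template we already have
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            while pos + rec_len <= end:           # leftover bytes shorter than a record are padding
                rec = {}
                for ie, flen in fields:
                    val = int.from_bytes(msg[pos:pos + flen], "big")
                    pos += flen
                    if ie in (8, 12):             # IPv4 address elements
                        val = str(IPv4Address(val))
                    elif ie == 61:                # flowDirection: the MX5 exported 255 here; clamp to ingress
                        val = normalize_direction(val)
                    rec[NAMES.get(ie, f"ie{ie}")] = val
                records.append(rec)
        off = end
    return records

def sample_message():
    """Constructed message mimicking the capture: template 256 with the fields above, one record with flowDirection 255."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (10, 4), (1, 8), (61, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (IPv4Address("10.0.0.5").packed + IPv4Address("192.0.2.9").packed
           + struct.pack("!BHHIQB", 6, 51234, 443, 3, 1500, 255))
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 1, 1) + body
```

Running `parse_ipfix(sample_message())` yields one record whose flowDirection is 0 rather than the 255 on the wire, so a report keyed on direction no longer sees a value outside the template's defined range.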
If you have any questions regarding your Juniper Device configuration, don’t hesitate to reach out to us in tech support.