I am facing a situation at live environment where a number of NetFlow-enabled routers' interfaces are being reported to only seeing incoming or outbound traffic, not both. At the same time most of the interfaces or properly reporting both directions of traffic. See the attached screenshots for examples.
I have double checked with the network team that the NetFlow settings are configured identically for these examples. DCRUM version in use is 12.4.11, NetFlow v5. Any ideas where to check next?
NetFlow v5 is an ingress only flow source, which means that all data is taken form the ingress cache on the source device. So in order to get a complete conversation you need to enable NetFlow on at least two interfaces, i.e. to catch the conversation coming into the device and then coming back into the device on say its WAN interface and then the return conversation when it comes back into the device on the LAN interface. That is of course a very easy example but of you have say a switch or a device with many interfaces, it is not always easy to know/predict which interface are associated with each other and so generally you would enable NetFlow on every interface. Now that of course comes at compute cost to the source device and so isn't always a recommended approach, so one option , if available is to configure/enable the source device ti use NetFlow v9. This differs form v5 in that it is enables both an ingress and egress flow source, meaning you can simply enable it on the relevant/selective interfaces to create these "matched" conversation flows.
If it is not possible to do this and you would like to stay with v5, then first thing is to check you have the corresponding interfaces enabled to create flow sets. If that has been done, then next check is to collect a trace file coming from one of the devices that is exhibiting the issues and we can take a look at the flow sets in the trace to make sure the data is being crated and included in teh output.