Cisco Wireless LAN Controller (WLC) does not show data in NFA

Document ID : KB000036429
Last Modified Date : 14/02/2018

Problem:  

The Cisco Wireless LAN Controller is discovered by NFA and the interfaces are shown under Administration-->Enable Interfaces.  But the "Last Flow" column says "Never" and no data is reported in NFA.  

Cause:

The WLC software exports a NetFlow template which does not include all of the necessary fields for monitoring by NFA.  

The fields NFA requires are as follows:

     1 - IN_BYTES or 85 - IN_PERMANENT_BYTES (NFA Only)       
     4 - PROTOCOL 
     7 - L4_SRC_PORT
     8 - IPV4_SRC_ADDR
     10 - INPUT_SNMP
     11 - L4_DST_PORT
     12 - IPV4_DST_ADDR
     14 - OUTPUT_SNMP

A packet capture shows that some fields are identified as "Unknown":

[Image: template.jpg]

The WLC software does not provide a way to modify the template to include the necessary fields. 
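
The required-field check described above can also be run directly against a captured export packet. The following is an added example, not part of the original article and not CA or Cisco code: it parses the template FlowSet of a NetFlow v9 packet (layout per RFC 3954) and lists which of the fields NFA needs are absent. The function names and the two sample templates are constructed for illustration and do not reproduce the WLC's actual template.

```python
import struct

# Field types NFA requires, from the list above (type 1 may be replaced by 85).
REQUIRED = {4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP",
            11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP"}
BYTE_COUNTERS = {1: "IN_BYTES", 85: "IN_PERMANENT_BYTES"}

def parse_templates(packet):
    """Return {template_id: [field_type, ...]} for one NetFlow v9 export packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    templates, off = {}, 20                      # the v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("FlowSet length runs past the packet")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:     # FlowSet ID 0 carries templates
            tid, count = struct.unpack_from("!HH", packet, pos)
            if tid < 256:                        # template IDs start at 256; this is padding
                break
            pos += 4
            if pos + 4 * count > end:
                raise ValueError("template record runs past its FlowSet")
            # Each field is (type, length); only the type matters here.
            templates[tid] = [struct.unpack_from("!H", packet, pos + 4 * i)[0]
                              for i in range(count)]
            pos += 4 * count
        off += fs_len
    return templates

def missing_fields(field_types):
    """List the NFA-required fields that a template does not export."""
    present = set(field_types)
    missing = [f"{t} - {name}" for t, name in REQUIRED.items() if t not in present]
    if present.isdisjoint(BYTE_COUNTERS):
        missing.insert(0, "1 - IN_BYTES or 85 - IN_PERMANENT_BYTES")
    return missing

def build_packet(template_id, field_types):
    """Build a constructed v9 packet holding one template (every length set to 4)."""
    record = struct.pack("!HH", template_id, len(field_types))
    record += b"".join(struct.pack("!HH", t, 4) for t in field_types)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + struct.pack("!HH", 0, 4 + len(record)) + record

if __name__ == "__main__":
    # Constructed templates, not the WLC's real ones; 40000/40001 stand in for unknown types.
    for tid, fields in ((256, [1, 4, 8, 12, 40000, 40001]), (300, [85, 4, 7, 8, 10, 11, 12, 14])):
        parsed = parse_templates(build_packet(tid, fields))
        print(tid, missing_fields(parsed[tid]) or "all required fields present")
```

To use it on real traffic, pass `parse_templates` the UDP payload of an export packet taken from the capture.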

 

Resolution:

Cisco documentation for the 8.2 release of the WLC software states that certain WLC models now support the export of an "enhanced" template which is compatible with v9 NetFlow and third-party collectors. The section in the 8.2 guide on Configuring NetFlow states:

"Currently, the enhanced template is supported on specific models, such as Cisco 5520, Cisco 8510, and Cisco 8540 WLCs."

If you are using one of the models that supports the enhanced template and you upgrade to the 8.2 version of the Cisco software, you should now be able to successfully monitor the device with NFA.

Additional Information: 

Cisco release notes for version 8.2: http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn82.html#pgfId-1401051

TEC597610 - How to determine if a Netflow enabled device is sending the correct fields and data using Wireshark.