Hi all,
We're currently testing NFA in a simple setup.
We have a Linux router configured with two interfaces: eth0 & eth1.
eth0 (ifindex 2) is the external interface providing internet access to a local LAN connected to eth1 (ifindex 11).
eth0 performs SNAT (masquerade) on all outgoing connections coming from eth1 (and DNAT the other way around).
The setup looks like this:
Internet - eth0 - eth1 - local lan
We've played with several netflow/sflow agents: "fprobe", "fprobe-ulog", "softflowd" and "sflsp" (InMon sflow agent).
We had mixed results with traffic directions: either it would show everything in "IN" or everything in "OUT", or it would show both directions switched, meaning "IN" traffic reported as "OUT" and "OUT" reported as "IN". This happened with "fprobe", "softflowd" and "sflsp".
We tried various combinations of interface indexes and filters (as suggested by the fprobe man page) but nothing worked.
All this with "fprobe", "softflowd" and "sflsp".
With "fprobe-ulog" we are able to get traffic directions just right for the external interface "eth0".
However, for the internal interface "eth1" traffic directions are switched ("IN" is out and "OUT" is in).
We've set up this same environment on another server and everything happens exactly the same.
We're running out of ideas with this.
Can someone suggest a configuration for the netflow/sflow agents or provide some insight on what might be happening?
Linux: Debian Sid
NFA Version : 7600
Agents: latest versions of all of them.
Thanks.