Launching soon: The world's first vendor agnostic bug scrubLearn more & join waitlist
OPERATIONAL DEFECT DATABASE
...
...
Every template timeout interval (30 mins by default, configurable) we're sending the template IDs to the collector (1 for each record configured). Collector is supposed to cache this information to be able to understand later how to parse the data FlowSet packet. For that purpose the data FlowSet packet carries the FlowSet ID, which must be equal to the ID of one of the previously sent templates. The issue here is that the FlowSet ID in the data flowset packets is not equal to any template ID that was sent before, which makes some collectors unable to parse the packet (making the NetFlow data unusable for them). This makes the collector (just as can be seen with Wireshark) fail to recognize the flow data. For example: 1. Every 5 minutes (as per config) we're advertising two templates for each LC (customer has two records configured) in the Template flowset: Cisco NetFlow/IPFIX Version: 9 Count: 2 SysUptime: 3997843.264000000 seconds Timestamp: Jan 30, 2018 11:03:32.000000000 CET FlowSequence: 1856 SourceId: 5 FlowSet 1 [id=0] (Data Template): 257,258 FlowSet Id: Data Template (V9) (0) FlowSet Length: 116 Template (Id = 257, Count = 13) Template Id: 257 Field Count: 13 Field (1/13): IP_SRC_ADDR Field (2/13): IP_DST_ADDR Field (3/13): PROTOCOL Field (4/13): IP_TOS Field (5/13): L4_SRC_PORT Field (6/13): L4_DST_PORT Field (7/13): INPUT_SNMP Field (8/13): OUTPUT_SNMP Field (9/13): DIRECTION Field (10/13): TCP_FLAGS Field (11/13): BYTES Field (12/13): PKTS Field (13/13): IP_PROTOCOL_VERSION Template (Id = 258, Count = 13) 2. However, when we start to send actual data flowsets, we send them with FlowSet ID = 256 (and not 257 or 258 as we would expect): Cisco NetFlow/IPFIX Version: 9 Count: 49 SysUptime: 2352504.784000000 seconds Timestamp: Jan 30, 2018 11:03:43.000000000 CET FlowSequence: 415402 SourceId: 257 FlowSet 1 [id=256] FlowSet Id: (Data) (256) FlowSet Length: 1428 Data (1424 bytes), no template found [Expert Info (Warning/Malformed): Data (1424 bytes), no template found] [Data (1424 bytes), no template found] [Severity level: Warning] [Group: Malformed] This is true for most, but not all Data Flowset packets, i.e. some of them contain correct FlowSet ID. Packets from certain LCs (i.e. certain Source IDs) will have correct FlowSet ID, however packets from other LCs may have incorrect FlowSet ID.
- NetFlow v9 is configured - NX-OS 6.2(12) - N7K with F3 LCs
Use NetFlow v5 which doesn't depend on the templates (v5 has fixed packet format).