BugZero | Cisco BugID CSCvx15864 - ETA+AVC: After active timer expiry, multiple FNF e...

Loading...

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

©2025 BugZero. All Rights Reserved.

Privacy Policy Terms of Service

BugZero | Cisco BugID CSCvx15864 - ETA+AVC: After active timer expiry, multiple FNF e...

ODD
Cisco
CSCvx15864

Cisco - Defect ID: CSCvx15864

ETA+AVC: After active timer expiry, multiple FNF exports sent for same flow

ODD
Cisco
CSCvx15864

Cisco - Defect ID: CSCvx15864

ETA+AVC: After active timer expiry, multiple FNF exports sent for same flow

Last updated on April 21st, 2024

BugZero Risk Score
7.9 High

Overall: 7.9

Severity: 8.2

Lifecycle: 9.1

Popularity: 6.0

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Bug Details

Views: 1

Description

Symptom

When ETA and AVC are configured together, multiple FNF exports are happening for the same flow after active timer expiry.

Conditions

1. Catalyst 9k 2. ETA + AVC is configured. 3. Running affected IOS-XE

Workaround

To fix the issue, we provided a logic which exports the fnf records only during active timeouts. Since, the flow is already present in the hardware table, while exporting the flow records, we are exporting the delta counters of packet and byte counters between active timeouts and we are updating the first seen time stamp of the flow to the last expired active timeout.

Further Problem Description

This issue is because of AVC not deleting the flows from Hardware flow table once active timer expiry happens. Whenever active timer expiry is happening for a flow, We should ideally be deleting the flow from hardware flow table. But, AVC and ETA together works in such a way that, flow gets deleted only when both the features want to delete the flow. Because of this limitation, same flow is always getting hit by active timeout incase of long lived flows. As that flow is still present in the hardware table, which is resulting in the continuous fnf flow exports.

Change history

2024-04-21 Added: 17.3.3

Relevant Products

Click on a version to see all relevant bugs

Affected versions:17.3.3

Fixed versions: 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.2, 17.12.2a, 17.12.3, 17.13.1, 17.13.1a, 17.14.1, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.3.7, 17.3.8, 17.3.8a, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.6.5a, 17.6.6, 17.6.6a, 17.6.7, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.1y1, 17.9.2, 17.9.2a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, 17.9.5a, 17.9.5b, Amsterdam-17.3.4, Bengaluru-17.6.1

Relevant Products

Click on a version to see all relevant bugs

Affected versions:17.3.3

Fixed versions: 17.10.1, 17.10.1a, 17.10.1b, 17.11.1, 17.11.1a, 17.12.02a, 17.12.1, 17.12.1a, 17.12.1w, 17.12.1x, 17.12.2, 17.12.2a, 17.12.3, 17.13.1, 17.13.1a, 17.14.1, 17.3.4, 17.3.4a, 17.3.4b, 17.3.4c, 17.3.5, 17.3.5a, 17.3.5b, 17.3.6, 17.3.7, 17.3.8, 17.3.8a, 17.6.1, 17.6.1a, 17.6.1w, 17.6.1x, 17.6.1y, 17.6.1z, 17.6.1z1, 17.6.2, 17.6.3, 17.6.3a, 17.6.4, 17.6.5, 17.6.5a, 17.6.6, 17.6.6a, 17.6.7, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.8.1, 17.8.1a, 17.9.1, 17.9.1a, 17.9.1w, 17.9.1x, 17.9.1x1, 17.9.1y, 17.9.1y1, 17.9.2, 17.9.2a, 17.9.3, 17.9.3a, 17.9.4, 17.9.4a, 17.9.5, 17.9.5a, 17.9.5b, Amsterdam-17.3.4, Bengaluru-17.6.1

Top Cisco Defects

9.7Defect ID: CSCwa70008
Expired certs cause Security Intelligence updates to fail
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability
9.7Defect ID: CSCun66310
Nexus 5596: System fails to boot after a power cycle
9.7Defect ID: CSCvq12070
Not able to establish more than 2 simultaneous ASDM sessions
9.7Defect ID: CSCvp36425
Cisco ASA & FTD Software Cryptographic TLS and SSL Driver Denial of Service Vulnerability

Ready to prevent the next vendor outage?

Links

Original Vendor Announcement

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise