Cisco Bug: CSCuw38090 - No flow records sent when collect app http host/url and ssl added to FNF

Last Modified

Jun 27, 2018

Products (1)

  • Cisco 3G Wireless WAN

Known Affected Releases

15.5(2)T

Description (partial)

Symptom:
ISR 881 running 15.5(3)M
Add the following lines into the config to enable the addition of collecting http and ssl information within the standard flow values:

!remove the flow mon from the existing interface so we can modify the flow record
conf t
int vlan 200
no ip flow mon FLOWMON in
no ip flow mon FLOWMON out
no flow mon FLOWMON

conf t
flow record FLOWREC
collect app http host
collect app http url
collect app ssl common

!reapply the flow record and flow mon
conf t
flow mon FLOWMON
rec FLOWREC
exp FLOWEXP
int vlan 200
ip flow mon FLOWMON in
ip flow mon FLOWMON out

Seeing values within the flow cache ('show flow mon FLOWMON cache format csv') but not seeing flow records arrive on the collector, and 'show flow exp FLOWEXP template' does not show the standard flow record in the output.

c881#sho flow mon FLOWMON cache format csv
IPV4 SRC ADDR,IPV4 DST ADDR,TRNS SRC PORT,TRNS DST PORT,INTF INPUT,FLOW DIRN,IP DSCP,IP PROT,APP NAME,ip fwd status,tcp window size,tcp flags,intf output,bytes,pkts,time first,time last,http url,http host,ssl common-name,ip ttl
192.168.1.69,98.136.223.38,63187,80,Vl200,Input,0x00,6,port http,Forward,256,0x18,Fa4,8927,36,22:13:18.654,22:13:59.062,/embed/YW/a5afcb2c3ae27ac079a7f9dde18ffcaf?id=f40564523b23,np.lexity.com,,127
74.121.133.4,192.168.1.69,443,63188,Fa4,Output,0x08,6,layer7 ssl,Forward,35196,0x18,Vl200,5971,20,22:13:19.878,22:13:59.122,,,sofa.bankofamerica.com,243
192.168.1.69,171.161.199.200,63196,443,Vl200,Input,0x00,6,NBAR bofasecssl,Forward,64620,0x19,Fa4,50152,77,22:13:40.926,22:13:56.002,,,,127
192.243.232.8,192.168.1.69,443,63200,Fa4,Output,0x08,6,layer7 ssl,Forward,15544,0x1D,Vl200,4852,9,22:13:49.138,22:14:00.746,,,*.tt.omtrdc.net,53
192.168.1.69,192.168.1.255,138,138,Vl200,Input,0x00,17,layer7 unknown,Consume,0,0x00,Null,233,1,22:13:53.374,22:13:53.374,,,,127


Also not sure if it's related but 'show flow mon FLOWMON internal' shows U against the relevant nonkey fields?! Not sure if this is related to the problem.

c881#sho flow mon FLOWMON internal
Monitor ID: 2919315817
..
Flow Definition:
  Users:        4100
  Master:       FLOWREC
  Template:     fnf_cache_standard
  Key Fields:
    Name: ipv4 source address (offset: 24 )
    Name: ipv4 destination address (offset: 28 )
    Name: transport source-port (offset: 40 )
    Name: transport destination-port (offset: 42 )
    Name: interface input (offset: 32 )
    Name: flow direction (offset: 44 )
    Name: ip dscp (offset: 45 )
    Name: ip protocol (offset: 46 )
    Name: application id (offset: 36 )
  Non Key Fields:
    Name: routing forwarding-status (192 / 0xC0) (offset: 51 )
    Name: transport tcp window-size (offset: 66 )
    Name: transport tcp flags (255 / 0xFF) (offset: 52 )
    Name: interface output (offset: 68 )
    Name: counter bytes (offset: 72 )
    Name: counter packets (offset: 76 )
    Name: timestamp sys-uptime first (offset: 80 )
    Name: timestamp sys-uptime last (offset: 84 )
    Name: application http url (offset: 53 )
    Name: application http host (offset: 57 )
    Name: application ssl common-name (offset: 61 )
    Name: ip ttl (offset: 65 )
  Internal Fields:
    Name: misc reserved (24 / 0x18) (offset: 0  )
Log packet size distribution: OFF
...
Input program for layer 3 in FIRST feature point:
                                  SET_IP_TTL  offset: 65  size: 1   param: 0  
                                 SET_IP_PROT  offset: 46  size: 1   param: 0  
                                 SET_IP_DSCP  offset: 45  size: 1   param: 0  
                           SET_IPV4_DST_ADDR  offset: 28  size: 4   param: 0  
                           SET_IPV4_SRC_ADDR  offset: 24  size: 4   param: 0  
                                   GOTO_TRNS  offset: 0   size: 0   param: 0  
             SET_TCP_FLAGS_TRNS_SRC_DST_PORTG offset: 52  size: 1   param: 255
                           SET_TRNS_SRC_PORT  offset: 40  size: 2   param: 0  
                           SET_TRNS_DST_PORT  offset: 42  size: 2   param: 0  
                         SET_TCP_WINDOW_SIZE  offset: 66  size: 2   param: 0  
                                      RETURN  offset: 0   size: 0   param: 0  
                              SET_INTF_INPUT  offset: 32  size: 4   param: 0  
                               SET_FLOW_DIRN  offset: 44  size: 1   param: 0  
                                SET_APP_NAME  offset: 36  size: 4   param: 0  
                    SET_REGISTER_FIELD_INPUT  offset: 53  size: 4   param: 0  U
                    SET_REGISTER_FIELD_INPUT  offset: 57  size: 4   param: 0  U
                    SET_REGISTER_FIELD_INPUT  offset: 61  size: 4   param: 0  U
                                      LOOKUP  offset: 0   size: 0   param: 0  
                                        STOP  offset: 0   size: 0   param: 0  
Input program for layer 3 in LAST feature point:
                                      RETURN  offset: 0   size: 0   param: 0  
                               CHECK_NEW_REC  offset: 0   size: 0   param: 7  
                           SET_IP_FWD_STATUS  offset: 51  size: 1   param: 192
                             SET_INTF_OUTPUT  offset: 68  size: 4   param: 0  
                              SET_TIME_FIRST  offset: 80  size: 4   param: 0  
                          SET_CNT_PKTS_BYTESG offset: 76  size: 4   param: 0  
                               SET_CNT_BYTES  offset: 72  size: 4   param: 0  
                               SET_TIME_LAST  offset: 84  size: 4   param: 0  
                                  ULOCK_STOP  offset: 0   size: 0   param: 0  
             UPDATE_TIME_LAST_CNT_PKTS_BYTESG offset: 84  size: 4   param: 0  
                             UPDATE_CNT_PKTS  offset: 76  size: 4   param: 0  
                            UPDATE_CNT_BYTES  offset: 72  size: 4   param: 0  
                   UPDATE_FROM_REC_TCP_FLAGS  offset: 52  size: 1   param: 255
        UPDATE_FROM_REC_REGISTER_FIELD_INPUT  offset: 53  size: 4   param: 0  U
        UPDATE_FROM_REC_REGISTER_FIELD_INPUT  offset: 57  size: 4   param: 0  U
        UPDATE_FROM_REC_REGISTER_FIELD_INPUT  offset: 61  size: 4   param: 0  U
                             FREE_ULOCK_STOP  offset: 0   size: 0   param: 0  
...
Output program for layer 3 in LAST feature point:
                                  SET_IP_TTL  offset: 65  size: 1   param: 0  
                                 SET_IP_PROT  offset: 46  size: 1   param: 0  
                                 SET_IP_DSCP  offset: 45  size: 1   param: 0  
                           SET_IPV4_DST_ADDR  offset: 28  size: 4   param: 0  
                           SET_IPV4_SRC_ADDR  offset: 24  size: 4   param: 0  
                                   GOTO_TRNS  offset: 0   size: 0   param: 0  
             SET_TCP_FLAGS_TRNS_SRC_DST_PORTG offset: 52  size: 1   param: 255
                           SET_TRNS_SRC_PORT  offset: 40  size: 2   param: 0  
                           SET_TRNS_DST_PORT  offset: 42  size: 2   param: 0  
                         SET_TCP_WINDOW_SIZE  offset: 66  size: 2   param: 0  
                                      RETURN  offset: 0   size: 0   param: 0  
                              SET_INTF_INPUT  offset: 32  size: 4   param: 0  
                               SET_FLOW_DIRN  offset: 44  size: 1   param: 0  
                                SET_APP_NAME  offset: 36  size: 4   param: 0  
                                      LOOKUP  offset: 0   size: 0   param: 10 
                           SET_IP_FWD_STATUS  offset: 51  size: 1   param: 192
                             SET_INTF_OUTPUT  offset: 68  size: 4   param: 0  
                              SET_TIME_FIRST  offset: 80  size: 4   param: 0  
                          SET_CNT_PKTS_BYTESG offset: 76  size: 4   param: 0  
                               SET_CNT_BYTES  offset: 72  size: 4   param: 0  
                               SET_TIME_LAST  offset: 84  size: 4   param: 0  
                   SET_REGISTER_FIELD_OUTPUT  offset: 53  size: 4   param: 0  U
                   SET_REGISTER_FIELD_OUTPUT  offset: 57  size: 4   param: 0  U
                   SET_REGISTER_FIELD_OUTPUT  offset: 61  size: 4   param: 0  U
                                  ULOCK_STOP  offset: 0   size: 0   param: 0  
                   UPDATE_FROM_REC_TCP_FLAGS  offset: 52  size: 1   param: 255
             UPDATE_TIME_LAST_CNT_PKTS_BYTESG offset: 84  size: 4   param: 0  
                             UPDATE_CNT_PKTS  offset: 76  size: 4   param: 0  
                            UPDATE_CNT_BYTES  offset: 72  size: 4   param: 0  
                UPDATE_REGISTER_FIELD_OUTPUT  offset: 53  size: 4   param: 0  U
                UPDATE_REGISTER_FIELD_OUTPUT  offset: 57  size: 4   param: 0  U
                UPDATE_REGISTER_FIELD_OUTPUT  offset: 61  size: 4   param: 0  U
                             FREE_ULOCK_STOP  offset: 0   size: 0   param: 0  
Function: fnf_drop_punt_input_feature         doing_input_feature            40
Function: fnf_drop_punt_input_feature         no_pak_store                  359
Function: fnf_shim_sub_app_data_get_extracted dpi_failed                 113204

Conditions:
Removing the collect app http host, collect app http url and collect app ssl common-name entries from the flow record allows the flow records to be exported to the collector, but I really need the additional nonkey values in my netflow records.
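The correlation the report makes by eye, between the U-marked program instructions and the non-key fields at the same offsets, can be scripted when comparing several monitors. This is an added example, not part of the bug report or any Cisco tooling; `flagged_fields` is a hypothetical helper, the sample is a trimmed excerpt of the output quoted above, and the meaning of the U marker is not stated on the page, so the script only reports which fields carry it.

```python
import re

# Trimmed excerpt of the 'show flow mon FLOWMON internal' output quoted above.
SAMPLE = """\
  Non Key Fields:
    Name: counter bytes (offset: 72 )
    Name: application http url (offset: 53 )
    Name: application http host (offset: 57 )
    Name: application ssl common-name (offset: 61 )
    Name: ip ttl (offset: 65 )
Input program for layer 3 in FIRST feature point:
                                  SET_IP_TTL  offset: 65  size: 1   param: 0
                    SET_REGISTER_FIELD_INPUT  offset: 53  size: 4   param: 0  U
                    SET_REGISTER_FIELD_INPUT  offset: 57  size: 4   param: 0  U
                    SET_REGISTER_FIELD_INPUT  offset: 61  size: 4   param: 0  U
Output program for layer 3 in LAST feature point:
                               SET_CNT_BYTES  offset: 72  size: 4   param: 0
                UPDATE_REGISTER_FIELD_OUTPUT  offset: 53  size: 4   param: 0  U
"""

# "Name: <field> (offset: N )" lines from the Flow Definition section.
FIELD_RE = re.compile(r"^\s*Name:\s+(.+?)\s+\(offset:\s*(\d+)\s*\)\s*$")
# "<INSTRUCTION> offset: N size: N param: N [marker]" lines from the programs.
INSTR_RE = re.compile(
    r"^\s*([A-Z][A-Z0-9_]*)\s+offset:\s*(\d+)\s+size:\s*(\d+)"
    r"\s+param:\s*(\d+)(?:\s+(\S+))?\s*$"
)


def flagged_fields(text, flag="U"):
    """Map each field name to the instructions at its offset that carry `flag`."""
    names, hits = {}, {}  # offset -> field name, offset -> set of instructions
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            names[int(m.group(2))] = m.group(1)
            continue
        m = INSTR_RE.match(line)
        if m and m.group(5) == flag:
            hits.setdefault(int(m.group(2)), set()).add(m.group(1))
    # Offsets with no matching "Name:" line are reported rather than dropped.
    return {names.get(off, f"<unknown offset {off}>"): sorted(ins)
            for off, ins in sorted(hits.items())}


if __name__ == "__main__":
    for field, instrs in flagged_fields(SAMPLE).items():
        print(f"{field}: {', '.join(instrs)}")
```
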