Guest

Preview Tool

Cisco Bug: CSCvi23924 - NetFlow v9: FlowSet ID doesn't match the previously sent template IDs in the Data FlowSet packets

Last Modified

Aug 13, 2019

Products (8)

  • Cisco Nexus 7000 Series Switches
  • Cisco Nexus 7000 10-Slot Switch
  • Cisco Nexus 7000 4-Slot Switch
  • Cisco Nexus 7700 6-Slot Switch
  • Cisco Nexus 7700 18-Slot Switch
  • Cisco Nexus 7000 18-Slot Switch
  • Cisco Nexus 7000 9-Slot Switch
  • Cisco Nexus 7700 10-Slot Switch

Known Affected Releases

6.2(12)

Description (partial)

Symptom:
Every template timeout interval (30 mins by default, configurable) we're sending the template IDs to the collector (1 for each record configured).
Collector is supposed to cache this information to be able to understand later how to parse the data FlowSet packet. For that purpose the data FlowSet packet carries the FlowSet ID, which must be equal to the ID of one of the previously sent templates.

The issue here is that the FlowSet ID in the data flowset packets is not equal to any template ID that was sent before, which makes some collectors unable to parse the packet (making the NetFlow data unusable for them).

This makes the collector (just as can be seen with Wireshark) fail to recognize the flow data.

For example:
1. Every 5 minutes (as per config) we're advertising two templates for each LC (customer has two records configured) in the Template flowset:
Cisco NetFlow/IPFIX
    Version: 9
    Count: 2
    SysUptime: 3997843.264000000 seconds
    Timestamp: Jan 30, 2018 11:03:32.000000000 CET
    FlowSequence: 1856
    SourceId: 5
    FlowSet 1 [id=0] (Data Template): 257,258
        FlowSet Id: Data Template (V9) (0)
        FlowSet Length: 116
       Template (Id = 257, Count = 13)
            Template Id: 257
            Field Count: 13
            Field (1/13): IP_SRC_ADDR
            Field (2/13): IP_DST_ADDR
            Field (3/13): PROTOCOL
            Field (4/13): IP_TOS
            Field (5/13): L4_SRC_PORT
            Field (6/13): L4_DST_PORT
            Field (7/13): INPUT_SNMP
            Field (8/13): OUTPUT_SNMP
            Field (9/13): DIRECTION
            Field (10/13): TCP_FLAGS
            Field (11/13): BYTES
            Field (12/13): PKTS
            Field (13/13): IP_PROTOCOL_VERSION
        Template (Id = 258, Count = 13)
      <...>

2. However, when we start to send actual data flowsets, we send them with FlowSet ID = 256 (and not 257 or 258 as we would expect):
Cisco NetFlow/IPFIX
    Version: 9
    Count: 49
    SysUptime: 2352504.784000000 seconds
    Timestamp: Jan 30, 2018 11:03:43.000000000 CET
    FlowSequence: 415402
    SourceId: 257
    FlowSet 1 [id=256]
        FlowSet Id: (Data) (256)
        FlowSet Length: 1428
        Data (1424 bytes), no template found
            [Expert Info (Warning/Malformed): Data (1424 bytes), no template found]
                [Data (1424 bytes), no template found]
                [Severity level: Warning]
                [Group: Malformed]

This is true for most, but not all Data Flowset packets, i.e. some of them contain correct FlowSet ID.
Packets from certain LCs (i.e. certain Source IDs) will have correct FlowSet ID, however packets from other LCs may have incorrect FlowSet ID.

Conditions:
- NetFlow v9 is configured
- NX-OS 6.2(12)
- N7K with F3 LCs
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.