Re: Netflow v9 configuration on ISR 4431 CPU HIGH

robert.bozic19891 · ‎04-20-2020

Hi all,

I need help with netflow configuration on ISR 4431.(isr4400-universalk9.16.09.04.SPA.bin)

As netflow collector I'm using PRTG.

This is my configuration:

flow exporter xyz_upstream
description xyz-GigabitEthernet0/0/2
destination 10.96.150.230
source Port-channel1.150
transport udp 10000
template data timeout 30

flow monitor xyz_upstream_monitor
exporter xyz_upstream
cache timeout active 30
record netflow ipv4 original-input

sampler sampler-1of1000
mode random 1 out-of 1000

interface Port-channel1.150
description netflow_source_interface
encapsulation dot1Q 150
ip address 10.96.150.29 255.255.254.0
arp timeout 5

PRTG has netflow v9 sensor configured on IP 10.96.150.230.

I was trying to change few parameters (changing source IP, changing destination IP) in configuration, but every time when I execute last command ip flow monitor xyz_upstream_monitor sampler sampler-1of1000 input on interface gig0/0/2 CPU of router gets really high.

#show processes cpu history

111111111111111111111111111111111111111111111111111111111111
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
100 **********************************************************
90 **********************************************************
80 **********************************************************
70 **********************************************************
60 **********************************************************
50 **********************************************************
40 **********************************************************
30 **********************************************************
20 **********************************************************
10 **********************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)

Because of this behavior I'm always turning off netflow (no ip flow monitor...in interface conf)

I'm really not sure is this normal behavior, know that netflow affect CPU, memory and bandwidth, but on this router on interface gig0/0/2 is about 3Mb of traffic, and I'm using sampler 1of1000, so that shouldn't impact CPU that much but it still does.

Please give me advice about this case.

Thanks.

Robert

ngkin2010 · ‎04-20-2020

Hi,

I have read some community posts and documents. People saying that flexible netflow will cause CPU problem, which might be a BUG (e.g. CSCtx50771). Some say firmware upgrade would help, but release note of IOS-XE 16.9.x didn't mentioned this problem.

As a workaround, and if you only interested for IPv4 traffic just fall back to use "ip flow ingress/egress" instead of "ip flow monitor".

robert.bozic19891 · ‎04-29-2020

On this platform it is not possible to use "ip flow ingress/egress" only ip flow monitor.

This are processes which kills routers CPU when netflow is enabled on interface:

CPU utilization for five seconds: 100%/0%; one minute: 22%; five minutes: 16%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
581 64476 2448 26338 48.24% 7.32% 4.41% 866 SSH Process
584 4992 104 48000 48.24% 7.31% 1.56% 0 ASN and BGP-NH (
206 18020684 12366505 1457 1.28% 1.19% 1.21% 0 IP ARP Adjacency
573 11939249 39263061 304 0.48% 0.15% 0.13% 0 BGP Router

CPU utilization for five seconds: 100%/0%; one minute: 75%; five minutes: 33%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
581 106428 3322 32037 94.58% 44.66% 15.58% 866 SSH Process
386 129740763 2761415 46983 3.21% 2.34% 2.17% 0 BGP Scanner
206 18021506 12366630 1457 1.20% 1.17% 1.19% 0 IP ARP Adjacency
15 1946747 7008073 277 0.16% 0.13% 0.14% 0 ARP Background