
Flexible Netflow error

Hello, I am encountering a problem with Flexible NetFlow on a Cisco Catalyst 3850. When I apply the flow monitor on an interface that has a 2960 switch stack behind it, NetFlow doesn't detect any traffic. Going into the logs, I notice this error:

 

%FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 1 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:ipv4_netflow_input-0 -goelastic_input-3564851318-0-1-28 fnf-id:2000030 real-id:30 info:ifh =28 mon-id:2000001 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed

 

My IOS version is 16.9.6.

 

I had already encountered this problem previously in version 16.6.6. Cisco had recommended that I upgrade to 16.9.6; however, there was no change.

 

On the bug search tool, I noticed that several people encountered this problem. However, there is no patch. Has anyone found a solution?

 

My NetFlow configuration:

flow record goelastic_input
match ipv4 destination address
match ipv4 source address
match transport source-port
match transport destination-port
match ipv4 protocol
match ipv4 tos
match ipv4 ttl
match interface input
match flow direction
match datalink vlan input
collect counter bytes long
collect counter packets long
!
!
flow exporter exp_goelastic_input
destination xxx.xxx.xxx.xxx
source Loopback0
transport udp 2055
!
!
flow monitor ipv4_netflow_input
exporter exp_goelastic_input
cache timeout active 60
record goelastic_input

 

Thanks for your help
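
Added example (not part of the original thread and not Cisco code): a small Python parser for the `%FMFP-3-OBJ_DWNLD_TO_DP_FAILED` message quoted in the post above, listing which flow-monitor interface bindings failed to download so that gaps in flow telemetry can be flagged from syslog. The function names are hypothetical, the second and third sample lines are constructed, and reading `ifh` as an interface handle is an assumption.

```python
import re
from collections import defaultdict

# First line is the message quoted in the post; the second is a constructed
# variation (different ifh/ids) and the third a constructed unrelated message.
SAMPLE_LOG = """\
%FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 1 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:ipv4_netflow_input-0 -goelastic_input-3564851318-0-1-28 fnf-id:2000030 real-id:30 info:ifh =28 mon-id:2000001 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
%FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 1 R0/0: fman_fp_image: [FNF Object] type:IF_BIND name:ipv4_netflow_input-0 -goelastic_input-3564851318-0-1-31 fnf-id:2000033 real-id:33 info:ifh =31 mon-id:2000001 samp-id:0 dir:1 traffic:0 sub_traffic:0x0 efp_id:3 download to DP failed
%LINK-3-UPDOWN: Interface TenGigabitEthernet1/0/5, changed state to up
"""

HEADER = re.compile(
    r"%FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch (?P<switch>\d+) \S+: \S+: "
    r"\[FNF Object\] (?P<body>.*?)\s*download to DP failed"
)
# key:value pairs; a value runs until the next " key:" so that values with
# embedded spaces ("name:... -goelastic_input-...", "info:ifh =28") stay whole.
FIELD = re.compile(r"([A-Za-z_-]+):(.*?)(?=\s+[A-Za-z_-]+:|$)")


def parse_fnf_failure(line):
    """Return the fields of one FNF download-failure message, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in FIELD.findall(m.group("body"))}
    fields["switch"] = int(m.group("switch"))
    # Assumption: "ifh =N" inside the info field is the interface handle.
    ifh = re.search(r"ifh\s*=\s*(\d+)", fields.get("info", ""))
    fields["ifh"] = int(ifh.group(1)) if ifh else None
    return fields


def failed_bindings(log_text):
    """Map (switch, ifh) -> monitor ids whose IF_BIND failed to download."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fnf_failure(line)
        if f and f.get("type") == "IF_BIND":
            failed[(f["switch"], f["ifh"])].add(f.get("mon-id"))
    return dict(failed)


if __name__ == "__main__":
    for (switch, ifh), monitors in sorted(failed_bindings(SAMPLE_LOG).items()):
        print(f"switch {switch} ifh {ifh}: binding failed, mon-id {sorted(monitors)}")
```
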

9 Replies

AdamF1
Level 1

I run NetFlow fine on my 16.9.x switches.

On your record, add collect timestamp absolute first and last and collect interface output.

For your exporter, specify NetFlow v9.

I have 2 records on mine, one for input and one for output. I then apply ip flow monitor with both record names.

 

Hello @AdamF1,

I added collect timestamp absolute first and last to my record.

In my exporter, I specified NetFlow v9.

It didn't change anything.

It's really weird.

marce1000
VIP

 

- FYI https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp98333

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Giuseppe Larosa
Hall of Fame

Hello @hugoDelande09733,

Is the affected interface standalone or is it a member of a port channel?

The bug mentioned by @marce1000 applies to switches that are running both IPv4 and IPv6 dual stack. Are you also running IPv6?

Finally, if you change the interface that connects to the C2960X stack, does the problem also appear on the new interface?

 

Hope to help

Giuseppe

 

That bug also states it's resolved in the version he is running (16.9.6).

Hello @Giuseppe Larosa, thanks for your help.

The bug is really strange: NetFlow manages to collect packets on the TenGigabitEthernet1/0/1-19 interfaces, but from port number 20, nothing is collected anymore (I noticed it by applying the flow monitor on only these interfaces). In addition, as soon as the flow monitor is applied, the error appears in the logs. This is not the case with the other interfaces.

The common point between these interfaces is that numbers 19-20 and 22-24 are in an EtherChannel, but not 23, and it also does not work, whereas it is only a trunk port.

I tested NetFlow on another 3850, and there was no problem, with the same configuration and the same IOS version.

If you have an idea...

And I only use IPv4.

 

Unfortunately, I cannot change the interface of the C2960X stack, they are in use in the company.

 

 

 

Hello @hugoDelande09733,

Post the output of show sdm prefer from both C3850 switches and check whether they are different.

This looks like a lack of resources in TCAM, and the only possible difference could be caused by a different SDM template in use.

 

Hope to help

Giuseppe

 

Hi @Giuseppe Larosa,

The values are the same.

sh sdm prefer for switch 1 (the one where there is a problem):

 

This is the Advanced template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
L2 Multicast entries: 4096
Overflow L2 Multicast entries: 512
L3 Multicast entries: 4096
Overflow L3 Multicast entries: 512
Directly connected routes: 16384
Indirect routes: 7168
STP Instances: 4096
Security Access Control Entries: 3072
QoS Access Control Entries: 2560
Policy Based Routing ACEs: 1024
Netflow ACEs: 768
Flow SPAN ACEs: 512
Tunnels: 256
LISP Instance Mapping Entries: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT (or) MPLS VPN entries: 4096
SGT/DGT (or) MPLS VPN Overflow entries: 512
Wired clients: 2048
MACSec SPD Entries: 256
MPLS L3 VPN VRF: 127
MPLS Labels: 2048
MPLS L3 VPN Routes VRF Mode: 7168
MPLS L3 VPN Routes Prefix Mode: 3072
MVPN MDT Tunnels: 256
L2 VPN EOMPLS Attachment Circuit: 256
MAX VPLS Bridge Domains : 64
MAX VPLS Peers Per Bridge Domain: 8
MAX VPLS/VPWS Pseudowires : 256
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.
* values can be modified by sdm cli.

 

 

sh sdm prefer for switch 2 (the one where it's ok):

 

Showing SDM Template Info

This is the Advanced template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
L2 Multicast entries: 4096
Overflow L2 Multicast entries: 512
L3 Multicast entries: 4096
Overflow L3 Multicast entries: 512
Directly connected routes: 16384
Indirect routes: 7168
STP Instances: 4096
Security Access Control Entries: 3072
QoS Access Control Entries: 2560
Policy Based Routing ACEs: 1024
Netflow ACEs: 768
Flow SPAN ACEs: 512
Tunnels: 256
LISP Instance Mapping Entries: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT (or) MPLS VPN entries: 4096
SGT/DGT (or) MPLS VPN Overflow entries: 512
Wired clients: 2048
MACSec SPD Entries: 256
MPLS L3 VPN VRF: 127
MPLS Labels: 2048
MPLS L3 VPN Routes VRF Mode: 7168
MPLS L3 VPN Routes Prefix Mode: 3072
MVPN MDT Tunnels: 256
L2 VPN EOMPLS Attachment Circuit: 256
MAX VPLS Bridge Domains : 64
MAX VPLS Peers Per Bridge Domain: 8
MAX VPLS/VPWS Pseudowires : 256
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.
* values can be modified by sdm cli.

 

 

Hi Giuseppe,

I was able to reboot the 3850 overnight.

Then I configured NetFlow, and at first it seemed to work: on interfaces where no traffic had been detected, NetFlow detected traffic. However, after applying the flow monitor on all the ports and waiting several minutes, no traffic was detected on the ports where there was a problem. However, the error is no longer present in the logs...

It is incomprehensible.

It must come from memory... Ideas?
