Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2321
Views
5
Helpful
3
Replies

Netflow problem help ?

Go to solution
trungfotech
Level 1
Level 1

‎08-13-2010 02:21 AM - edited ‎03-04-2019 09:24 AM

Dear all,

I have a Catalyst 4507-E with supervisor V-10GE. In this switch I have anable netflow service to manage flow on network. The functionality is embedded in the supervisor engine. I use open source "Flow Tool" for flow capture, in this tool I configured capture flow every 5 minutes. And then when I open a terminal console into Catalyst 4507, I have received this errors every 5 minutes:

" *Aug 12 20:58:06.089: %C4K_HWNETFLOWMAN-4-FLOWSLOSTERR: Netflow stats lost either due to hardware hash collisions or full hardware flow table. Stats lost for 24417 packets."

This is the output of show inventory command:

NAME: "Switch System", DESCR: "Cisco Systems, Inc. WS-C4507R-E 7 slot switch "
PID: WS-C4507R-E       , VID: V02  , SN: FOX1412GCTW

NAME: "Clock Module", DESCR: "Clock Module"
PID: WS-X4K-CLOCK-E    , VID: V01  , SN: JAE14180ERS

NAME: "Mux Buffer 1 ", DESCR: "Mux Buffers for Redundancy Logic"
PID: WS-X4590-E        , VID: V01  , SN: JAE14170GVA

NAME: "Mux Buffer 2 ", DESCR: "Mux Buffers for Redundancy Logic"
PID: WS-X4590-E        , VID: V01  , SN: JAE14170IHF

NAME: "Mux Buffer 5 ", DESCR: "Mux Buffers for Redundancy Logic"
PID: WS-X4590-E        , VID: V01  , SN: JAE14170DGE

NAME: "Mux Buffer 6 ", DESCR: "Mux Buffers for Redundancy Logic"
PID: WS-X4590-E        , VID: V01  , SN: JAE14170ASJ

NAME: "Mux Buffer 7 ", DESCR: "Mux Buffers for Redundancy Logic"
PID: WS-X4590-E        , VID: V01  , SN: JAE14170AV6

NAME: "Linecard(slot 1)", DESCR: "10/100/1000BaseT (RJ45) with 24 10/100/1000 baseT ports"
PID: WS-X4424-GB-RJ45  , VID: V06  , SN: JAE1418012E

NAME: "Linecard(slot 3)", DESCR: "Supervisor V-10GE with 2 10GE X2 ports, and 4 1000BaseX SFP ports"
PID: WS-X4516-10GE     , VID: V11  , SN: JAE14070LGD

NAME: "Linecard(slot 4)", DESCR: "Supervisor V-10GE with 2 10GE X2 ports, and 4 1000BaseX SFP ports"
PID: WS-X4516-10GE     , VID: V11  , SN: JAE14070LIG

NAME: "Linecard(slot 7)", DESCR: "10/100/1000BaseT (RJ45) with 24 10/100/1000 baseT ports"
PID: WS-X4424-GB-RJ45  , VID: V06  , SN: JAE14180132

NAME: "Fan", DESCR: "FanTray"
PID: WS-X4597-E        , VID: V02  , SN: FOX1412G4D3

NAME: "Power Supply 1", DESCR: "Power Supply ( AC 1400W )"
PID: PWR-C45-1400AC    , VID: V04  , SN: AZS14060RRP

NAME: "Power Supply 2", DESCR: "Power Supply ( AC 1400W )"
PID: PWR-C45-1400AC    , VID: V04  , SN: AZS14060RKA

So what is the problem and what I can do to resolve it ?

Thanks so much,

Trung.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-13-2010 03:27 AM

Hello Nguyen,

>> " *Aug 12 20:58:06.089: %C4K_HWNETFLOWMAN-4-FLOWSLOSTERR: Netflow stats lost either due to hardware hash collisions or full hardware flow table. Stats lost for 24417 packets."

the messages means that for the limited size of netflow cache on the device it has been not possible to collect data about all observed traffic flows.

Post a sh mls  to see the flowmask

what is the flow mask that you are using ?

Depending on interaction with other features changing the flow mask could be a solution.

Hope to help

Giuseppe

View solution in original post

Go to solution
u1kumar2002
Level 1
Level 1

‎08-13-2010 05:29 AM

Hi,

   Agreed to above answer.. This is a informational message that cache is full, then somenetflow statistics will be lost.

Error Message    C4K_HWNETFLOWMAN-4-FLOWSLOSTERR: Netflow stats lost due to full hw 
flow table.  [char] [dec] packets.

Explanation   This message indicates that if the cache is full, then some flow statistics will be lost. This message informs users about the total collected flow statistics. If the counter that tracks the lost statistics has overflowed, an accurate count of total lost flows is not available.

Recommended Action   This is an informational message only. No action is required.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12.1e/system/message/emsg.html#wp1404615

To overcome this issue you have to configure minimum flowmask,

The flow mask determines the granularity of the statistics gathered, which controls the size of the NetFlow table. The less-specific flow masks result in fewer entries in the NetFlow table and the most-specific flow masks result in the most NetFlow entries.

For example, if the flow mask is set to source-only, the NetFlow table contains only one entry per source IP address. The statistics for all flows from a given source are accumulated in the one entry. However, if the flow mask is configured as full, the NetFlow table contains one entry per full flow. Many entries may exist per source IP address, so the NetFlow table can become very large.

Setting the Minimum IP MLS Flow Mask

You can set the minimum specificity of the flow mask for the NetFlow table on the PFC. The actual flow mask may be more specific than the level configured in the mls flow ip command, if other configured features need a more specific flow mask (see the "Flow Mask Conflicts" section).

To set the minimum IP MLS flow mask, perform this task:

Command
Purpose

Router(config)# mls flow ip {source | destination | destination-source | interface-destination-source | full | interface-full}

Sets the minimum IP MLS flow mask for the protocol.

Router(config)# no mls flow ip

Reverts to the default IP MLS flow mask (null).


This example shows how to set the minimum IP MLS flow mask:

Router(config)# mls flow ip destination
Hope this information will help you....
Uttam
'

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-13-2010 03:27 AM

Hello Nguyen,

>> " *Aug 12 20:58:06.089: %C4K_HWNETFLOWMAN-4-FLOWSLOSTERR: Netflow stats lost either due to hardware hash collisions or full hardware flow table. Stats lost for 24417 packets."

the messages means that for the limited size of netflow cache on the device it has been not possible to collect data about all observed traffic flows.

Post a sh mls  to see the flowmask

what is the flow mask that you are using ?

Depending on interaction with other features changing the flow mask could be a solution.

Hope to help

Giuseppe

Go to solution
u1kumar2002
Level 1
Level 1

‎08-13-2010 05:29 AM

Hi,

   Agreed to above answer.. This is a informational message that cache is full, then somenetflow statistics will be lost.

Error Message    C4K_HWNETFLOWMAN-4-FLOWSLOSTERR: Netflow stats lost due to full hw 
flow table.  [char] [dec] packets.

Explanation   This message indicates that if the cache is full, then some flow statistics will be lost. This message informs users about the total collected flow statistics. If the counter that tracks the lost statistics has overflowed, an accurate count of total lost flows is not available.

Recommended Action   This is an informational message only. No action is required.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12.1e/system/message/emsg.html#wp1404615

To overcome this issue you have to configure minimum flowmask,

The flow mask determines the granularity of the statistics gathered, which controls the size of the NetFlow table. The less-specific flow masks result in fewer entries in the NetFlow table and the most-specific flow masks result in the most NetFlow entries.

For example, if the flow mask is set to source-only, the NetFlow table contains only one entry per source IP address. The statistics for all flows from a given source are accumulated in the one entry. However, if the flow mask is configured as full, the NetFlow table contains one entry per full flow. Many entries may exist per source IP address, so the NetFlow table can become very large.

Setting the Minimum IP MLS Flow Mask

You can set the minimum specificity of the flow mask for the NetFlow table on the PFC. The actual flow mask may be more specific than the level configured in the mls flow ip command, if other configured features need a more specific flow mask (see the "Flow Mask Conflicts" section).

To set the minimum IP MLS flow mask, perform this task:

Command
Purpose

Router(config)# mls flow ip {source | destination | destination-source | interface-destination-source | full | interface-full}

Sets the minimum IP MLS flow mask for the protocol.

Router(config)# no mls flow ip

Reverts to the default IP MLS flow mask (null).


This example shows how to set the minimum IP MLS flow mask:

Router(config)# mls flow ip destination
Hope this information will help you....
Uttam
'

0 Helpful

Go to solution
trungfotech
Level 1
Level 1
In response to u1kumar2002

‎08-15-2010 07:58 PM

Dear Uttam & Giuseppe,

Thank you very much about support. I have understanded the problem. In my DC, the flow is very large, I have used 70% bandwidth of 10Gig uplink connect to Internet. I have used flow mask apply to source IP only for capture flow from server in DC to Internet.

Sorry for late reply, I don't have Internet Access at the weekend.

Thanks so much again

Trung.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card