[c-nsp] 6500 NDE aging "prematurely"
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jun 4 07:53:19 EDT 2008
All,
We use nfdump/nfsen to gather our flows. The "nfcap" daemon writes the
flows to 5-minute-window files, the filename being the *start* of the
5-minute window.
If I look at e.g. nfcapd.200806041235 I see the following distribution
of flow *end* times:
732 2008-06-04 12:29
16492 2008-06-04 12:30
19769 2008-06-04 12:31
22704 2008-06-04 12:32
21701 2008-06-04 12:33
91460 2008-06-04 12:34
148540 2008-06-04 12:35
153881 2008-06-04 12:36
177542 2008-06-04 12:37
184133 2008-06-04 12:38
143340 2008-06-04 12:39
Given that we are running with the default aging parameters:
enable timeout packet threshold
------ ------- ----------------
normal aging true 300 N/A
fast aging false 32 100
long aging true 1920 N/A
...I'm puzzled; surely during the window 12:35:00 -> 12:39:59 we should
only ever receive flows with end time up to 12:35:00 (plus or minus a
few tens of seconds, depending on the aging)
Why is the router exporting flows which have been inactive for "only" ~1
minute?
The box isn't busy with regards netflow (considering we have fast aging
disabled and lot of 1-packet flows) so I don't think that's the cause.
TCAM utilization: Module Created Failed %Used
1 72227 0 55%
2 65312 0 49%
5 75 0 0%
6 70 0 0%
8 71824 0 54%
9 37572 0 28%
ICAM utilization: Module Created Failed %Used
1 1 0 0%
2 3 0 2%
5 0 0 0%
6 0 0 0%
8 4 0 3%
9 0 0 0%
Flowmasks: Mask# Type Features
IPv4: 0 reserved none
IPv4: 1 Intf FulFM_GUARDIAN
IPv4: 2 unused none
IPv4: 3 reserved none
IPv6: 0 reserved none
IPv6: 1 unused none
IPv6: 2 unused none
IPv6: 3 reserved none
More information about the cisco-nsp
mailing list