
Splunk Stream: Is there a workaround for this error "Decoding sFlow version 589829 is not supported yet"?

mmacdonald70
Explorer

I am trying to get Splunk Stream working with Flows from an ASA v9.6(2). I finally have it mostly working but now I'm seeing the error:

ERROR [140349472376576] (NetflowManager/sflowDecoder.cpp:34) stream.NetflowReceiver - sFlowDecoder::generateEvents Decoding sFlow version 589829 is not supported yet.

I assume that this means that my version isn't supported. Does anybody know if there is a workaround for this? If not, is there a different app that might work?

vshcherbakov_sp
Splunk Employee

@mmacdonald70,

589829 doesn't look like a valid sFlow version (AFAIK only sFlow v5 exists as of now), so I'd guess the problem is in the data format. Are you by any chance sending some decoded/formatted sFlow? For example, some devices support formatting sFlow records as JSON, etc. Stream expects the "native" binary sFlow protocol.

Also, ASA is a Cisco device, and being such I'd expect it to generate netflow, not sFlow (they're different binary formats). You may want to change your Stream configuration to receive netflow (i.e. netflowReceiver.0.decoder = netflow).
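As an added worked example (not code from this thread or from Splunk Stream), this shows why a NetFlow v9 packet read by an sFlow decoder reports exactly version 589829: the v9 header starts with a 16-bit version (9) followed by a 16-bit flowset count (5), and those two fields read as one 32-bit word are 0x00090005 = 589829. Both sample datagrams are constructed.

```python
import struct
from typing import Tuple

# Constructed sample: the 20-byte header of a NetFlow v9 export packet
# (version=9, count=5 flowsets, sysUptime, unixSecs, sequence, sourceId).
NETFLOW_V9_SAMPLE = struct.pack("!HHIIII", 9, 5, 123456, 1484840799, 42, 0)
# Constructed sample: the start of an sFlow v5 datagram
# (version=5, agent address type=1 for IPv4, then the agent IPv4 address).
SFLOW_V5_SAMPLE = struct.pack("!II", 5, 1) + bytes([192, 0, 2, 1])


def as_sflow_version(datagram: bytes) -> int:
    """sFlow starts with a 32-bit big-endian datagram version."""
    return struct.unpack("!I", datagram[:4])[0]


def as_netflow_header(datagram: bytes) -> Tuple[int, int]:
    """NetFlow v5/v9 and IPFIX start with a 16-bit version and a 16-bit count."""
    return struct.unpack("!HH", datagram[:4])


def identify(datagram: bytes) -> str:
    """Guess which export protocol a UDP payload carries from its first 32 bits."""
    if len(datagram) < 4:
        return "too-short"
    v32 = as_sflow_version(datagram)
    if v32 in (2, 4, 5):          # every published sFlow version is a small 32-bit number
        return f"sflow-v{v32}"
    v16, _count = as_netflow_header(datagram)
    if v16 in (1, 5, 7, 8, 9):    # NetFlow version in the high 16 bits, count in the low 16
        return f"netflow-v{v16}"
    if v16 == 10:
        return "ipfix"
    return f"unknown (first word 0x{v32:08x})"
```

Running identify() on a capture before picking a Stream decoder avoids chasing a "version" number that was never a version field at all.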

mmacdonald70
Explorer

Looks like you are right; it looks like this isn't sFlow at all. After capturing the traffic, opening it in Wireshark and decoding it as NetFlow, it loaded and told me it was Cisco NetFlow/IPFIX version 9. Unfortunately now, when I change the input to NetFlow, I'm getting these errors:

2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 88
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 260
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 260 from source 0 . Dropping flow data set of size 68
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 776
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 88
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 604
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 261 from source 0 . Dropping flow data set of size 56

vshcherbakov_sp
Splunk Employee

It may be a transient startup condition. Netflow v9 uses templates that tell the receiver how to interpret each particular data record. The generating device sends these templates every so often, so once Stream receives them it should be able to parse the data and these errors should stop. You may tune up the template broadcasting frequency on the ASA (assuming it's configurable).

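Added example (not Splunk Stream's code, and not from anyone in this thread): a minimal NetFlow v9 decoder that caches templates per (source id, template id) and has to drop any data flowset whose template has not arrived yet, which is what the "No template definition received with id 256 from source 0" errors above report. Until the ASA's next template export (every 30 minutes by default), every data flowset for that id is lost. The packets, field layout and field type numbers below are constructed; the decoder handles one template per template flowset and no options templates.

```python
import struct
from typing import Dict, List, Tuple

IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT = 8, 12, 7, 11  # v9 field type ids

class V9Decoder:
    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}  # (source, tid) -> fields
        self.errors: List[str] = []

    def feed(self, packet: bytes) -> List[dict]:
        version, _count, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        assert version == 9, f"not NetFlow v9 (version field {version})"
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:  # template flowset: remember the (type, length) layout per source
                tid, nfields = struct.unpack("!HH", body[:4])
                self.templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(nfields)]
            elif fs_id >= 256:  # data flowset: decodable only once its template is cached
                tmpl = self.templates.get((source_id, fs_id))
                if tmpl is None:
                    self.errors.append(f"No template definition received with id {fs_id} from "
                                       f"source {source_id}. Dropping flow data set of size {fs_len}")
                else:
                    rec_len = sum(flen for _, flen in tmpl)
                    for p in range(0, len(body) - rec_len + 1, rec_len):  # trailing padding ignored
                        rec, q = {}, p
                        for ftype, flen in tmpl:
                            rec[ftype] = int.from_bytes(body[q:q + flen], "big")
                            q += flen
                        records.append(rec)
            off += fs_len
        return records

def v9_packet(source_id: int, flowsets: List[bytes]) -> bytes:
    # Constructed export packet: 20-byte v9 header followed by the given flowsets.
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1484840799, 1, source_id) + b"".join(flowsets)

# Constructed template 256: src/dst IPv4 (4 bytes each) and src/dst L4 ports (2 bytes each).
TEMPLATE_256 = struct.pack("!HHHH", 0, 24, 256, 4) + struct.pack(
    "!HHHHHHHH", IPV4_SRC_ADDR, 4, IPV4_DST_ADDR, 4, L4_SRC_PORT, 2, L4_DST_PORT, 2)
# Constructed data flowset for template 256 holding two 12-byte records.
DATA_256 = (struct.pack("!HH", 256, 28)
            + bytes([10, 0, 0, 1, 192, 0, 2, 7]) + struct.pack("!HH", 51000, 443)
            + bytes([10, 0, 0, 2, 192, 0, 2, 8]) + struct.pack("!HH", 51001, 22))
```

Feeding DATA_256 before TEMPLATE_256 produces the same kind of drop message the Stream log shows; feeding the template first yields two decoded records.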

NetFlow_Logic
Contributor

Yes, ASA template timeout is configurable, and defaults to 30 minutes. It could be changed with the following command:

flow-export template timeout-rate "minutes"


vshcherbakov_sp
Splunk Employee

I just checked the ASA docs and it seems like it sends (exports) netflow templates every 30 minutes by default.

You may want to change it to a shorter value with this command:

flow-export template timeout-rate <minutes>

http://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html
