Skip to main content
Version: 7.0

Netflow v9/IPFIX Template Not Receieved

NetObserv Flow’s log indicates, Could not decode flowsets: template not yet received.

SYMPTOM

The NetObserv Flow's log indicates a message similar to the following:

error netflow9/netflow9.go:59        netflow v9: could not decode flowsets: template not yet received from 10.1.1.1 for session: 27856, observation domain: 33312, template ID 260

This may occur for both Netflow v9 and IPFIX.

PROBLEM

Unlike earlier versions of Netflow, Netflow v9 and IPFIX do not contain a static set of information elements (IEs). The vendor can decide which standard IEs they wish to send, as well as any vendor-defined IEs.

For the collector to be able to decode Netflow v9 and IPFIX records, it needs a description of the contents that the flow exporter will be sending. This is called a template. The collector will be unable to decode any flow record for which it has not yet received a template. As such, this error message indicates that is still waiting to receive a template from the device.

SOLUTION

In most cases, waiting will allow the issue to resolve itself. These messages will likely be seen when starting NetObserv Flow, but should stop appearing after the needed templates have been received. Devices will usually send templates every few minutes, although some may take 15-30 minutes. This interval is usually configurable, but it may vary by vendor and model.

If waiting does not solve the problem, subscription customers can contact support. Community users can reach out to us via the ElastiFlow Community Slack. To investigate we will need a PCAP of the incoming records from the device in question. The PCAP will need to be long enough to include templates.

The following tcpdump example will capture incoming packets to port 2055 from 192.0.2.11 and write them to a file named netflow.pcap.

sudo tcpdump "src 192.0.2.11 and udp port 2055" -w netflow.pcap -vvv