21.09.2019

Juniper: handling jFlow/IPFIX export issues

When configuring jFlow on a Juniper MX you may notice issues with flow duration. Despite the configured active/inactive flow timeouts (recommended value 60), the Juniper MX may ignore them and generate very long flows.

From the FastNetMon perspective, this shows up as inaccurate traffic data and a large number of extremely long flows.

Please use this command to show flow duration distribution for all flows processed by FastNetMon:

sudo fcli show system_counters

Output from an affected device may look like this (the “less_90_seconds”, “less_180_seconds” and “exceed_180_seconds” counters should all be zero when the router behaves correctly):

netflow_v9_duration_less_15_seconds 139125111
netflow_v9_duration_less_30_seconds 2741052
netflow_v9_duration_less_60_seconds 3157836
netflow_v9_duration_less_90_seconds 2004936
netflow_v9_duration_less_180_seconds 2978726
netflow_v9_duraion_exceed_180_seconds 15516371

On the Juniper router you can confirm the issue using these commands:

start shell pfe network fpcX
show jnh 0 inline-services flow-table-info

Example output:

 Configured IPv4 Flow Table in Unit: 0
 Configured IPv6 Flow Table in Unit: 0
 Configured VPLS Flow Table in Unit: 0
 Programmed IPv4 Flow Table Size   : 3932160
 Programmed IPv6 Flow Table Size   : 1024
 Programmed VPLS Flow Table Size   : 1024
 IPv6 Extended Attribute   : 0

 IPv4 Ring Buffer Size   : 262144
 IPv6 Ring Buffer Size   : 262144
 VPLS Ring Buffer Size   : 262144

According to the official documentation, 3932160 means that the router uses the default flow table size: “Default: 3,932,160 (3840K)—Prior to Junos OS Release 16.1R1 and 15.1F2”.

This default value “3932160” means that ipv4-flow-table-size is set to 15, and this setting may cause extremely long flows during the export process.

Juniper allows setting ipv4-flow-table-size up to 245. Each unit means 256K flows in the table. We do not recommend using the maximum value, as it may overload the router.

Instead, we suggest increasing it gradually: 15, 20, 30, 40, 50, until the 90, 180 and 180+ second flows disappear from FastNetMon completely.

NB! The changes described in the next section may cause an immediate card / router reboot (prior to 16.1R1 and 15.1F2). Please be very careful!

You can apply flow-table-size this way (X is the FPC slot number, as in fpcX above):

set chassis fpc X inline-services flow-table-size ipv4-flow-table-size 30

After applying the changes you may see that the values in “Configured IPv4 Flow Table in Unit” and “Programmed IPv4 Flow Table Size” do not match each other (the programmed size can be calculated from “IPv4 Flow Table in Unit” by multiplying by 256K). In this case you have to reboot your router.
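
The two checks described above (long-flow counters in FastNetMon, and configured units versus programmed table size on the router) can be scripted over saved command output. This is an added example, not part of FastNetMon or Junos; the function names are hypothetical, and treating a configured value of 0 as "not configured, default in effect" is an assumption drawn from the example output above.

```python
import re

UNIT_FLOWS = 256 * 1024  # one flow-table unit holds 256K flows (from the article)

# Counter lines copied from the article's affected-device output.
FCLI_SAMPLE = """\
netflow_v9_duration_less_15_seconds 139125111
netflow_v9_duration_less_30_seconds 2741052
netflow_v9_duration_less_60_seconds 3157836
netflow_v9_duration_less_90_seconds 2004936
netflow_v9_duration_less_180_seconds 2978726
netflow_v9_duraion_exceed_180_seconds 15516371
"""

# Constructed sample: 30 units configured, default size still programmed.
PFE_SAMPLE = """\
 Configured IPv4 Flow Table in Unit: 30
 Programmed IPv4 Flow Table Size   : 3932160
"""

# Matches on the bucket suffix only, so it tolerates prefix spelling variations.
BUCKET = re.compile(r"^\s*\S*_(less|exceed)_(\d+)_seconds\s+(\d+)\s*$")

def long_flows(fcli_output, timeout=60):
    """Return (flows_longer_than_timeout, total_flows) from the duration buckets."""
    long_count = total = 0
    for line in fcli_output.splitlines():
        m = BUCKET.match(line)
        if not m:
            continue  # some other system counter
        kind, limit, count = m.group(1), int(m.group(2)), int(m.group(3))
        total += count
        if kind == "exceed" or limit > timeout:
            long_count += count
    return long_count, total

def flow_table_state(pfe_output, family="IPv4"):
    """Compare configured units x 256K with the programmed table size."""
    cfg = re.search(rf"Configured {family} Flow Table in Unit\s*:\s*(\d+)", pfe_output)
    prog = re.search(rf"Programmed {family} Flow Table Size\s*:\s*(\d+)", pfe_output)
    if not cfg or not prog:
        raise ValueError("flow-table-info lines not found")
    units, size = int(cfg.group(1)), int(prog.group(1))
    if units == 0:  # assumption: 0 means nothing configured, default applies
        return "default"
    return "match" if units * UNIT_FLOWS == size else "reboot-needed"

if __name__ == "__main__":
    bad, total = long_flows(FCLI_SAMPLE)
    print(f"flows over 60 s: {bad} of {total} ({bad / total:.1%})")
    print("flow table:", flow_table_state(PFE_SAMPLE))
```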