Lukas955
commented
6 years ago Hi, I looked into the code and you are right that the forwarding plugin removes templates definitions that have been already sent. The purpose is to prevent template collisions by remapping Template IDs, if there are multiple flow sources (i.e. exporters connected to the collector) with the same Observation Domain ID (ODID).
However, all forwarded IPFIX Messages that consist of at least one Template definition (that hasn't been sent yet) are marked as "mandatory delivery". In other words, if a destination is busy and the plugin is not able to pass the message into a TCP socket (or store it into a temporary buffer for next time delivery), connection is closed to prevent sending malformed/unreadable messages. Moreover, the plugin sends only Data Sets (i.e. flow records) with known definitions of templates. As a result, only fully interpretable messages should be send to the destination.
Note: Closed connections are later reconnected and all known template definitions are send at the beginning of communication.
morph027
thorgrin
Hello, me again ;)
Found another little bugger in my test setup.
ipfixcol is forwarding to logstash via TCP. If there's too much load on logstash (TPC connection still alive), it somehow seems to drop/lost the templates or so (not sure) leading to messages not being processed (the whole logstash tcp receiving stack is bogus). Before ipfixcol as MITM it was working as the original sender we have is re-transmitting templates every x minutes even on TCP connections.
Does ipfixcol forward templates only when they are seen on a connection first? Or can we add something like the UDP resend setting for TCP also?