We have the following hardware:
Cisco Firepower 1120 Threat Defense (78) Version 6.6.1 (Build 91)
Cisco Firepower 4110 Threat Defense (76) Version 6.4.0.4 (Build 34)
Our Netflow collector does not understand the Netflow exported from the FTDs above. Found with Wireshark that NetFlow v9 template records with flowset IDs 256-271 are not sent by the devices, but the corresponding actual traffic flow records with flowset IDs in that range are exported to the collector. Only template records with flowset IDs 272-285 are sent. An ASA 5585 in a similar role is sending template records for both ranges, 256-271 and 272-285, and they are successfully parsed, but the FTDs' are not.
But RFC 3954 "Cisco Systems NetFlow Services Export Version 9", section 7.3, claims:
3. On a regular basis, the Exporter MUST send all the Template Records and Options Template Records to refresh the Collector. Template IDs have a limited lifetime at the Collector and MUST be periodically refreshed. Two approaches are taken to make sure that Templates get refreshed at the Collector:
* Every N number of Export Packets.
* On a time basis, so every N number of minutes.
Both options MUST be configurable by the user on the Exporter. When one of these expiry conditions is met, the Exporter MUST send the Template FlowSet and Options Template.
So the exported flow records are not understood by the Netflow collector due to the missing templates. I did not find whether such behavior has happened to anyone before or whether any solution is available.
Has anyone had the same problem, and is there any solution?
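As an added example (not code from the original post or from Cisco), a small NetFlow v9 FlowSet walker in Python that records which template IDs an exporter has announced and flags data FlowSets whose template has never been seen, which is the symptom described above (data FlowSets 256-271 arriving while only templates 272-285 are exported). The packets are constructed inline, the exporter behaviour in demo() is an assumption modelled on the description above, and templates are keyed on Source ID only (a real collector would also key on the exporter's address).

```python
import struct
from collections import defaultdict

# NetFlow v9 header: version, count, sysUptime, unix secs, sequence number, Source ID
HEADER = struct.Struct("!HHIIII")

def parse_v9_packet(data, templates):
    """Walk the FlowSets of one v9 export packet.
    templates: defaultdict(dict), Source ID -> {template ID: [(field type, length), ...]},
    updated in place from Template FlowSets (ID 0). Returns (template IDs learned,
    data FlowSet IDs that arrived with no known template)."""
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    learned, orphans = [], []
    offset = HEADER.size
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, offset)
        if fs_len < 4:
            break  # malformed length; stop rather than loop forever
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:  # Template FlowSet: one or more template records
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[source_id][tid] = fields
                learned.append(tid)
        elif fs_id >= 256 and fs_id not in templates[source_id]:
            orphans.append(fs_id)  # data records the collector cannot decode yet
        offset += fs_len
    return learned, orphans

def build_packet(source_id, flowsets):
    """Constructed packet: flowsets is a list of (FlowSet ID, body bytes)."""
    body = b"".join(struct.pack("!HH", fid, len(b) + 4) + b for fid, b in flowsets)
    return HEADER.pack(9, len(flowsets), 0, 0, 1, source_id) + body

def template_body(tid, fields):
    """Constructed template record: ID, field count, then (type, length) pairs."""
    return struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)

def demo():
    """Assumed exporter behaviour: template 272 is announced, template 256 never is."""
    templates = defaultdict(dict)
    pkt = build_packet(1, [(0, template_body(272, [(8, 4), (12, 4)])),  # IPV4_SRC/DST_ADDR
                           (272, bytes(8)), (256, bytes(12))])
    return parse_v9_packet(pkt, templates)
```

Running the same walker over a capture from the collector side shows which data FlowSet IDs are orphaned per Source ID, which is the quickest way to confirm a template-refresh problem before opening a case.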