cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
930
Views
0
Helpful
8
Replies

ASA 8.2 NSEL netflow

ryancolson
Level 1
Level 1

I recently updated to ASA code version 8.2, and am trying ti find a utility that can read/interperate the NSEL output, and hopefully give some bandwidth stats. I ahve tried orion, scrutanizer, and advantnet. the first two didnt report anything, and adventnet only reported some IP address, but did not recognize the interface names or give any data bandwidths. It just said index1 and index2 for the interfaces.

8 Replies 8

Not applicable

The adaptive security appliance implementation of NSEL is a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are used to export data about flow status, and are triggered by the event that caused the state change.

NSEL has the following prerequisites:

•IP address and hostname assignments must be unique throughout the NetFlow configuration.

•You must have at least one configured collector before you can use NSEL.

•You must configure NSEL collectors before you can configure filters via Modular Policy Framework.

ok I still dont know what I am supposed to use to read the flow logs/exports. As I have said two of the three I have tried showed absolutely nothing, and the 3rd didnt seem to be able to make much sense of it. Besides MARS, what can I use to read NSEL?

For what it is worth, I talked to someone from Netflow Auditor today and they said they should be able to parse this data with Version 4 which comes out in June sometime. I am going to download version 4 and get a trial key when it is available to test this capability.

Leave it to Cisco to implement "Netflow" that doesn't work well with any collectors. This is almost as bad as netflow support for the SUP720's.

to get this working as far as exporting you can go here.

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/monitor.html#wp1109506

Here is the basics of what you need.

flow-export destination

!

class-map netflow_export_class

match any

!

!

policy-map netflow_export_policy

class netflow_export_class

flow-export event-type all destination

!

service-policy netflow_export_policy global

The "match any" and "flow-export event-type all" lines force the export of ALL NSEL events.

Unless you have MARS, your collector probably will get the packets and pull ifindex numbers for the interfaces, both physical and virtual, but you will not get any of the payload data from the netflow packets. I am very disappointed in this revelation, but sadly, not surprised.

The NSEL record generated by netflow configuration in 8.2 is based on NetFlow version 9, which as been an RFC since 2004.

http://www.ietf.org/rfc/rfc3954.txt

Any netflow collector that understands NetFlow v9 should be able to collect the netflow data from your ASA.

thats the thing- I have tried several that do support V9 and they cant read from the ASA(but they can read from a 1721 exporting in V9 just fine)

v9 is pretty straight forward and I know that it can be read in wireshark if you collected packet captures to verify. Is there something specifically that your collector isn't dealing well with? I know I've seen problems where collectors are looking for the bytes in the flow which is ID 1, but that is never sent by the ASA as ID 1 is the number of bytes since the last update. The ASA uses ID 85 which is the total bytes sent.

HTH,

Pete

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: