FWSM/ASA NetFlow

yuchenglai · ‎03-11-2010

Does anyone know if and when Cisco will provide NetFlow records export on the FWSM and ASA? The following link at caligare.com shows why FWSM and ASA are not able to export NetFlow records.

http://support.caligare.com/kb/entry/65/

yjdabear · ‎03-11-2010

There were some past threads on this subject, but I can't seem to find them now. NetFlow v9 support is introduced in ASA 8.2.1 according to this doc:

https://supportforums.cisco.com/docs/DOC-6113

yuchenglai · ‎03-11-2010

Thanks, it looks like NetFlow is not yet supported on the FWSM

David Lai

Network Engineer

Brooke Army Medical Center

210-916-3644 Office

210-916-7488 Desk

Jan Nejman · ‎03-17-2010

Hello David,

netflow is supported on ASA, but several important fields are missing. For example, packet count is missing

in the netflow export. Caligare software depends on valid information about packets and octects count. I'll be

very surprised if the new ASA IOS support these fields. I think that some our competitors support NetFlow

exports from ASA, but you will not be able to see the full detail about data flow (comparated with information

from Cisco routers or Catalyst switches). I think that a Scrutinizer SW supports it.

Kind regards,

Jan Nejman

Caligare, Co.

http://www.caligare.com/

jakewilson · ‎03-24-2010

Thank you Jan.

The ASA kicks out TotalOctetCount in stead of the traditional OctetDeltaCount. Also, the bidirectional flows are unique as well as several other items.

We have been getting a few calls with questions on the uniqueness of the NetFlows exported by the Cisco ASA. Check out this PDF:
http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

Here is a video I recorded on it:

http://media.plixer.com/screencasts/scrutV7ASA/scrutV7ASA/scrutV7ASA.html

Jake

yuchenglai · ‎03-25-2010

Is there NetFlow support on VRF-lite configured on 6500 switches and Firewall Service Modules on the 6500?

David Lai

Network Engineer

Brooke Army Medical Center

210-916-3644 Office

210-916-7488 Desk

Jan Nejman · ‎03-25-2010

Thank you Jake.

I once again checked the Cisco web page and there is no information about OctetDeltaCount

or TotalOctetCoun.

See the URL: http://www.cisco.com/en/US/docs/security/asa/asa83/netflow/netflow.html

In the netflow export is only NF_F_FLOW_BYTES field, but number of packets field is missing!

So I guess that you are not able to display how many packets contain the flow. For example

you can only display that flow from IP A went to the IP B... + how many bytes were transferred

but there is no information about number of packets.

Or I'm wrong?

Jan

jakewilson · ‎03-29-2010

Hi David,

I googled "VRF-lite netflow" and the prognosis doesn't look good.

Jan, I should have been more clear. NetFlow v9 http://www.ietf.org/rfc/rfc3954.txt kicks out IN_BYTES and IN_PKTS. IPFIX http://tools.ietf.org/html/rfc5101 kicks out inOctetDeltaCount inPacketDeltaCount and when the two RFC's conflict, we go with the IPFIX naming convention.

The ASA exports NF_F_FLOW_BYTES which we save as stated above to inOctetDeltaCount. Agreed, I don't see any packet count in the ASA flows.

yuchenglai · ‎03-29-2010

Jake,

What about FWSM on 6509?

David Lai

Network Engineer

Brooke Army Medical Center

210-916-3644 Office

210-916-7488 Desk

jakewilson · ‎03-31-2010

my searching brought me to:

http://www.networkworld.com/community/node/38585

"This is where the FWSM uses NetFlow information….." However, it does not say it exports NetFlow. My google searching came up empty for FWSM NetFlow support.

yuchenglai · ‎04-01-2010

It would be nice if Cisco could enable export of "NetFlow-like" stats from the FWSM and VRF-Lites in upcoming code releases.

David Lai

Network Engineer

Brooke Army Medical Center

210-916-3644 Office

210-916-7488 Desk