05-19-2010 04:00 AM - edited 03-11-2019 10:48 AM
I have an ASA configured as an Easy VPN client and I want to send Netflow information to a Netflow collector. In order to do this it appears that the Netflow collector systems I have tried require the reporting device (the ASA) be configured with SNMP. First of all I attempted to configure Netflow via the inside interface but this did not work as Netflow data did not traverse the Easy VPN tunnel. I therefore attempted to configure Netflow via the outside interface and I am receiving Netflow packets, however I cannot communicate with the ASA via SNMP. I get the following log message:
7 | May 19 2010 | 13:15:01 | 710005 | snmp server ip address | 2221 | asa ip address | 161 | UDP request discarded from snmp server ip address/2221 to outside asa ip address/161 |
Can anyone assist as to what the best way is to go about this?
05-19-2010 04:04 AM
Paul,
Can you share your snmp-server and vpnclient configuration sections?
I understand that you're polling SNMP via tunnel and outside interface?
Marcin
05-19-2010 06:53 AM
See below, I have omitted all sensitive information. I have managed to find a netflow collector that works without the need for SNMP, however I would still like to know why I cannot communicate with the ASA with SNMP:
ASA Version 8.2(1)
!
hostname XXXX
domain-name XXXX
names
!
interface Vlan1
nameif inside
security-level 100
ip address XXXX
!
interface Vlan2
nameif outside
security-level 0
ip address XXXX
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name XXXX
pager lines 24
logging enable
logging asdm debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination outside XXXX 2055
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
snmp-server host outside XXXX community XXXX version 2c
snmp-server community XXXX
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 60
console timeout 0
management-access outside
dhcpd option 150 ip XXXX
!
dhcpd domain XXXX interface inside
dhcpd enable inside
!
vpnclient server XXXX
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup XXXX password XXXX
vpnclient username XXXX password XXXX
vpnclient management clear
vpnclient enable
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
svc enable
!
class-map global-class
match dscp cs5 ef
class-map inspection_default
match default-inspection-traffic
class-map flow_export_class
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class global-class
priority
class flow_export_class
flow-export event-type all destination XXXX
class class-default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXX
: end
05-19-2010 07:02 AM
I understand that the IP address in snmp-server host command is the one you're polling this device from.
Since the management clear is configured the traffic should go clearly over the internet.
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4775147
Can you get a sniffer trace of that packet? We need to make sure it's the correct payload and correct host.
05-19-2010 07:43 AM
See attached, you will notice the source host is an RFC1918 IP address as I am behind a firewall, however there is a static NAT configured for this address on the firewall and an ACL that allows the access. Also, can you explain what you mean by "management clear"? I didn't understand the context of what you were saying.
Thanks, Paul
05-19-2010 08:12 AM
Paul,
Can you please take me step by step how you're trying to poll the ASA? Which interface are you coming in on, etc.?
I understand that the traffic capture was done on the host initiating traffic rather than the ASA via capture (since we have ARP packets captured ;])
What I meant by management clear is this:
-----
vpnclient management clear
------
Traffic directed to the outside interface of the ASA itself should not be put in the vpn tunnel.
Bottom line here is that:
- asp/l2 checks
- if we receive a packet destined to udp/161
- if the snmp-server host command allows traffic from that source host for polling.
- if the payload of the packet is not nulled
Allow packet.
If it's being dropped there is most likely some fault in the ASP table. For which:
- removing and adding back the same line (snmp-server blabla)
or
- reloading
could be a potential solution.
I'd suggest - do a packet capture on the ASA (capture command with access-list), see the packet, if it's not malformed in any way.
If it's not, try one of the above workarounds and/or try 8.2.2 rather than 8.2.1 :-)
If not open a case with TAC and we'll dig in.
Marcin
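An added example (not from the thread or from Cisco) that applies the second of Marcin's checks to ASDM-style log rows like the one quoted above: it matches each 710005 discard aimed at UDP/161 against the snmp-server host entries in the running config and flags a source the ASA sees that is not the one configured, for instance when the polling host sits behind NAT. The log rows, addresses and config line are constructed.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample log in the pipe-delimited ASDM layout quoted in the thread
# (severity | date | time | msg id | src | src port | dst | dst port | text).
SAMPLE_LOG = """\
7 | May 19 2010 | 13:15:01 | 710005 | 203.0.113.25 | 2221 | 198.51.100.1 | 161 | UDP request discarded from 203.0.113.25/2221 to outside:198.51.100.1/161
6 | May 19 2010 | 13:15:07 | 302015 | 10.1.1.5 | 40000 | 198.51.100.1 | 161 | Built outbound UDP connection
7 | May 19 2010 | 13:15:09 | 710005 | 192.168.50.10 | 2222 | 198.51.100.1 | 161 | UDP request discarded from 192.168.50.10/2222 to outside:198.51.100.1/161
"""
# Constructed sample of the relevant config line (hypothetical addresses).
SAMPLE_CONFIG = "snmp-server host outside 192.168.50.10 community public version 2c\n"

SNMP_HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(ip_address(addr) in net for net in RFC1918)

def configured_snmp_hosts(config):
    """Map each 'snmp-server host <iface> <addr>' entry to its interface name."""
    hosts = {}
    for line in config.splitlines():
        m = SNMP_HOST_RE.match(line.strip())
        if m:
            hosts[m.group(2)] = m.group(1)
    return hosts

def parse_asdm_line(line):
    """Split one pipe-delimited ASDM row into the fields we need (None if malformed)."""
    f = [x.strip() for x in line.split("|")]
    return None if len(f) < 9 else {"id": f[3], "src": f[4], "dport": f[7], "text": f[8]}

def discarded_snmp_requests(log, config):
    """Return (source, likely reason) for every 710005 discard aimed at UDP/161."""
    hosts = configured_snmp_hosts(config)
    findings = []
    for line in log.splitlines():
        rec = parse_asdm_line(line)
        if rec is None or rec["id"] != "710005" or rec["dport"] != "161":
            continue
        src = rec["src"]
        if src in hosts:
            reason = f"listed for interface {hosts[src]}: check arriving interface and payload"
        elif not is_rfc1918(src) and any(is_rfc1918(h) for h in hosts):
            reason = "not listed; config names a private host but the ASA sees a public source (NAT?)"
        else:
            reason = "not listed in any snmp-server host entry"
        findings.append((src, reason))
    return findings
```

Run it against a `show logging` export and the matching `show running-config | include snmp-server host` output to see at a glance whether the address the ASA sees is the one the config permits.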
05-19-2010 09:16 AM
The netflow collector simply requires communication to the ASA using SNMP on UDP port 161. I wish to communicate over the Internet with the ASA's outside interface. I therefore try to contact the ASA from the collector host and the connection fails with the message I described earlier.