ASA 5510 is sending netflow records instead of netflow flows

Unanswered Question
Sep 30th, 2010

Following the URL below I set up NetFlow on my ASA to be able to analyze traffic through the firewall.  My NetFlow analyzer is SolarWinds NetFlow Traffic Analyzer, but it is not perceiving receipt of the packets although I know from Wireshark they are getting there.  I noticed a difference in the packets from the ASA and the routers is that the ASA NetFlow packets are "records" whereas all the routers send NetFlow "flows".  Why the difference?  Can I get the ASA to send "flows"?  If not, might there be some way for SolarWinds to be able to process ASA NetFlow records?  Thanks.

https://supportforums.cisco.com/docs/DOC-6114

Scott Nishimura Thu, 09/30/2010 - 13:23

Hello.

The ASA supports the new NetFlow v9 NSEL and it doesn't function like your normal router NetFlow.  What you are seeing is correct, as we will generate a NetFlow data record for connections that are being built or torn down.  There are a few other events as well.

Please check out this doc, as it will provide more information on the NSEL NetFlow v9.  Your collector must support the Cisco ASA firewall.  I believe there is a version of the SolarWinds that does have this support.  There are not many collectors that do support it, so you will need to check.

please check out:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html

thanks,

scott
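The distinction Scott describes (NSEL event records rather than periodic flow exports) also explains the symptom from the original post: NetFlow v9 is template-based, so a collector that has not yet received (or does not understand) the ASA's template can see every packet arrive on the wire and still display nothing. The parser below is an added example, not code from the thread or from Cisco or SolarWinds; it implements the v9 header, template-flowset and data-flowset layout from the NetFlow v9 export format, uses the firewallEvent field number 233 that NSEL records carry, and feeds itself a constructed NSEL-style packet pair to show the template-first requirement. The addresses, ports and template id 256 are constructed sample values.

```python
"""Minimal NetFlow v9 / NSEL parser to show why data records need a template first."""
import socket
import struct
from dataclasses import dataclass, field

# Field type numbers from the NetFlow v9 / IPFIX registry; 233 is firewallEvent,
# the per-connection event code that ASA NSEL exports (assumed mapping below).
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port",
               4: "protocol", 233: "fw_event"}
FW_EVENTS = {0: "ignore", 1: "created", 2: "deleted", 3: "denied",
             4: "alert", 5: "update"}


@dataclass
class V9Collector:
    """Keeps templates per (source_id, template_id) like a real collector must."""
    templates: dict = field(default_factory=dict)
    unknown_template: int = 0  # data flowsets dropped because no template was known

    def feed(self, packet: bytes) -> list:
        version, count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:                       # template flowset
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                   # data flowset, id == template id
                tmpl = self.templates.get((source_id, fs_id))
                if tmpl is None:
                    self.unknown_template += 1   # the "packets arrive, nothing shows" case
                else:
                    records.extend(self._decode(tmpl, body))
            off += fs_len                        # ids 1..255 (options etc.) are skipped
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                      for i in range(nfields)]
            self.templates[(source_id, tid)] = fields
            off += 4 * nfields

    def _decode(self, tmpl: list, body: bytes) -> list:
        rec_len = sum(flen for _, flen in tmpl)
        if rec_len == 0:
            return []
        out, off = [], 0
        while off + rec_len <= len(body):        # trailing bytes are padding
            rec = {}
            for ftype, flen in tmpl:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (8, 12):
                    rec[name] = ".".join(str(b) for b in raw)
                elif ftype == 233:
                    rec[name] = FW_EVENTS.get(raw[0], f"unknown({raw[0]})")
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def v9_packet(flowsets: list, seq: int, count: int, source_id: int = 0) -> bytes:
    """Build a v9 export packet from (flowset_id, body) pairs (constructed data)."""
    header = struct.pack("!HHIIII", 9, count, 1000, 1285880000, seq, source_id)
    return header + b"".join(struct.pack("!HH", fid, 4 + len(fs)) + fs for fid, fs in flowsets)


def demo() -> tuple:
    """Replay a data packet before and after its template; returns both decode results."""
    nsel_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    template = struct.pack("!HH", 256, len(nsel_fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in nsel_fields)
    conn = socket.inet_aton("10.1.1.5") + socket.inet_aton("192.0.2.10") + struct.pack("!HHB", 51234, 443, 6)
    data = conn + bytes([1]) + conn + bytes([2])   # flow created, then flow deleted
    collector = V9Collector()
    data_pkt = v9_packet([(256, data)], seq=2, count=2)
    before = collector.feed(data_pkt)              # no template yet: nothing decodable
    collector.feed(v9_packet([(0, template)], seq=1, count=1))
    after = collector.feed(data_pkt)               # same bytes now decode to two records
    return before, after, collector


if __name__ == "__main__":
    before, after, c = demo()
    print("before template:", before, "dropped flowsets:", c.unknown_template)
    for rec in after:
        print("after template:", rec)
```

The same data packet is silently dropped on the first pass and decoded on the second, which is why a quick Wireshark check proving "packets are arriving" does not by itself prove the collector can use them; the ASA's template refresh interval, and whether the collector knows field 233 at all, are the next things to look at.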

mmedwid Thu, 09/30/2010 - 13:32

According to SolarWinds:


Which versions of NetFlow does Orion NetFlow Traffic Analyzer support?

Orion NetFlow Traffic Analyzer can collect data from all devices that support NetFlow v5, NetFlow v9, sFlow, or J-Flow. NetFlow v9 devices are supported using NetFlow v5 data formats.


Can Orion NTA analyze NetFlow from Cisco ASA devices?

Yes, Orion NTA supports all Cisco Adaptive Security Appliance (ASA) models.

Not sure what "NetFlow v9 devices are supported using v5 data formats" means.  ??

http://www.solarwinds.com/products/orion/nta/faq.aspx

Thank you.

Michael

Scott Nishimura Thu, 09/30/2010 - 13:38

Hi Michael,

Looks good.  Your SolarWinds should be able to interpret the NSEL v9 being sent by the ASA.  You mentioned you received records, so it sounds like it's working.  As for seeing the same info as you saw on your router, the NSEL is different and won't be able to provide the same type of data.

thanks,

scott

mmedwid Thu, 09/30/2010 - 13:39

It could be that I have NetFlow TA 3.5 and they are up to 3.7.  Downloading now...

mmedwid Thu, 09/30/2010 - 15:25

I upgraded SolarWinds NetFlow Analyzer to 3.7, but it still is not perceiving receipt of the NetFlow packets from the ASA.

Scott Nishimura Thu, 09/30/2010 - 15:31

So the SolarWinds is not seeing any data from the ASA?  If that is the case, then you will probably want to run a sniffer trace on the interface going towards the SolarWinds to make sure the ASA is sending out the data.  If it is sending the data, then you may want to open a case with SolarWinds on the data not showing up on the collector.

thanks,

scott

mmedwid Thu, 09/30/2010 - 15:38

Well, as I mentioned originally, I ran the packet sniffer Wireshark to verify that yes, indeed, the packets from the ASA are getting to the SolarWinds server.  It's just that they are ver 9 and most of my routers are sending v5 NetFlow packets.

Scott Nishimura Thu, 09/30/2010 - 15:42

Hi Michael,

It sounds like something on the processing side of the SolarWinds if it's not showing any traffic from the ASA, since you had verified it was sending it via the Wireshark earlier.  I would probably suggest checking with them if there is some knob or something to turn on.

thanks,

scott

jakewilson Fri, 10/01/2010 - 02:48

Is your Cisco ASA running at least version 8.2 or more recent?  This firewall and its NetFlow support have been blogged about extensively on the Plixer blog.  Also, it might be worth trying a different NetFlow analyzer like Scrutinizer just to gather more details around the problem.

NetFlows exported by the Cisco ASA. Check out this PDF:

http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

  * no export of ToS
  * no packet count
  * bidirectional flows (reply flow is added to the initiating flow), not RFC 5103 compliant
  * no active timeout
  * no TCP flags

I would consider testing the issue with another NetFlow Analyzer.

mmedwid Fri, 10/01/2010 - 09:17

Well, having spent $$ on SolarWinds NetFlow TA, they gotta just make it work.  They claim it supports ASA and NetFlow 9, so it's on them.

We're running 8.2(1)11 btw.
