ASA 5510 is sending netflow records instead of netflow flows

Sep 30th, 2010

Following the URL below, I set up netflow on my ASA to be able to analyze traffic through the firewall.  My netflow analyzer is Solar Winds Netflow Traffic Analyzer, but it is not perceiving receipt of the packets, although I know from Wireshark they are getting there.  I noticed a difference in the packets from the ASA and the routers: the ASA netflow packets are "records" whereas all the routers send netflow "flows".  Why the difference?  Can I get the ASA to send "flows"?  If not, might there be some way for Solar Winds to be able to process ASA netflow records?  Thanks.


https://supportforums.cisco.com/docs/DOC-6114

Scott Nishimura (Cisco Employee) Thu, 09/30/2010 - 13:23

Hello.


The ASA supports the new NetFlow v9 NSEL and it doesn't function like your normal router NetFlow.  What you are seeing is correct, as we will generate a NetFlow data record for connections that are building or being torn down.  There are a few other events as well.


Please check out this doc as it will provide more information on the NSEL NetFlow v9.  Your collector must support the Cisco ASA firewall.  I believe there is a version of SolarWinds that does have this support.  There are not many collectors that do support it, so you will need to check.


Please check out:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html


thanks,

scott

mmedwid Thu, 09/30/2010 - 13:32

According to Solar Winds




Which versions of NetFlow does Orion NetFlow Traffic Analyzer support?

Orion NetFlow Traffic Analyzer can collect data from all devices that support NetFlow v5, NetFlow v9, sFlow, or J-Flow. NetFlow v9 devices are supported using NetFlow v5 data formats.


Can Orion NTA analyze NetFlow from Cisco ASA devices?

Yes, Orion NTA supports all Cisco Adaptive Security Appliance (ASA) models.


Not sure what Netflow v9 devices are supported using v5 data formats.  ??


http://www.solarwinds.com/products/orion/nta/faq.aspx


Thank you.


Michael

Scott Nishimura (Cisco Employee) Thu, 09/30/2010 - 13:38

Hi Michael,


Looks good.  Your SolarWinds should be able to interpret the NSEL v9 being sent by the ASA.  You mentioned you received records, so it sounds like it's working.  As for seeing the same info as you saw on your router, the NSEL is different and won't be able to provide the same type of data.


thanks,

scott

mmedwid Thu, 09/30/2010 - 13:39

It could be that I have 3.5 Netflow TA and they are up to 3.7.  Downloading now...

mmedwid Thu, 09/30/2010 - 15:25

I upgraded Solar Winds netflow analyzer to 3.7 but it still is not perceiving receipt of the netflow packets from the ASA.

Scott Nishimura (Cisco Employee) Thu, 09/30/2010 - 15:31

So the SolarWinds is not seeing any data from the ASA?  If that is the case, then you will probably want to run a sniffer trace on the interface going towards the SolarWinds to make sure the ASA is sending out the data.  If it is sending the data, then you may want to open a case with SolarWinds on the data not showing up on the collector.


thanks,

scott

mmedwid Thu, 09/30/2010 - 15:38

Well, as I mentioned originally, I ran the packet sniffer Wireshark to verify that yes, indeed, the packets from the ASA are getting to the Solar Winds server.  It's just that they are ver 9 and most of my routers are sending v5 netflow packets.

Scott Nishimura (Cisco Employee) Thu, 09/30/2010 - 15:42

Hi Michael,


It sounds like something on the processing side of the SolarWinds if it's not showing any traffic from the ASA, since you had verified it was sending it via Wireshark earlier.  I would probably suggest checking with them if there is some knob or something to turn on.


thanks,

scott

jakewilson Fri, 10/01/2010 - 02:48

Is your Cisco ASA running at least version 8.2 or more recent?  This firewall and its NetFlow support have been blogged about extensively on the plixer blog.  Also, it might be worth trying a different NetFlow Analyzer like Scrutinizer just to gather more details around the problem.


NetFlows exported by the Cisco ASA. Check out this PDF:

http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf 

  * no export of ToS

  * no packet count

  * bidirectional flows (reply flow is added to the initiating flow), not RFC 5103 compliant

  * no active timeout

  * no TCP flags


I would consider testing the issue with another NetFlow Analyzer.

mmedwid Fri, 10/01/2010 - 09:17

Well having spent $$ on Solar Winds Netflow TA - they gotta just make it work.  They claim it supports ASA and netflow 9 so it's on them.


We're running 8.2(1)11 btw.
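
The thread turns on the difference between the routers' v5 exports and the ASA's v9 NSEL records. The following is an added example, not code from any poster, Cisco or SolarWinds: it reads raw export datagrams (for instance UDP payloads taken from a capture), reports the NetFlow version, lists v9 templates, and flags data FlowSets whose template has not yet been seen. The function names are hypothetical, the sample datagrams are constructed, and field type 233 is the IANA "firewallEvent" element used here as an assumed marker for NSEL templates.

```python
import struct

FW_EVENT = 233  # IANA IPFIX element "firewallEvent", present in NSEL event records

def parse_templates(body):
    """Yield (template_id, [(field_type, field_len), ...]) from a template FlowSet body."""
    off = 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        off += 4
        if tid < 256 or off + 4 * nfields > len(body):
            break  # trailing padding or truncated record
        yield tid, [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
        off += 4 * nfields

def inspect_export(datagram, known_templates):
    """Summarize one export datagram; known_templates persists across datagrams."""
    if len(datagram) < 4:
        raise ValueError("too short for a NetFlow header")
    version = struct.unpack_from("!H", datagram)[0]
    report = {"version": version, "templates": [], "decodable": [], "undecodable": []}
    if version != 9:
        return report  # v5 and earlier are fixed-format: no templates involved
    off = 20  # v9 header: version, count, sysUpTime, unix_secs, sequence, source_id
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            break  # malformed FlowSet length
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet
            for tid, fields in parse_templates(body):
                known_templates[tid] = fields
                is_nsel = any(ftype == FW_EVENT for ftype, _ in fields)
                report["templates"].append((tid, len(fields), is_nsel))
        elif fs_id >= 256:  # data FlowSet, id names the template that describes it
            seen = fs_id in known_templates
            report["decodable" if seen else "undecodable"].append(fs_id)
        off += fs_len
    return report

# Constructed sample datagrams (not captured traffic): template 256 = src, dst, fw event
HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
TEMPLATE = HDR + struct.pack("!10H", 0, 20, 256, 3, 8, 4, 12, 4, FW_EVENT, 1)
DATA = HDR + struct.pack("!HH4s4sB3x", 256, 16, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1)

if __name__ == "__main__":
    cache = {}
    for name, pkt in (("data", DATA), ("template", TEMPLATE), ("data", DATA)):
        print(name, inspect_export(pkt, cache))
```

An "undecodable" entry means the data FlowSet arrived before its template appeared in the datagrams processed so far, which is the state any v9 collector is in until the exporter sends the template.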
