Netflow on ASA

Document

Oct 1, 2009 1:02 PM

Feature

Logging in high performance environments is non-trivial. NetFlow on the ASA provides an efficient way to track connection creation, teardown and denies: the data is sent as binary records in UDP packets rather than as ASCII syslog messages. The ASA platforms implement NetFlow v9, which is defined by RFC 3954. The feature was introduced in ASA 8.2.1/ASDM 6.2.1.

Terminology

Flow

This is the five-tuple <Protocol, Src Address, Src Port, Destination Address, Destination Port> of the communication stream. (In NetFlow version 5 a flow is technically defined as a 7-tuple, but the ASA uses only the 5-tuple to define a flow.)

Collector

The server to which the NetFlow data is sent and interpreted.

Exporter

The source generating the NetFlow data, in this case the ASA.

Record

Structured packet containing NetFlow data. This is the generic term for a NetFlow packet.

NSEL

NetFlow Secure Event Logging; NetFlow export packet on the ASA.

FlowSet

This is a term that only exists in NetFlow v9. It is a generic term for a collection of flow records. This includes the Template, Options and Data FlowSets.

Template FlowSet

Netflow packet defining the structure of the NetFlow record being exported.

Data FlowSet

Netflow packet that actually describes data about the IP flow.

Options FlowSet

Netflow packet that provides context for a value. (e.g., sampling rate or sampling method of an interface). Does not provide information about specific IP Flows. Not currently supported on the ASA platform.

Documentation

Configuring Network Secure Event Logging (NSEL) - ASA version 8.3 Configuration Guide

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/monitor_nsel.html

Details

NetFlow v9 Overview

The "flexible" aspect of NetFlow version 9 is the ability to create "templates", which allow an arbitrary set of fields to be collected into NetFlow records. This differs from v5 in the sense that we are no longer limited strictly to the 7-tuple defined by the RFC. Template FlowSets are sent from the Exporter to the Collector at regular intervals (the interval is configurable on the ASA) to describe the structure and options of the Data FlowSets sent by the Exporter. The Collector has no way to interpret Data FlowSets until a Template FlowSet is seen. Once a Template FlowSet has been seen by the collector it can properly parse the Data FlowSets and understand the fields and their values.

NetFlow on the ASA vs IOS

The ASA only supports NetFlow version 9 and there are no plans to support NetFlow version 5. NetFlow on the ASA is event driven. Unlike routing platforms we do not send incremental updates; NSEL records are only sent during flow creation, teardown or ACL deny events. Also unlike the routing platforms we will not populate the ToS bits or the TCP flags. Lastly, all flows on the ASA are bidirectional. All counters for a flow will increase for traffic flowing from A->B or B->A.

Limitations

  • Template refresh records can only be sent based on time intervals, not based on number of data records.
  • NetFlow records can not be seen live on the ASA as data is collected.
  • NetFlow has a significant performance impact, but it should not be any worse than normal syslog operations of the same information. There will be an uptick in memory but it should also be minimal. NetFlow configured with overlapping syslogs can cause a significant performance hit.


Configuration

ASDM

To configure NetFlow on the ASA using ASDM you can follow this document.

CLI

NetFlow is configured via the MPF and the netflow policy can only be applied globally (not per interface). The MPF can be leveraged to create any granularity you would otherwise gain by applying the policy to a specific interface.

First define the NetFlow global parameters. Define a netflow collector that can be used in the policy-map. The port is arbitrary and based on the collector implementation.

flow-export destination inside 192.168.1.13 4444

OPTIONAL: Configure a delay for flow-create NSELs. If we have a large number of created connections we can package them up into fewer NSELs with the delay option. Time is in seconds.

flow-export delay flow-create 30

OPTIONAL: Configure the template refresh rate. This is the number of minutes between sending a template record to our NetFlow collector. The default is 30 minutes and will probably work in most cases.

flow-export template timeout-rate 1

Next we create an ACL to flag interesting traffic and apply it to a class-map.

access-list netflow-hosts extended permit ip any any

class-map NetFlow-traffic
  match access-list netflow-hosts

Optionally we can configure a unique NetFlow policy map and apply it globally. Most users will have a global inspection policy, so we can just leverage that. It should be noted that we can't use class-default here, because we won't generate NetFlow data for anything that is subject to inspection. Also, the "event-type" option defines which events we want to create NSELs for (all, flow-create, flow-deny, flow-teardown).


policy-map global_policy
  class inspection_default
    <!-snip->
  class NetFlow-traffic
    flow-export event-type all destination 192.168.1.13

Finalized configuration:

access-list netflow-hosts extended permit ip any any
!
flow-export destination inside 192.168.1.13 2444
flow-export template timeout-rate 1
flow-export delay flow-create 20
!
class-map NetFlow-traffic
  match access-list netflow-hosts
!
policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
  class NetFlow-traffic
    flow-export event-type all destination 192.168.1.13

Verify configuration

To verify the configuration you can use

show flow-export counters

which shows runtime counters for NetFlow connections, and

clear flow-export counters

which clears the runtime counters.

The following example shows statistics for NetFlow events sent to an external collector at 20.0.0.20 and an internal collector at 10.0.0.10.

ciscoasa# show flow-export counters

  destination: outside 192.168.0.20 2055
    Statistics:
      packets sent                                               100
    Errors:
      block allocation failure                                   0
      invalid interface                                          0
      template send failure                                      0

  destination: inside 10.0.0.10 2055
    Statistics:
      packets sent                                               100
    Errors:
      block allocation failure                                   0
      invalid interface                                          0
      template send failure                                      0
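Checking these counters by eye is fine for one firewall; across many it is easier to parse the output and flag any destination that is sending nothing or reporting errors. The following is an added example (not code from the original document or from Cisco) that parses text in the shape of the output above. The sample output is constructed, modelled on the example, with one destination deliberately given zero packets and a non-zero template send failure count so the check has something to report.

```python
import re

# Constructed sample output modelled on the example in this document
# (not a real capture); the inside destination has been given a zero
# "packets sent" value and a non-zero error counter on purpose.
SAMPLE_OUTPUT = """\
ciscoasa# show flow-export counters

  destination: outside 192.168.0.20 2055
    Statistics:
      packets sent                                               100
    Errors:
      block allocation failure                                   0
      invalid interface                                          0
      template send failure                                      0

  destination: inside 10.0.0.10 2055
    Statistics:
      packets sent                                               0
    Errors:
      block allocation failure                                   0
      invalid interface                                          0
      template send failure                                      3
"""

# "destination: <interface> <ip> <port>"
DEST_RE = re.compile(r"destination:\s+(\S+)\s+(\S+)\s+(\d+)")
# "<counter name>   <integer>" (name is lower-case words, value right-aligned)
COUNTER_RE = re.compile(r"([a-z][a-z ]*?[a-z])\s{2,}(\d+)$")

ERROR_COUNTERS = ("block allocation failure", "invalid interface", "template send failure")


def parse_flow_export_counters(text):
    """Return {'<iface> <ip>:<port>': {counter name: value}} per destination."""
    counters, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DEST_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}:{m.group(3)}"
            counters[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            counters[current][m.group(1)] = int(m.group(2))
    return counters


def check_exporter_health(counters):
    """Flag destinations that have sent nothing or report any error counter.

    Returns a list of (destination, finding) tuples; empty means healthy."""
    findings = []
    for dest, c in counters.items():
        if c.get("packets sent", 0) == 0:
            findings.append((dest, "no packets sent"))
        for name in ERROR_COUNTERS:
            if c.get(name, 0) > 0:
                findings.append((dest, f"{name} = {c[name]}"))
    return findings


if __name__ == "__main__":
    for dest, finding in check_exporter_health(parse_flow_export_counters(SAMPLE_OUTPUT)):
        print(f"{dest}: {finding}")
```

Feed it the captured output of "show flow-export counters" (for example from a scheduled SSH job) and alert on a non-empty findings list; a rising "template send failure" count is worth correlating with the "No Template Information" issue described under Common Issues.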

Common Issues

See Data in Realtime

Unfortunately NetFlow on the ASA does not provide the ability to see the bandwidth usage in realtime. The data can be collected after the flow has been terminated and analyzed but we do not support real time viewing of the NetFlow records. Instead you can use the threat-detection feature on ASA 8.x.

Collector Not Recording Data Properly

There are a lot of defined IDs and fields in NetFlow. If the collector successfully receives the Template DataSet then all of the information exported by the ASA should be read. Cases have been seen where the NetFlow Collector was expecting or looking for fields that we do not provide. Customers will have to work with their collector vendors to verify that the collector is correctly reading the fields. Running a capture on the collector can help show that the data is arriving and understood.


No Template Information

All of the NSELs are sent via UDP. With a single Template DataSet record being sent every 30 minutes it is possible that the Template DataSet packet is dropped due to congestion, leaving the collector unable to understand the NetFlow data. flow-export template timeout-rate <time in minutes> can be configured to help overcome this.
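The dependency described in "NetFlow v9 Overview" and the failure mode above are easiest to see with a small collector. The following is an added example, not code from the original document or from Cisco: a minimal stateful NetFlow v9 parser that keeps templates per (source id, template id), decodes Data FlowSets only once their template has been seen, and counts Data FlowSets it had to discard. The export packets are constructed inline rather than captured from an ASA. The field IDs in FIELD_NAMES are the standard ones from RFC 3954 plus 233 (NF_F_FW_EVENT) from Cisco's NSEL field list; the event-value mapping covers only the three event types this document names and should be checked against the NSEL documentation for your ASA version.

```python
import struct

# Field type IDs. 1-12 are standard NetFlow v9 fields from RFC 3954;
# 233 is NF_F_FW_EVENT from Cisco's NSEL field list. Any other ID is
# reported by number so a record is never silently mis-labelled.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    233: "FW_EVENT",
}
# NSEL event values for the three event types this document names
# (1 = created, 2 = deleted/teardown, 3 = denied); verify for your version.
FW_EVENTS = {1: "flow-create", 2: "flow-teardown", 3: "flow-deny"}

# v9 export packet header: version, count, sysUptime, unixSecs, seq, sourceId
HEADER = struct.Struct("!HHIIII")


def decode_field(ftype, raw):
    """Turn the raw bytes of one field into a Python value."""
    if ftype in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)          # IPv4 address
    value = int.from_bytes(raw, "big")
    if ftype == 233:
        return FW_EVENTS.get(value, f"event_{value}")
    return value


class V9Collector:
    """Stateful collector: templates are kept per (source_id, template_id),
    which is exactly the state a collector lacks if the template packet was dropped."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0   # Data FlowSets received before their template

    def feed(self, packet):
        """Parse one export packet and return the decoded data records."""
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, offset = [], HEADER.size
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:                  # Template FlowSet
                self._learn_templates(source_id, body)
            elif fs_id >= 256:              # Data FlowSet (id 1 = Options, not sent by the ASA)
                records.extend(self._decode_data(source_id, fs_id, body))
            offset += fs_len
        return records

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            if nfields == 0:                # trailing padding, not a template
                break
            off += 4
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:                  # no template yet: cannot interpret the bytes
            self.undecodable += 1
            return []
        reclen = sum(flen for _, flen in fields)
        out, off = [], 0
        while off + reclen <= len(body):    # stops at trailing padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[off:off + flen])
                off += flen
            out.append(rec)
        return out


# --- Constructed sample packets (not a real ASA capture) ---
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (1, 4)]


def build_template_packet(seq, source_id=1):
    body = struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE_FIELDS)
    return HEADER.pack(9, 1, 0, 0, seq, source_id) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(seq, source_id=1):
    # one flow-create record: 192.168.1.50:51234 -> 10.0.0.5:443, TCP, 0 bytes so far
    rec = bytes([192, 168, 1, 50]) + bytes([10, 0, 0, 5]) + struct.pack("!HHBBI", 51234, 443, 6, 1, 0)
    pad = (-(4 + len(rec))) % 4             # FlowSets are padded to a 4-byte boundary
    return (HEADER.pack(9, 1, 0, 0, seq, source_id)
            + struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\x00" * pad)


def demo():
    """Data before its template is dropped; once the template arrives it decodes."""
    c = V9Collector()
    before = c.feed(build_data_packet(seq=1))
    c.feed(build_template_packet(seq=2))
    after = c.feed(build_data_packet(seq=3))
    return before, after, c.undecodable


if __name__ == "__main__":
    print(demo())
```

The first data packet is discarded because the collector has no template for (source 1, template 256); the same record sent after the template decodes into named fields. A collector that logs its undecodable count, as this one does, gives you a direct signal that the template refresh interval is too long for the path between the ASA and the collector.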

flow-export action not supported in interface policies

When trying to apply a NetFlow policy-map the following error is seen:

ERROR: 'flow-export' action not supported in interface policies, service-policy install failure

NetFlow policy-maps are only configurable in the global policy. There is no option to apply NetFlow policy-maps to an interface.

Collector interoperability

Various collectors from various vendors have been working successfully with the ASA, and open source ones have had no issues, though we have noticed problems with other collectors.

  • SolarWinds Orion Collector

Multiple customers have reported issues with their SolarWinds NetFlow collector. At that time they did not support NSEL with flexible templates; you would see "unknown template" type messages in the Orion syslogs. As far as we know though, they have implemented some changes and recently (Orion NetFlow Traffic Analyzer 3.5SP2 with underlying Orion Network Performance Monitor 9.5SP4) we saw the collector able to support the ASA.

  • Fluke tracker

Fluke has had problems parsing the ASA templates and currently does not seem to support them. The software will report the error "Flowsets ignored due to not having the correct template to decode them".


Comments

clapoint99 Tue, 11/10/2009 - 06:59

This information above is correct.  Orion NTA 3.5 SP2 supports NetFlow collection from Cisco ASAs and this is the currently shipping version (as of 9/14/2009).  For information on how to setup your Cisco ASA to work with Orion NTA, please see this knowledge base article.

-Chris LaPoint

Sr. Product Manager, SolarWinds

monloi.perez Sat, 03/30/2013 - 17:45

Does the current release of Cisco ASA not have a "packet" field on the template or even in the data? A dump of the netflow data does not show any value for the packet field. I've also checked the templates on each version and it seems like there is no template field relating to packets (perhaps a field with PKTS). Is this a current limitation on Cisco or is there extra config to get this to work? By the way, we are exporting netflow from Cisco ASA 8.6 and using NFDUMP/NFSEN (with nsel support) on the collector.
