Configuring SNMP & Netflow on ASA Outside Interface

paultribe
Level 1

I have an ASA configured as an Easy VPN client and I want to send Netflow information to a Netflow collector. In order to do this it appears that the Netflow collector systems I have tried require the reporting device (the ASA) be configured with SNMP. First of all I attempted to configure Netflow via the inside interface but this did not work as Netflow data did not traverse the Easy VPN tunnel. I therefore attempted to configure Netflow via the outside interface and I am receiving Netflow packets; however I cannot communicate with the ASA via SNMP. I get the following log message:

Severity  Date         Time      Syslog ID  Source IP                 Src Port  Destination IP    Dst Port  Description
7         May 19 2010  13:15:01  710005     <snmp server ip address>  2221      <asa ip address>  161       UDP request discarded from <snmp server ip address>/2221 to outside <asa ip address>/161


Can anyone advise what the best way is to go about this?

6 Replies

Marcin Latosiewicz
Cisco Employee

Paul,

Can you share your snmp-server and vpnclient configuration sections?

I understand that you're polling SNMP via tunnel and outside interface?

Marcin

See below, I have omitted all sensitive information. I have managed to find a netflow collector that works without the need for SNMP; however I would still like to know why I cannot communicate with the ASA with SNMP:


ASA Version 8.2(1)
!
hostname XXXX
domain-name XXXX
names
!
interface Vlan1
nameif inside
security-level 100
ip address XXXX

!
interface Vlan2
nameif outside
security-level 0
ip address XXXX
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name XXXX
pager lines 24
logging enable
logging asdm debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination outside XXXX 2055
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
snmp-server host outside XXXX community XXXX version 2c
snmp-server community XXXX
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 60
console timeout 0
management-access outside
dhcpd option 150 ip XXXX

!
dhcpd domain XXXX interface inside
dhcpd enable inside
!
vpnclient server XXXX

vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup XXXX password XXXX
vpnclient username XXXX password XXXX
vpnclient management clear
vpnclient enable
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
svc enable
!
class-map global-class
match dscp cs5  ef
class-map inspection_default
match default-inspection-traffic
class-map flow_export_class
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
class global-class
  priority
class flow_export_class
  flow-export event-type all destination XXXX
class class-default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXX
: end

I understand that the IP address in snmp-server host command is the one you're polling this device from.

Since the management clear is configured, the traffic should go clearly over the internet.

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4775147

Can you get a sniffer trace of that packet? We need to make sure it's the correct payload and correct host.

See attached, you will notice the source host is an RFC 1918 IP address as I am behind a firewall; however there is a static NAT configured for this address on the firewall and an ACL that allows the access. Also, can you explain what you mean by "management clear"? I didn't understand the context of what you were saying.

Thanks, Paul

Paul,

Can you please take me step by step through how you're trying to poll the ASA? Which interface are you coming in on, etc.?

I understand that the traffic capture was done on the host initiating traffic rather than on the ASA via capture (since we have ARP packets captured ;])

What I meant by management clear is this:

-----

vpnclient management clear

------

Traffic directed to the outside interface of the ASA itself should not be put in the vpn tunnel.


Bottom line here is that:

- asp/l2 checks

- if we receive a packet destined to udp/161

- if the snmp-server host command allows traffic from that source host for polling.

- if the payload of the packet is not nulled

Allow packet.

If it's being dropped there is most likely some fault in the ASP table. For which:

- removing and adding back the same line (snmp-server blabla)

or

- reloading

could be a potential solution.

I'd suggest: do a packet capture on the ASA (capture command with access-list), and see whether the packet is malformed in any way.

If it's not, try one of the above workarounds and/or try 8.2.2 rather than 8.2.1 :-)

If not open a case with TAC and we'll dig in.

Marcin
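The checks Marcin lists above (capture on the outside interface with an access-list, inspect the packet, check how the ASA handles it) written out as an ASA CLI sequence. This is an added example for this page, not configuration posted by either participant. The poller address 203.0.113.10, the ASA outside address 198.51.100.2, the source port 2221 from the log message, and the community string are placeholders; the capture and access-list names are arbitrary.

```cisco
! Added example, not from this thread. Addresses, community string and
! capture/ACL names are placeholders chosen for illustration.
!
! 1. Authorise the poller on the outside interface. Without "trap" or "poll"
!    the host may do both; "poll" restricts it to polling only.
snmp-server host outside 203.0.113.10 poll community EXAMPLE-COMMUNITY version 2c
snmp-server community EXAMPLE-COMMUNITY
!
! 2. Capture only udp/161 from the poller arriving on outside, so the ASA
!    itself records the source address and payload (not the sending host).
access-list CAP_SNMP extended permit udp host 203.0.113.10 host 198.51.100.2 eq snmp
capture snmpcap access-list CAP_SNMP interface outside
!
! 3. Trigger a poll from the collector, then inspect what the ASA saw.
show capture snmpcap detail
!
! 4. Ask the ASA how it processes such a packet and which drop reason applies.
packet-tracer input outside udp 203.0.113.10 2221 198.51.100.2 161 detailed
show asp drop
!
! 5. Remove the capture once the check is complete.
no capture snmpcap
```

If the capture shows a well-formed request from the expected source but packet-tracer still reports a drop, that is the situation in which Marcin suggests re-entering the snmp-server host line or reloading, since the decision is taken from the ASP tables rather than from the running configuration text.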

The netflow collector simply requires communication to the ASA using SNMP on UDP port 161. I wish to communicate over the Internet with the ASA's outside interface. I therefore try to contact the ASA from the collector host and the connection fails with the message I described earlier.
