
New Member

ASA 5540 real time connection monitoring.

Hello everyone,

We recently migrated from a Linux-based platform over to a Cisco ASA 5540, asa823-k8.bin. We are currently having a tough time identifying high bandwidth users.

We have tried using the show threat-detection statistics command along with ASDM's top usage status feature in the firewall dashboard, but these statistics are over a 1-hour period and thus not useful in catching live connections that consume 100% of our bandwidth over a 10~30 sec period.

With our old platform, we would simply log on to the terminal and execute "pftop". This command would immediately show the current src/dst IPs causing the most traffic by packets/bytes sent/received; the employee causing the high bandwidth usage would immediately stand out and be at the top of the list regardless of the amount of traffic they had been generating for the past few seconds.

Is there a command available in the Cisco ASA platform that would allow us to see such real time statistics and/or catch these high bandwidth spikes?

Thanks in advance,

JP

1 ACCEPTED SOLUTION

Accepted Solutions
Blue

Re: ASA 5540 real time connection monitoring.

It'd be a bit more convoluted for your ASA set. Luckily, you have ASA 8.2(3), so you could set up NetFlow export to an external analyzer for near real-time bw hog identification.

Here's Cisco's official documentation on ASA NetFlow:

http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html


A more practical config example is given here:

http://www.techish.net/windows/networking/basic-setup-of-netflownsel-on-cisco-asa/

You'll of course need a piece of analyzer sw that understands ASA's NSEL exports, but I'm sure it's not hard to find one.

3 REPLIES

New Member

Re: ASA 5540 real time connection monitoring.

Thanks for the reply, yjdabear.

One last question: based on past experiences with Cisco routing products, NetFlow records are presented on the analyzer once the session has ended, so it's not exactly real time. I believe tweaks can be done to make the flows appear every X seconds, but I'm not sure. Does this hold true for the ASA's NetFlow implementation as well?

Thanks in advance.

Blue

Re: ASA 5540 real time connection monitoring.

If you mean the equivalent to the IOS "ip flow-cache timeout active", it seems that's not available on the ASA yet, according to a previous thread: https://supportforums.cisco.com/message/3133271
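To make concrete what the NetFlow/NSEL approach in the accepted answer shows, and the visibility gap the last reply confirms (no active-timeout equivalent, so byte counts arrive only when a flow is torn down), here is an added example of a collector-side top-talker view; it is not code from the thread or from Cisco. The NSEL field ids, the dict representation of a decoded record and the sample records are all assumptions/constructed data.

```python
"""Rank top talkers from decoded ASA NSEL flow records (constructed sample)."""
from collections import defaultdict

# NetFlow v9 / NSEL field ids as a collector would expose them after template
# decoding (assumed representation, not a Cisco API):
SRC, DST = 8, 12                      # IPv4 source / destination address
FW_EVENT = 233                        # NF_F_FW_EVENT: 1 = created, 2 = deleted
FWD_BYTES, REV_BYTES = 231, 232       # NF_F_FWD/REV_FLOW_DELTA_BYTES

# Constructed sample: (export time as epoch seconds, decoded record).
# Without an active timeout, byte counters arrive only in teardown (event 2) records.
SAMPLE = [
    (1000, {SRC: "10.1.1.5", DST: "203.0.113.9", FW_EVENT: 1}),
    (1005, {SRC: "10.1.1.7", DST: "198.51.100.2", FW_EVENT: 2,
            FWD_BYTES: 2_000, REV_BYTES: 9_000_000}),
    (1012, {SRC: "10.1.1.9", DST: "198.51.100.3", FW_EVENT: 2,
            FWD_BYTES: 500, REV_BYTES: 40_000}),
    (1020, {SRC: "10.1.1.5", DST: "203.0.113.9", FW_EVENT: 2,
            FWD_BYTES: 1_000, REV_BYTES: 55_000_000}),
]


def top_talkers(records, now, window=30, limit=5):
    """Bytes in both directions per inside host, summed over teardown
    records exported in the last `window` seconds, highest first."""
    totals = defaultdict(int)
    for ts, rec in records:
        # Create/deny records carry no counters; records outside the window age out.
        if rec.get(FW_EVENT) != 2 or not (now - window <= ts <= now):
            continue
        totals[rec[SRC]] += rec.get(FWD_BYTES, 0) + rec.get(REV_BYTES, 0)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def open_flows(records, now):
    """(src, dst) pairs created but not yet torn down at `now`. Their traffic
    is invisible to any byte ranking until the ASA exports the teardown."""
    created, closed = set(), set()
    for ts, rec in records:
        if ts > now:
            continue
        key = (rec[SRC], rec[DST])
        ev = rec.get(FW_EVENT)
        if ev == 1:
            created.add(key)
        elif ev == 2:
            closed.add(key)
    return sorted(created - closed)
```

At export time 1015 the 55 MB transfer by 10.1.1.5 is still an open flow and does not appear in the ranking at all; it only tops the list once the teardown record arrives at 1020, which is the delay the thread is asking about.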
