topic Flow-Export problem in Network Security

Flow-Export problem

Steven Williams — Tue, 12 Mar 2019 01:56:56 GMT

I have followed this document for configuring my ASA5525-X running 9.1 for netflow export:

http://www.draware.dk/fileadmin/SolarWinds/Guide/How_to_configure_Netflow_on_a_Cisco_ASA.pdf

Cant seem to get it to work though. I see the counter increasing, I see the ACL hit count going up, but my server is not getting into.

When I run a packet trace from my ASA to my Solarwinds server it says denied by an implicit deny.

What is the difference between the ACL Manager and Access Rules in ASDM?

Flow-Export problem

julomban — Wed, 12 Jun 2013 21:28:37 GMT

Hello,

The packet tracer is for traffic going across the ASA not to or from the ASA itself.

ACL manager shows all the ACL's configured on the ASA (VPN, NAT, AAA, etc) and Access Rules shows only the ACL's applied to the interfaces.

Regards,

Juan Lombana

Please rate helpful posts.

Flow-Export problem

Steven Williams — Thu, 13 Jun 2013 17:32:39 GMT

ATIASA5525-01# show run | inc flow

access-list flow-export-acl extended permit ip any any

flow-export destination inside 10.170.5.80 2055

flow-export template timeout-rate 5

flow-export delay flow-create 60

class-map flow-export-class

match access-list flow-export-acl

class flow-export-class

flow-export event-type all destination 10.170.5.80

ATIASA5525-01#

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

class flow-export-class

flow-export event-type all destination 10.170.5.80 policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class flow-export-class
flow-export event-type all destination 10.170.5.80

Anyone see any reason why this wouldnet work? If more clips of the running config is needed, let me know.

Flow-Export problem

Favaloro. — Thu, 13 Jun 2013 17:54:03 GMT

Try to clear the counters of the "flow-export" output by running the "clear flow-export counters" command and then collect the output of the "show flow-export counters" five minutes after the clearing.

Share the output with us.

Flow-Export problem

Steven Williams — Thu, 13 Jun 2013 18:44:33 GMT

This is about 30 minutes as I got caught up doing other things.

destination: inside 10.170.5.80 2055
Statistics:
    packets sent                                             6891
Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0
    source port allocation failure                              0

ATIASA5525-01#

Flow-Export problem

Favaloro. — Thu, 13 Jun 2013 19:07:23 GMT

Can you confirm the Netflow collector is actively listening on port 2055?

Can you confirm the packets are making it to the server?

Is the ASA the only device reporting to that same server? If not, are the other devices having issues with it?

Remember, the ASA works with Netflow v9 only.

Flow-Export problem

Steven Williams — Thu, 13 Jun 2013 19:10:56 GMT

I have about 7 riverbeds exporting just fine to it on port 2055. I also have a 3845 exporting to it. All devices are fine. Just seems to be the ASA. From the asa I can ping the netflow server, and vice versa.

Flow-Export problem

Favaloro. — Thu, 13 Jun 2013 20:24:23 GMT

Just to be sure, let's try to get a packet capture and confirm that the Netflow information from the ASA is arriving to the server.

What's the Netflow collector application you are using?

Flow-Export problem

Steven Williams — Fri, 14 Jun 2013 14:30:04 GMT

Using Solarwinds NTA

What protocol of traffic should I be seeing from the ASA to the Netflow Collector?

I see syslog, SNMP, and Cflow traffic.

Flow-Export problem

Steven Williams — Fri, 14 Jun 2013 15:01:09 GMT

UGH! Solarwinds NTA issue, hotfix#3 for version 3.10.0 fixes the issue for ASA OS 8.4 and higher.