topic Re: Netflow on ASA with Manage Engine NTA in Network Security

Netflow on ASA with Manage Engine NTA

chelsea4ever — Mon, 11 Mar 2019 20:33:58 GMT

Hi ,

I have been trying to use the netflow features V9 with Manage engine NTA. I configured the ASA for netflow via ASDM. When i go to the webconsole of the Manage Engine i get this message

No device is currently exporting NetFlow / sFlow packets to NetFlow Analyzer.

Listening for NetFlow / sFlow Packets at Port 9996

So i decided to verify my configuration using the # show flow-export counters

and i had this output

ciscoasa# sh flow-export counters

destination: inside 192.168.1.10 9996
Statistics:
    packets sent                                              180
Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0

By looking at the last line made me think i had no route to the collector from the ASA. What do i need to do.

I have attached the running configuration of my ASA. Help me to sort this issue.

Re: Netflow on ASA with Manage Engine NTA

Maykol Rojas — Mon, 16 May 2011 16:53:56 GMT

Hi,

You are missing a couple of commands there, please add

flow-export destination inside 192.168.1.10

flow-export template timeout-rate 1

Try to ping the collector from the ASA. You can use the following guide for reference:

https://supportforums.cisco.com/docs/DOC-6113

If you have any questions, let me know.

Mike

Re: Netflow on ASA with Manage Engine NTA

chelsea4ever — Mon, 16 May 2011 17:07:50 GMT

Thanks for your reply. the 2 commands u mentioned are already in my config

Pls refer to my attached doc.

Re: Netflow on ASA with Manage Engine NTA

Maykol Rojas — Mon, 16 May 2011 17:16:33 GMT

Ohh, Didnt see those... can you run a packet capture?

capture test interface inside match udp any any eq 9996

Then download the capture as follows:

https://192.168.1.1/capture/test/pcap

Also, were you able to ping the server from the ASA ?

Mike

Re: Netflow on ASA with Manage Engine NTA

chelsea4ever — Mon, 16 May 2011 17:26:53 GMT

thanks I have attached the packet capture file. i have not enabled ping on the asa.

Re: Netflow on ASA with Manage Engine NTA

Maykol Rojas — Mon, 16 May 2011 17:38:00 GMT

Hi,

The issue ist that there is no template for the NTA to read the netflow data, however, the packets are being sent. Would you please take this command out?

flow-export delay flow-create 60

Then, take a capture for 2 minutes and then send it to me again.

Cheers

Mike

Re: Netflow on ASA with Manage Engine NTA

chelsea4ever — Mon, 16 May 2011 17:57:20 GMT

I have taken the command off and have attached the captured file. thanks

Re: Netflow on ASA with Manage Engine NTA

Maykol Rojas — Mon, 16 May 2011 18:10:31 GMT

Hi,

Now I can see that the firewall its doing its job, from this point now you will need to troubleshoot the server. On the attached capture you can see that the firewall is sending the flow information, in the previous capture I was not able to see it because the template didnt arrived. Now with this new capture, I can see the template and I can see that the flow is being sent to the collector.

I know that this is not an ASA problem, but you can start wireshark on the server to see if you get the template and if you see the flows, if you do, it would be an application issue.

Mike

Re: Netflow on ASA with Manage Engine NTA

chelsea4ever — Mon, 16 May 2011 19:02:12 GMT

Thank you finally managed to sort the issue out. Windows 7 firewall was the issue. disabled it and works without any issue

Re: Netflow on ASA with Manage Engine NTA

Maykol Rojas — Mon, 16 May 2011 19:04:58 GMT

Hi,

Excellent, I thought of something like that. I am glad that everything is working. Thank you for posting.

Mike

Re: Netflow on ASA with Manage Engine NTA

chelsea4ever — Mon, 16 May 2011 19:07:55 GMT

thanks for helping me out. btw i have to ask when i issued the sh flow-export counters command why did i get a no route to collector output.

Re: Netflow on ASA with Manage Engine NTA

Maykol Rojas — Mon, 16 May 2011 19:17:13 GMT

Well, if you notice, the counter is on 0, so it did not have issues with no route to collector, If the collector would have been on a non-directly connected network and the ASA wouldnt have a route to it, you would be able to see the counter incrementing.

Cheers.

Mike