topic Re: ASA 5510 is sending netflow records instead of netflow flows in Network Security

ASA 5510 is sending netflow records instead of netflow flows

mmedwid — Mon, 11 Mar 2019 18:48:10 GMT

Following the URL below I setup netflow on my ASA to be able to analyze traffic through the firewall. My netflow analyzer is Solar Winds Netflow Traffic Analyzer buit it is not perceiving receipt of the packets although I know from wire shark they are getting there. I noticed a difference in the packets from the ASA and the routers is that the ASA netflow packets are "records" whereas all the routers send netflow "flows". Why the difference? Can I get the ASA to send "flows". If no - might there be some way for Solar Winds to be able to process ASA netflow records? Thanks.

https://supportforums.cisco.com/docs/DOC-6114

Re: ASA 5510 is sending netflow records instead of netflow flows

Scott Nishimura — Thu, 30 Sep 2010 20:23:27 GMT

Hello.

The ASA supports the new netflow v9 nsel and it doesnt function like your normal router netflow. What you are seeing is correct as we will generate a netflow data record for connections that are building or being torn down. There are a few other events as well.

Please check out this doc as it will provide more information on the nsel netflow v9 . Your collector must support the cisco ASA firewall. I believe there is a version of the solarwinds that does have this support. There are not many collectors that do support it so you will need to check.

please check out:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html

thanks,

scott

Re: ASA 5510 is sending netflow records instead of netflow flows

mmedwid — Thu, 30 Sep 2010 20:32:51 GMT

According to Solar Winds

Which versions of NetFlow does Orion NetFlow Traffic Analyzer support?

Orion NetFlow Traffic Analyzer can collect data from all devices that support NetFlow v5, NetFlow v9, sFlow, or J-Flow. NetFlow v9 devices are supported using NetFlow v5 data formats.

Can Orion NTA analyze NetFlow from Cisco ASA devices?

Yes, Orion NTA supports all Cisco Adaptive Security Appliance (ASA) models.

Not sure what Netflow v9 devices are supported using v5 data formats. ??

http://www.solarwinds.com/products/orion/nta/faq.aspx

Thank you.

Michael

Re: ASA 5510 is sending netflow records instead of netflow flows

Scott Nishimura — Thu, 30 Sep 2010 20:38:00 GMT

Hi Michael,

Looks good. Your solarwinds should be able to interpret the nsel v9 being sent by the ASA. You mentioned you received records, so it sounds like its working. As for seeing the same info as you saw on your router, the nsel is different and wont be able to provide the same type of data.

thanks,

scott

Re: ASA 5510 is sending netflow records instead of netflow flows

mmedwid — Thu, 30 Sep 2010 20:39:19 GMT

It could be that I have 3.5 Netflow TA and they are up to 3.7. Downloading now...

Re: ASA 5510 is sending netflow records instead of netflow flows

mmedwid — Thu, 30 Sep 2010 22:25:36 GMT

I upgraded solar winds netflow analyzer to 3.7 but it still is not perceiving receipt of the netflow packets from the ASA.

Re: ASA 5510 is sending netflow records instead of netflow flows

Scott Nishimura — Thu, 30 Sep 2010 22:31:46 GMT

So the solarwinds is not seeing any data from the ASA? If that is the case, then you will probably want to run a sniffer trace on the interface going towards the solarwinds to make sure the ASA is sending out the data. If it is sending the data, then you may want to open a case with solarwinds on the data not showing up on the collector.

thanks,

scott

Re: ASA 5510 is sending netflow records instead of netflow flows

mmedwid — Thu, 30 Sep 2010 22:38:08 GMT

Well as I mentioned originally - I ran packet sniffer Wire Shark to verify that yes indeed the packets from the ASA are getting to the Solar Winds server. It's just that they are ver 9 and most of my routers are sending v5 netflow packets.

Re: ASA 5510 is sending netflow records instead of netflow flows

Scott Nishimura — Thu, 30 Sep 2010 22:42:58 GMT

Hi Michael,

it sounds like something on the processing side of the solarwinds if its not showing any traffic from the ASA since you had verified it was sending it via the wireshark earlier. I would probably suggest checking with them if there is some knob or something to turn on.

thanks,

scott

Re: ASA 5510 is sending netflow records instead of netflow flows

jakewilson — Fri, 01 Oct 2010 09:48:50 GMT

Is your Cisco ASA running at least version 8.2 or more recent? This firewall and its NetFlow support have been blogged about extensively on the plixer blog. Also, it might be worth trying a different NetFlow Analyzer like Scrutinizer just to gather more details around the problem.

NetFlows exported by the Cisco ASA. Check out this PDF:

http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

* no export of ToS

* no packet count

* bidirectional flows (reply flow is added to the initiating flow) non rfc 5103 compliant

* no active timeout

* no TCP flags

I would consider testing the issue with another NetFlow Analyzer.

Re: ASA 5510 is sending netflow records instead of netflow flows

mmedwid — Fri, 01 Oct 2010 16:17:59 GMT

Well having spent $$ on Solar Winds Netflow TA - they gotta just make it work. They claim it supports ASA and netflow 9 so it's on them.

We're running 8.2(1)11 btw.

Re: ASA 5510 is sending netflow records instead of netflow flows

jakewilson — Wed, 06 Oct 2010 00:08:40 GMT

Hi Michael,

Our product manager posted a new Cisco ASA video today:

http://media.plixer.com/screencasts/scrutV7ASA/scrutV7ASA/scrutV7ASA.html

Perhaps it will help our friends at solarwinds.

Warm Regards,

Jake