topic Re: ASA 8.2 NSEL netflow in Network Security

ASA 8.2 NSEL netflow

ryancolson — Mon, 11 Mar 2019 15:29:59 GMT

I recently updated to ASA code version 8.2, and am trying ti find a utility that can read/interperate the NSEL output, and hopefully give some bandwidth stats. I ahve tried orion, scrutanizer, and advantnet. the first two didnt report anything, and adventnet only reported some IP address, but did not recognize the interface names or give any data bandwidths. It just said index1 and index2 for the interfaces.

Re: ASA 8.2 NSEL netflow

Fri, 15 May 2009 14:35:14 GMT

The adaptive security appliance implementation of NSEL is a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are used to export data about flow status, and are triggered by the event that caused the state change.

NSEL has the following prerequisites:

â€¢IP address and hostname assignments must be unique throughout the NetFlow configuration.

â€¢You must have at least one configured collector before you can use NSEL.

â€¢You must configure NSEL collectors before you can configure filters via Modular Policy Framework.

Re: ASA 8.2 NSEL netflow

ryancolson — Sun, 17 May 2009 04:43:59 GMT

ok I still dont know what I am supposed to use to read the flow logs/exports. As I have said two of the three I have tried showed absolutely nothing, and the 3rd didnt seem to be able to make much sense of it. Besides MARS, what can I use to read NSEL?

Re: ASA 8.2 NSEL netflow

delawarecity — Wed, 20 May 2009 16:06:00 GMT

For what it is worth, I talked to someone from Netflow Auditor today and they said they should be able to parse this data with Version 4 which comes out in June sometime. I am going to download version 4 and get a trial key when it is available to test this capability.

Re: ASA 8.2 NSEL netflow

kghutton — Fri, 29 May 2009 17:31:02 GMT

Leave it to Cisco to implement "Netflow" that doesn't work well with any collectors. This is almost as bad as netflow support for the SUP720's.

to get this working as far as exporting you can go here.

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/monitor.html#wp1109506

Here is the basics of what you need.

flow-export destination

class-map netflow_export_class

match any

policy-map netflow_export_policy

class netflow_export_class

flow-export event-type all destination

service-policy netflow_export_policy global

The "match any" and "flow-export event-type all" lines force the export of ALL NSEL events.

Unless you have MARS, your collector probably will get the packets and pull ifindex numbers for the interfaces, both physical and virtual, but you will not get any of the payload data from the netflow packets. I am very disappointed in this revelation, but sadly, not surprised.

Re: ASA 8.2 NSEL netflow

plumbis — Tue, 02 Jun 2009 04:37:20 GMT

The NSEL record generated by netflow configuration in 8.2 is based on NetFlow version 9, which as been an RFC since 2004.

http://www.ietf.org/rfc/rfc3954.txt

Re: ASA 8.2 NSEL netflow

plumbis — Tue, 02 Jun 2009 04:38:05 GMT

Any netflow collector that understands NetFlow v9 should be able to collect the netflow data from your ASA.

Re: ASA 8.2 NSEL netflow

ryancolson — Tue, 02 Jun 2009 10:12:27 GMT

thats the thing- I have tried several that do support V9 and they cant read from the ASA(but they can read from a 1721 exporting in V9 just fine)

Re: ASA 8.2 NSEL netflow

plumbis — Wed, 03 Jun 2009 03:42:11 GMT

v9 is pretty straight forward and I know that it can be read in wireshark if you collected packet captures to verify. Is there something specifically that your collector isn't dealing well with? I know I've seen problems where collectors are looking for the bytes in the flow which is ID 1, but that is never sent by the ASA as ID 1 is the number of bytes since the last update. The ASA uses ID 85 which is the total bytes sent.

HTH,

Pete