Welcome to Cisco Firewalls Community


Cisco ASA Netflow traffic delayed to Solar Winds

I am currently testing Netflow accuracy on my Solarwinds platform. So I have been transferring a large file across an ASA 5520, which is set up to send Netflow data to our Solarwinds server.

The problem is that the Netflow data does not show up on Solarwinds for about 2.5 hours. Once it gets there the size is correct, but the time stamp on Solarwinds is 2.5 hours behind when the transfer happened. For routers it is showing up within a few minutes.

Has anyone ever come across this issue?

ASA is running 8.2(5) and Solarwinds NTA 3.9.0. Firewall and Solarwinds times / timezones are the same.


Cisco ASA Netflow traffic delayed to Solar Winds

Hello Richard,

Can you share the ASA config?

We also will need to create a few captures.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

Cisco ASA Netflow traffic delayed to Solar Winds

I don't think it is the firewall as such.

If I download an IOS image from Cisco through the firewall, it shows on SW in about 5 minutes.

The flows I am having trouble with are file copies to a mapped drive. I am wondering if the firewall thinks the flow is active as I still have a drive mapping.

I tried it again and removed the mapping and disconnected the LAN cable. This time the flow showed in about 1 hour.

Today I will try and FTP the files to see if that works any better.

Beginner

Cisco ASA Netflow traffic delayed to Solar Winds

Thanks for this. I will consider upgrading the firmware, but this is a test lab Firewall and is already a version or 2 ahead of our production Firewalls. I did not want to take it even further ahead, although I might do just to test and see if the problem goes away.

Beginner

Cisco ASA Netflow traffic delayed to Solar Winds

Hi Richard,

Yes, I've seen flows take longer than 2.5 hours to be exported if that is how long the transfer takes. Until recently the ASA firmware, including v8.2(5), didn't support active timeout. The active timeout exports the status of the flow (i.e. delta bytes) every 60 seconds. I suggest you consider upgrading to v8.4(5) to take advantage of the new biflows and the active timeout fix. With the right reporting solution, you will notice more accurate trends with v8.4(5) as the in/out flows are no longer added together.

There is a Cisco ASA webcast on Dec 13th that discusses this exact issue. Please vote on my post if it helps answer your question. 

Best Regards,

Jake Wilson

NetFlow Knight
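
Added example (not part of any post in this thread, and not Cisco or SolarWinds code): a small model of the behaviour described in the reply above, comparing teardown-only export with a 60-second active timeout for a flow whose connection outlives the file copy. The function names, the byte counts and the timings are constructed; the model assumes a constant-rate transfer and skips updates that carry no new bytes.

```python
"""Constructed model: when do a long-lived flow's bytes reach a NetFlow collector?"""

def bytes_sent_by(t, start, end, total):
    """Bytes transferred by time t, assuming a constant rate between start and end."""
    if t <= start:
        return 0
    if t >= end:
        return total
    return total * (t - start) // (end - start)

def export_records(start, end, teardown, total, active_refresh=None):
    """Return [(export_time_s, delta_bytes)] for one flow.

    active_refresh=None -> one record at teardown carrying the full byte count.
    active_refresh=N    -> an update every N seconds with the delta bytes since
                           the previous update, then a final record at teardown.
    """
    records, reported = [], 0
    if active_refresh:
        t = start + active_refresh
        while t < teardown:
            seen = bytes_sent_by(t, start, end, total)
            if seen > reported:          # model choice: skip empty updates
                records.append((t, seen - reported))
                reported = seen
            t += active_refresh
    records.append((teardown, total - reported))
    return records

def fully_reported_at(records, total):
    """Export time at which the collector has received all bytes of the flow."""
    running = 0
    for when, delta in records:
        running += delta
        if running >= total:
            return when
    return None

# Constructed scenario: a 10-minute copy to a mapped drive whose TCP session
# stays open for 2.5 hours before the firewall sees it torn down.
START, END, TEARDOWN, TOTAL = 0, 600, 9000, 600_000_000

if __name__ == "__main__":
    for label, refresh in (("teardown-only", None), ("active timeout 60s", 60)):
        recs = export_records(START, END, TEARDOWN, TOTAL, refresh)
        lag = fully_reported_at(recs, TOTAL) - END
        print(f"{label}: {len(recs)} record(s), bytes complete {lag}s after copy ends")
```
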

Hall of Fame Guru

Cisco ASA Netflow traffic delayed to Solar Winds

Jake,

Could you comment on the issue reported in the SolarWinds Thwack community about ASA 8.4(5) having issues with NTA due to the flow template format?

Reference: http://thwack.solarwinds.com/message/186323#186323

Beginner

Cisco ASA Netflow traffic delayed to Solar Winds

Hi Marvin,

I work for Plixer.  I don't think Solarwinds wants me on their forum. 

Jake Wilson

NetFlow Knight

Hall of Fame Guru

Cisco ASA Netflow traffic delayed to Solar Winds

Hi Jake,

Yes I sort of got the sense that you were connected with Plixer from your earlier post.

I was actually just soliciting your input (here) regarding whether has changed their flow template with ASA 8.4 and if you have any specific experience to share with respect to that.

Best regards,

- Marvin

Beginner

Cisco ASA Netflow traffic delayed to Solar Winds

Sorry, I misunderstood. Prior to 8.4(5) they exported only the octetTotalCount which included both the in and out byte values. I hope I'm answering your question.
