I am currently testing Netflow accuracy on my Solarwinds platform. So I have been transferring a large file across an ASA 5520, which is set up to send Netflow data to our Solarwinds server.
The problem is that the Netflow data does not show up on Solarwinds for about 2.5 hours. Once it gets there the size is correct, but the time stamp on Solarwinds is 2.5 hours behind when the transfer happened. For routers it is showing up within a few minutes.
Has anyone ever come across this issue?
ASA is running 8.2(5) and Solarwinds NTA 3.9.0. Firewall and Solarwinds times / timezones are the same.
Can you share the ASA config?
We will also need to create a few captures.
I don't think it is the firewall as such.
If I download an IOS image from Cisco through the firewall, it shows on SW in about 5 minutes.
The flows I am having trouble with are file copies to a mapped drive. I am wondering if the firewall thinks the flow is active as I still have a drive mapping.
I tried it again and removed the mapping and disconnected the LAN cable, this time the flow showed in about 1 hour.
Today I will try and FTP the files to see if that works any better.
Thanks for this. I will consider upgrading the firmware, but this is a test lab Firewall and is already a version or 2 ahead of our production Firewalls. I did not want to take it even further ahead, although I might do just to test and see if the problem goes away.
Yes, I've seen flows take longer than 2.5 hours to be exported if that is how long the transfer takes. Until recently the ASA firmware including v8.2(5) didn't support active timeout. The active timeout exports the status of the flow (i.e. delta bytes) every 60 seconds. I suggest you consider upgrading to v8.4(5) to take advantage of the new biflows and the active timeout fix. With the right reporting solution, you will notice more accurate trends with v8.4(5) as the in/out flows are no longer added together.
There is a Cisco ASA webcast on Dec 13th that discusses this exact issue. Please vote on my post if it helps answer your question.
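The following is an added example, not part of any post in this thread and not ASA, SolarWinds or Plixer code. It is a toy model of the behaviour described above: a short file copy over a connection that stays open (as with a mapped drive), exported either only at teardown or with a 60-second active timeout that reports delta bytes. The file size, copy duration and teardown time are constructed values, and a constant transfer rate is assumed.

```python
# Constructed toy model; not ASA, SolarWinds or Plixer code.
START, XFER_SECONDS, TEARDOWN = 0, 300, 9000   # constructed: 5 min copy, flow open 2.5 h
TOTAL_BYTES = 600_000_000                      # constructed file size


def bytes_sent_by(t):
    """Cumulative bytes at time t, assuming a constant rate during the copy."""
    elapsed = min(max(t - START, 0), XFER_SECONDS)
    return TOTAL_BYTES * elapsed // XFER_SECONDS


def export_teardown_only():
    """No active timeout: a single record when the flow is torn down."""
    return [(TEARDOWN, TOTAL_BYTES)]


def export_active_timeout(interval=60):
    """Active timeout: delta bytes every `interval` seconds while the flow is up."""
    records, reported = [], 0
    for t in range(START + interval, TEARDOWN, interval):
        delta = bytes_sent_by(t) - reported
        if delta:                       # idle intervals carry no new bytes
            records.append((t, delta))
            reported += delta
    records.append((TEARDOWN, TOTAL_BYTES - reported))  # final record at teardown
    return records


def first_seen_delay(records):
    """Seconds between flow start and the first record reaching the collector."""
    return records[0][0] - START


if __name__ == "__main__":
    for name, recs in (("teardown only", export_teardown_only()),
                       ("active timeout", export_active_timeout())):
        print(f"{name:15} first record after {first_seen_delay(recs):>5}s, "
              f"{len(recs)} record(s), {sum(b for _, b in recs)} bytes total")
```

Both exporters account for the same total bytes; only the time at which the collector first learns of the flow differs.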
Could you comment on the issue reported in the SolarWinds Thwack community about ASA 8.4(5) having issues with NTA due to the flow template format?
Yes I sort of got the sense that you were connected with Plixer from your earlier post.
I was actually just soliciting your input (here) regarding whether has changed their flow template with ASA 8.4 and if you have any specific experience to share with respect to that.
Sorry, I misunderstood. Prior to 8.4(5) they exported only the octetTotalCount which included both the in and out byte values. I hope I'm answering your question.