Flow-Export problem

Steven Williams
Level 4

I have followed this document for configuring my ASA5525-X running 9.1 for netflow export:

http://www.draware.dk/fileadmin/SolarWinds/Guide/How_to_configure_Netflow_on_a_Cisco_ASA.pdf

Can't seem to get it to work, though. I see the counter increasing, I see the ACL hit count going up, but my server is not getting it.

When I run a packet trace from my ASA to my Solarwinds server it says denied by an implicit deny.

What is the difference between the ACL Manager and Access Rules in ASDM?

9 Replies

julomban
Level 3

Hello,

The packet tracer is for traffic going across the ASA not to or from the ASA itself.

ACL Manager shows all the ACLs configured on the ASA (VPN, NAT, AAA, etc.) and Access Rules shows only the ACLs applied to the interfaces.

Regards,

Juan Lombana

Please rate helpful posts.

ATIASA5525-01# show run | inc flow
access-list flow-export-acl extended permit ip any any
flow-export destination inside 10.170.5.80 2055
flow-export template timeout-rate 5
flow-export delay flow-create 60
class-map flow-export-class
 match access-list flow-export-acl
class flow-export-class
  flow-export event-type all destination 10.170.5.80
ATIASA5525-01#

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
class flow-export-class
  flow-export event-type all destination 10.170.5.80

Anyone see any reason why this wouldn't work? If more clips of the running config are needed, let me know.

Try to clear the counters of the "flow-export" output by running the "clear flow-export counters" command and then collect the output of the "show flow-export counters" five minutes after the clearing.

Share the output with us.

This is about 30 minutes as I got caught up doing other things.

destination: inside 10.170.5.80 2055
  Statistics:
    packets sent                                             6891
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0
    source port allocation failure                              0

ATIASA5525-01#

Can you confirm the Netflow collector is actively listening on port 2055?

Can you confirm the packets are making it to the server?

Is the ASA the only device reporting to that same server? If not, are the other devices having issues with it?

Remember, the ASA works with Netflow v9 only.

I have about 7 Riverbeds exporting just fine to it on port 2055. I also have a 3845 exporting to it. All devices are fine. Just seems to be the ASA. From the ASA I can ping the NetFlow server, and vice versa.

Just to be sure, let's try to get a packet capture and confirm that the Netflow information from the ASA is arriving to the server.

What's the Netflow collector application you are using?

Using Solarwinds NTA

What protocol of traffic should I be seeing from the ASA to the Netflow Collector?

I see syslog, SNMP, and Cflow traffic.
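The checks asked for above (is the collector listening on 2055, are the packets arriving, is it really NetFlow v9) can be done without the collector product in the loop. The following is an added example, not code from this thread, from Cisco or from SolarWinds: a minimal NetFlow v9 decoder that caches templates per exporter, refuses anything that is not version 9, and reports data records that arrive before their template. The packet it decodes is constructed inline; its field IDs are the standard RFC 3954 ones and the addresses are assumptions (only 10.170.5.80:2055 comes from the post). Real ASA NSEL templates carry additional Cisco-specific fields, which the decoder names generically.

```python
"""Minimal NetFlow v9 decoder for checking what an exporter actually sends.

Added example, not code from the original thread or from Cisco/SolarWinds.
The sample packet below is constructed; the ASA's NSEL templates carry
more (Cisco-specific) fields than the five standard IDs used here.
"""
import socket
import struct

# RFC 3954 field type IDs used by the constructed sample (assumption: a
# real NSEL template will contain further IDs, which are named field_<n>).
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip"}
# v9 header: version, count, sysUptime, unixSecs, sequence, sourceId (20 bytes)
HEADER = struct.Struct("!HHIIII")


def _decode_field(ftype, raw):
    if ftype in (8, 12):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


class V9Decoder:
    """Caches templates per (source_id, template_id), as a collector must."""

    def __init__(self):
        self.templates = {}

    def decode(self, packet):
        version, count, _uptime, _secs, seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            # A v5-only collector would drop these silently; ASA NSEL is v9 only.
            raise ValueError(f"not NetFlow v9 (version={version})")
        records, offset = [], HEADER.size
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
            if fs_len < 4:
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._load_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._decode_data(source_id, fs_id, body))
            # fs_id 1 (options template) and anything else is skipped here
            offset += fs_len
        return {"version": version, "count": count, "sequence": seq,
                "source_id": source_id, "records": records}

    def _load_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            # Data before its template: nothing can be decoded until the
            # exporter's next template refresh (template timeout-rate on the ASA).
            return [{"template_id": tid, "undecodable": True}]
        rec_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + rec_len <= len(body):  # trailing bytes are padding
            rec, p = {}, pos
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[p:p + flen])
                p += flen
            out.append(rec)
            pos += rec_len
        return out


def build_sample_packet(include_template=True):
    """Constructed v9 packet: template 256 plus two data records (addresses assumed)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]  # src_ip, dst_ip, sport, dport, proto
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template

    def rec(src, dst, sport, dport, proto):
        return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHB", sport, dport, proto)

    data = rec("10.170.5.21", "10.170.5.80", 51000, 2055, 17) + rec("192.0.2.10", "10.170.5.80", 40000, 443, 6)
    data += b"\x00" * (-len(data) % 4)  # pad the flowset to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    flowsets = (template_fs if include_template else b"") + data_fs
    count = (1 if include_template else 0) + 2  # header count = template + data records
    return HEADER.pack(9, count, 123456, 1700000000, 1, 0) + flowsets


def listen(port=2055, max_packets=1):
    """Bind like a collector and decode the first packets (needs the real collector stopped)."""
    dec = V9Decoder()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(max_packets):
            pkt, (src, _port) = s.recvfrom(65535)
            print(src, dec.decode(pkt))


if __name__ == "__main__":
    print(V9Decoder().decode(build_sample_packet()))
```

Run `listen()` on the collector host with NTA stopped (only one process can own UDP 2055); a decoded packet with the ASA as source answers the "are the packets arriving" and "is it v9" questions in one step, and an `undecodable` record right after a restart is expected until the exporter resends its templates (the posted `flow-export template timeout-rate 5` is in minutes). On the ASA side, a `capture` on the inside interface matching UDP to host 10.170.5.80 eq 2055 shows the box-originated exports that packet-tracer cannot simulate.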

UGH! SolarWinds NTA issue: hotfix #3 for version 3.10.0 fixes the issue for ASA OS 8.4 and higher.
