Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3320
Views
0
Helpful
3
Replies

ASA 5540 real time connection monitoring.

Go to solution
jp.zurbrugg
Level 1
Level 1

‎11-22-2010 06:30 AM

Hello everyone,

We recently migrated from a linux based platform over to a Cisco ASA 5540,asa823-k8.bin. We are currently having a tough time identifying high bandwidth users.

We have tried using the sh thread-detection statistics command along with the ASDMs top usage status feature in the firewall dashboard, but these statistics are over a 1 hour period and thus not useful in catching live connections that consume 100% of our bandwidth over a 10~30 sec period.

With our old platform, we would simply log on the terminal and execute "pftop". This command would imediatly show the current scr\dst IP causing the most traffic by packet \ bytes sent\received; The employee causing the high bandwidth usage would imediatly stand out and be at the top of the list regardless of the amount of traffic they had been generating for the past few seconds..

Is there a command avaiable in the Cisco ASA platform that would allow us to see such real time statistics and or catch these high bandwidth spikes ?

Thanks in advance,

JP

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yjdabear
VIP Alumni
VIP Alumni

‎11-23-2010 10:58 AM

It'd be a bit more convoluted for your ASA set. Luckily, you have ASA 8.2(3), so you could set up NetFlow export to an external analyzer for near real-time bw hog identification.

Here's Cisco's official documentation on ASA NetFlow:

http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html


A more practical config example is given here:

http://www.techish.net/windows/networking/basic-setup-of-netflownsel-on-cisco-asa/

You'll of course need a piece of analyzer sw that understands ASA's NSEL exports, but I'm sure it's not hard to find one.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
yjdabear
VIP Alumni
VIP Alumni

‎11-23-2010 10:58 AM

It'd be a bit more convoluted for your ASA set. Luckily, you have ASA 8.2(3), so you could set up NetFlow export to an external analyzer for near real-time bw hog identification.

Here's Cisco's official documentation on ASA NetFlow:

http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html


A more practical config example is given here:

http://www.techish.net/windows/networking/basic-setup-of-netflownsel-on-cisco-asa/

You'll of course need a piece of analyzer sw that understands ASA's NSEL exports, but I'm sure it's not hard to find one.

0 Helpful

Go to solution
jp.zurbrugg
Level 1
Level 1
In response to yjdabear

‎11-24-2010 08:07 AM

Thanks for the reply yjdabear,

One last question, based on past experiences with cisco routing products, Netflows are presented on the analyzer once the session has ended, so its not exactly real time. I believe tweaks can be done to make the flows appear every X seconds, but i'm not sure. Does this hold true for the ASA's netflow implementation as well ?

Thanks in advance.

0 Helpful

Go to solution
yjdabear
VIP Alumni
VIP Alumni
In response to jp.zurbrugg

‎11-24-2010 11:07 AM

If you mean the equivalent to the IOS "ip flow-cache timeout active", it seems that's not available on the ASA yet, according to a previous thread: https://supportforums.cisco.com/message/3133271

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents