11-22-2010 06:30 AM
Hello everyone,
We recently migrated from a Linux-based platform over to a Cisco ASA 5540 running asa823-k8.bin. We are currently having a tough time identifying high-bandwidth users.
We have tried using the "sh threat-detection statistics" command along with ASDM's top usage status feature in the firewall dashboard, but these statistics are over a 1-hour period and thus not useful in catching live connections that consume 100% of our bandwidth over a 10~30 sec period.
With our old platform, we would simply log on to the terminal and execute "pftop". This command would immediately show the current src/dst IP causing the most traffic by packets/bytes sent/received; the employee causing the high bandwidth usage would immediately stand out and be at the top of the list regardless of the amount of traffic they had been generating for the past few seconds.
Is there a command available in the Cisco ASA platform that would allow us to see such real-time statistics and/or catch these high-bandwidth spikes?
Thanks in advance,
JP
11-23-2010 10:58 AM
It'd be a bit more convoluted for your ASA set. Luckily, you have ASA 8.2(3), so you could set up NetFlow export to an external analyzer for near real-time bw hog identification.
Here's Cisco's official documentation on ASA NetFlow:
http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html
A more practical config example is given here:
http://www.techish.net/windows/networking/basic-setup-of-netflownsel-on-cisco-asa/
You'll of course need a piece of analyzer sw that understands ASA's NSEL exports, but I'm sure it's not hard to find one.
11-24-2010 08:07 AM
Thanks for the reply yjdabear,
One last question: based on past experiences with Cisco routing products, NetFlow records are presented on the analyzer once the session has ended, so it's not exactly real time. I believe tweaks can be done to make the flows appear every X seconds, but I'm not sure. Does this hold true for the ASA's NetFlow implementation as well?
Thanks in advance.
11-24-2010 11:07 AM
If you mean the equivalent to the IOS "ip flow-cache timeout active", it seems that's not available on the ASA yet, according to a previous thread: https://supportforums.cisco.com/message/3133271
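The two points raised in this thread, that a 1-hour average hides a 20-second burst and that a collector only learns about an ASA NSEL flow when the flow is torn down, can both be seen on the analyzer side with a small aggregation routine. The following Python is an added illustration, not code from the thread or from any NetFlow analyzer product; the `Flow` records, the IP addresses and the byte counts are constructed sample data standing in for what a collector would have decoded from NSEL exports, and the even-spread assumption inside `bytes_in_window` is a simplification that real analyzers also make when they lack per-interval counters.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow as a collector would hold it after decoding an NSEL record (constructed)."""
    src: str
    dst: str
    start: float   # epoch seconds, flow creation
    end: float     # epoch seconds, flow teardown (when the ASA exports it)
    bytes: int


# Constructed sample: one steady flow all hour, one short burst near the end, one small flow.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 0.0, 3600.0, 360_000_000),     # 100 KB/s for an hour
    Flow("10.0.0.9", "198.51.100.7", 3570.0, 3590.0, 200_000_000),  # 10 MB/s for 20 s
    Flow("10.0.0.7", "203.0.113.44", 1000.0, 1060.0, 6_000_000),    # 100 KB/s for a minute
]


def flows_exported_by(flows, now):
    """Flows the collector can actually see at time `now`.

    Models the behaviour discussed above: the ASA exports a flow when it is
    torn down, so a flow that is still open has not reached the analyzer yet.
    """
    return [f for f in flows if f.end <= now]


def bytes_in_window(flow, win_start, win_end):
    """Share of a flow's bytes inside [win_start, win_end], assuming bytes were sent evenly."""
    overlap = min(flow.end, win_end) - max(flow.start, win_start)
    if overlap <= 0:
        return 0.0
    duration = flow.end - flow.start
    if duration <= 0:
        return float(flow.bytes)  # zero-length flow: attribute everything to its timestamp
    return flow.bytes * overlap / duration


def top_talkers(flows, win_start, win_end, n=5, key=lambda f: f.src):
    """Rank hosts (by `key`, default source IP) by bytes attributed to the window.

    Returns a list of (host, bytes_in_window, bytes_per_second), highest first,
    omitting hosts with no traffic in the window.
    """
    totals = defaultdict(float)
    for f in flows:
        totals[key(f)] += bytes_in_window(f, win_start, win_end)
    width = win_end - win_start
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(host, b, b / width) for host, b in ranked[:n] if b > 0]


def report(flows, now, window_seconds):
    """Top talkers over the last `window_seconds`, using only flows exported by `now`."""
    visible = flows_exported_by(flows, now)
    return top_talkers(visible, now - window_seconds, now)


if __name__ == "__main__":
    # Hour-long view: the steady host wins, the burst is diluted.
    print("1 h window :", top_talkers(SAMPLE_FLOWS, 0.0, 3600.0))
    # 30 s view at the end of the hour: the burst host is clearly on top.
    print("30 s window:", top_talkers(SAMPLE_FLOWS, 3570.0, 3600.0))
    # The catch: at 3580 s the burst flow is still open, so the collector has not seen it.
    print("at t=3580  :", report(SAMPLE_FLOWS, 3580.0, 30.0))
    print("at t=3600  :", report(SAMPLE_FLOWS, 3600.0, 30.0))
```

Running it shows the steady host at the top of the hour-long ranking and the burst host at the top of the 30-second one, which is the gap the original question describes. The `report` calls show the second point: at t=3580 the burst flow has not been torn down, so an analyzer fed only by teardown exports ranks nothing for that window, and the burst only appears once the flow ends. On a platform with a periodic active-flow export (the IOS `ip flow-cache timeout active` behaviour asked about above) the collector would receive partial records while the flow is still open and the same aggregation would surface the host earlier.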