09-30-2010 01:16 PM - edited 03-11-2019 11:48 AM
Following the URL below I set up netflow on my ASA to be able to analyze traffic through the firewall. My netflow analyzer is Solar Winds Netflow Traffic Analyzer but it is not perceiving receipt of the packets although I know from Wireshark they are getting there. I noticed a difference in the packets from the ASA and the routers is that the ASA netflow packets are "records" whereas all the routers send netflow "flows". Why the difference? Can I get the ASA to send "flows"? If no - might there be some way for Solar Winds to be able to process ASA netflow records? Thanks.
09-30-2010 01:23 PM
Hello.
The ASA supports the new netflow v9 nsel and it doesn't function like your normal router netflow. What you are seeing is correct as we will generate a netflow data record for connections that are building or being torn down. There are a few other events as well.
Please check out this doc as it will provide more information on the nsel netflow v9. Your collector must support the Cisco ASA firewall. I believe there is a version of the solarwinds that does have this support. There are not many collectors that do support it so you will need to check.
Please check out:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html
thanks,
scott
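The difference described in the reply above, as an added example that is not part of the original thread and not Cisco or SolarWinds code: a Python check that tells a v5 export from a v9 one and decodes NSEL event records from a v9 datagram once its template has been seen. The sample packet is constructed; field type 233 (NF_F_FW_EVENT) and the event codes follow Cisco's NSEL documentation, and the function and variable names are assumptions.

```python
import struct

FW_EVENT = 233  # NF_F_FW_EVENT, the NSEL event field type in ASA templates
EVENT_NAMES = {1: "created", 2: "deleted", 3: "denied", 5: "updated"}

def summarize_export(payload, templates):
    """Classify one NetFlow export datagram (UDP payload) and decode NSEL events.
    `templates` is the collector's cache {template_id: [(type, length), ...]}."""
    version, count = struct.unpack_from("!HH", payload, 0)
    if version == 5:                      # router-style export: fixed 48-byte flows
        return {"version": 5, "records": count, "events": [], "undecoded": 0}
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    events, undecoded, off = [], 0, 20    # v9 header is 20 bytes
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("bad flowset length")
        body, pos = payload[off + 4:off + fs_len], 0
        if fs_id == 0:                    # template flowset: learn record layouts
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break                 # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                  for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id >= 256 and fs_id in templates:   # data flowset we can decode
            rec_len = sum(length for _, length in templates[fs_id])
            while rec_len and pos + rec_len <= len(body):
                for ftype, length in templates[fs_id]:
                    if ftype == FW_EVENT:
                        code = int.from_bytes(body[pos:pos + length], "big")
                        events.append(EVENT_NAMES.get(code, f"event {code}"))
                    pos += length
        elif fs_id >= 256:
            undecoded += 1                # data arrived before its template
        off += fs_len
    return {"version": 9, "records": count, "events": events, "undecoded": undecoded}

def build_sample_v9():
    """Constructed sample: one template (id 256) and one 'flow created' record."""
    header = struct.pack("!HHIIII", 9, 2, 1000, 1285870560, 1, 0)
    fields = struct.pack("!HHHHHH", 8, 4, 12, 4, FW_EVENT, 1)  # src, dst, event
    template = struct.pack("!HHHH", 0, 8 + len(fields), 256, 3) + fields
    record = bytes([10, 0, 0, 5, 192, 0, 2, 10, 1]) + b"\x00" * 3  # padded to 4 bytes
    data = struct.pack("!HH", 256, 4 + len(record)) + record
    return header + template + data
```

A non-zero `undecoded` count means data flowsets arrived for a template the cache has not seen yet, which on a capture looks like packets reaching the collector without anything being displayed.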
09-30-2010 01:32 PM
According to Solar Winds
Which versions of NetFlow does Orion NetFlow Traffic Analyzer support?
Orion NetFlow Traffic Analyzer can collect data from all devices that support NetFlow v5, NetFlow v9, sFlow, or J-Flow. NetFlow v9 devices are supported using NetFlow v5 data formats.
Can Orion NTA analyze NetFlow from Cisco ASA devices?
Yes, Orion NTA supports all Cisco Adaptive Security Appliance (ASA) models.
Not sure what Netflow v9 devices are supported using v5 data formats. ??
http://www.solarwinds.com/products/orion/nta/faq.aspx
Thank you.
Michael
09-30-2010 01:38 PM
Hi Michael,
Looks good. Your solarwinds should be able to interpret the nsel v9 being sent by the ASA. You mentioned you received records, so it sounds like it's working. As for seeing the same info as you saw on your router, the nsel is different and won't be able to provide the same type of data.
thanks,
scott
09-30-2010 01:39 PM
It could be that I have 3.5 Netflow TA and they are up to 3.7. Downloading now...
09-30-2010 03:25 PM
I upgraded solar winds netflow analyzer to 3.7 but it still is not perceiving receipt of the netflow packets from the ASA.
09-30-2010 03:31 PM
So the solarwinds is not seeing any data from the ASA? If that is the case, then you will probably want to run a sniffer trace on the interface going towards the solarwinds to make sure the ASA is sending out the data. If it is sending the data, then you may want to open a case with solarwinds on the data not showing up on the collector.
thanks,
scott
09-30-2010 03:38 PM
Well as I mentioned originally - I ran packet sniffer Wire Shark to verify that yes indeed the packets from the ASA are getting to the Solar Winds server. It's just that they are ver 9 and most of my routers are sending v5 netflow packets.
09-30-2010 03:42 PM
Hi Michael,
It sounds like something on the processing side of the solarwinds if it's not showing any traffic from the ASA since you had verified it was sending it via the wireshark earlier. I would probably suggest checking with them if there is some knob or something to turn on.
thanks,
scott
10-01-2010 02:48 AM
Is your Cisco ASA running at least version 8.2 or more recent? This firewall and its NetFlow support have been blogged about extensively on the plixer blog. Also, it might be worth trying a different NetFlow Analyzer like Scrutinizer just to gather more details around the problem.
NetFlows exported by the Cisco ASA. Check out this PDF:
http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf
* no export of ToS
* no packet count
* bidirectional flows (reply flow is added to the initiating flow) non rfc 5103 compliant
* no active timeout
* no TCP flags
I would consider testing the issue with another NetFlow Analyzer.
10-01-2010 09:17 AM
Well having spent $$ on Solar Winds Netflow TA - they gotta just make it work. They claim it supports ASA and netflow 9 so it's on them.
We're running 8.2(1)11 btw.
10-05-2010 05:08 PM
Hi Michael,
Our product manager posted a new Cisco ASA video today:
http://media.plixer.com/screencasts/scrutV7ASA/scrutV7ASA/scrutV7ASA.html
Perhaps it will help our friends at solarwinds.
Warm Regards,
Jake