05-11-2009 07:16 AM - edited 03-11-2019 08:29 AM
I recently updated to ASA code version 8.2, and am trying to find a utility that can read/interpret the NSEL output, and hopefully give some bandwidth stats. I have tried Orion, Scrutinizer, and AdventNet. The first two didn't report anything, and AdventNet only reported some IP addresses, but did not recognize the interface names or give any data bandwidths. It just said index1 and index2 for the interfaces.
05-15-2009 07:35 AM
The adaptive security appliance implementation of NSEL is a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are used to export data about flow status, and are triggered by the event that caused the state change.
NSEL has the following prerequisites:
• IP address and hostname assignments must be unique throughout the NetFlow configuration.
• You must have at least one configured collector before you can use NSEL.
• You must configure NSEL collectors before you can configure filters via Modular Policy Framework.
05-16-2009 09:43 PM
OK, I still don't know what I am supposed to use to read the flow logs/exports. As I have said, two of the three I have tried showed absolutely nothing, and the third didn't seem to be able to make much sense of it. Besides MARS, what can I use to read NSEL?
05-20-2009 09:06 AM
For what it is worth, I talked to someone from Netflow Auditor today and they said they should be able to parse this data with Version 4 which comes out in June sometime. I am going to download version 4 and get a trial key when it is available to test this capability.
05-29-2009 10:31 AM
Leave it to Cisco to implement "Netflow" that doesn't work well with any collectors. This is almost as bad as netflow support for the SUP720's.
To get this working as far as exporting, you can go here.
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/monitor.html#wp1109506
Here are the basics of what you need.
flow-export destination <interface-name> <collector-ip> <udp-port>
!
class-map netflow_export_class
 match any
!
!
policy-map netflow_export_policy
 class netflow_export_class
  flow-export event-type all destination <collector-ip>
!
service-policy netflow_export_policy global
The "match any" and "flow-export event-type all" lines force the export of ALL NSEL events.
Unless you have MARS, your collector probably will get the packets and pull ifindex numbers for the interfaces, both physical and virtual, but you will not get any of the payload data from the netflow packets. I am very disappointed in this revelation, but sadly, not surprised.
06-01-2009 09:37 PM
The NSEL record generated by netflow configuration in 8.2 is based on NetFlow version 9, which has been an RFC since 2004.
06-01-2009 09:38 PM
Any netflow collector that understands NetFlow v9 should be able to collect the netflow data from your ASA.
06-02-2009 03:12 AM
That's the thing: I have tried several that do support V9 and they can't read from the ASA (but they can read from a 1721 exporting in V9 just fine).
06-02-2009 08:42 PM
v9 is pretty straightforward and I know that it can be read in Wireshark if you collected packet captures to verify. Is there something specifically that your collector isn't dealing well with? I know I've seen problems where collectors are looking for the bytes in the flow which is ID 1, but that is never sent by the ASA as ID 1 is the number of bytes since the last update. The ASA uses ID 85 which is the total bytes sent.
HTH,
Pete
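To check the ID 1 versus ID 85 point from the post above against a capture, the following added example (not part of the thread, and not Cisco or collector vendor code) parses the template flowset of a NetFlow v9 export packet and reports which byte-count field each template advertises. The two sample packets, template ID 256 and the field lengths are constructed for illustration; field IDs 8, 12, 7, 11 and 4 are the RFC 3954 address, port and protocol fields.

```python
import struct

IN_BYTES = 1          # RFC 3954 byte counter that many collectors chart
ASA_BYTES = 85        # byte counter the post above says the ASA exports instead

def parse_templates(packet):
    """Return {template_id: [(field_id, length), ...]} for one v9 export packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, offset = {}, 20            # the v9 packet header is 20 bytes
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad flowset length")
        pos, end = offset + 4, offset + length
        while flowset_id == 0 and pos + 4 <= end:   # flowset 0 carries templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if pos + 4 * nfields > end:
                raise ValueError("truncated template record")
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                              for i in range(nfields)]
            pos += 4 * nfields
        offset += length
    return templates

def byte_counter(fields):
    """Say which byte-count field a template advertises."""
    ids = {field_id for field_id, _ in fields}
    if IN_BYTES in ids:
        return "ID 1"
    return "ID 85 only" if ASA_BYTES in ids else "none"

def build_packet(fields, template_id=256):
    """Build a constructed v9 packet holding one template (sample input only)."""
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", fid, flen) for fid, flen in fields)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + struct.pack("!HH", 0, 4 + len(record)) + record

# Constructed templates: src/dst address, ports, protocol, then a byte counter.
COMMON = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
ROUTER_STYLE = build_packet(COMMON + [(IN_BYTES, 4)])
ASA_STYLE = build_packet(COMMON + [(ASA_BYTES, 4)])

if __name__ == "__main__":
    for name, pkt in (("router-style", ROUTER_STYLE), ("ASA-style", ASA_STYLE)):
        for tid, fields in parse_templates(pkt).items():
            print(name, "template", tid, "byte counter:", byte_counter(fields))
```

A template that reports "ID 85 only" matches the symptom described in this thread: the collector receives flows and interface indexes but has no ID 1 field to chart as bandwidth.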