12-06-2012 06:06 AM - edited 03-11-2019 05:33 PM
I am currently testing Netflow accuracy on my Solarwinds platform. So I have been transferring a large file across an ASA 5520, which is set up to send Netflow data to our Solarwinds server.
The problem is that the Netflow data does not show up on Solarwinds for about 2.5 hours. Once it gets there the size is correct, but the time stamp on Solarwinds is 2.5 hours behind when the transfer happened. For routers it is showing up within a few minutes.
Has anyone ever come across this issue?
ASA is running 8.2(5) and Solarwinds NTA 3.9.0. Firewall and Solarwinds times / timezones are the same.
12-06-2012 10:03 AM
Hello Richard,
Can you share the ASA config?
We will also need to create a few captures.
Julio
12-07-2012 02:04 AM
I don't think it is the firewall as such.
If I download an IOS image from Cisco through the firewall, it shows on SW in about 5 minutes.
The flows I am having trouble with are file copies to a mapped drive, I am wondering if the firewall thinks the flow is active as I still have a drive mapping.
I tried it again and removed the mapping and disconnected the LAN cable, this time the flow showed in about 1 hour.
Today I will try and FTP the files to see if that works any better.
12-10-2012 01:09 AM
Thanks for this. I will consider upgrading the firmware, but this is a test lab Firewall and is already a version or 2 ahead of our production Firewalls. I did not want to take it even further ahead, although I might do just to test and see if the problem goes away.
12-08-2012 05:42 PM
Hi Richard,
Yes, I've seen flows take longer than 2.5 hours to be exported if that is how long the transfer takes. Until recently the ASA firmware including v8.2(5) didn't support active timeout. The active timeout exports the status of the flow (i.e. delta bytes) every 60 seconds. I suggest you consider upgrading to v8.4(5) to take advantage of the new biflows and the active timeout fix. With the right reporting solution, you will notice more accurate trends with v8.4(5) as the in/out flows are no longer added together.
There is a Cisco ASA webcast on Dec 13th that discusses this exact issue. Please vote on my post if it helps answer your question.
Best Regards,
Jake Wilson
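The export timing described in the post above, as an added example that is not part of the original thread: a small model comparing one record at flow teardown with delta-byte updates every 60 seconds. The transfer size, start time, constant transfer rate and hourly bucketing by export time are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def export_records(start, duration_s, total_bytes, active_timeout_s=None):
    """Model the export records one flow produces.

    active_timeout_s=None: a single record when the flow ends (the behaviour
    the post describes for 8.2(5)). Otherwise: an update carrying delta bytes
    every active_timeout_s seconds, plus a final record at teardown.
    Assumes a constant transfer rate.
    """
    end = start + timedelta(seconds=duration_s)
    if not active_timeout_s:
        return [(end, total_bytes)]
    records, sent = [], 0
    for t in range(active_timeout_s, duration_s, active_timeout_s):
        cumulative = total_bytes * t // duration_s
        records.append((start + timedelta(seconds=t), cumulative - sent))
        sent = cumulative
    records.append((end, total_bytes - sent))
    return records

def first_visible_delay(start, records):
    """Seconds between flow start and the first record reaching the collector."""
    return (records[0][0] - start).total_seconds()

def bytes_by_hour(records):
    """Bucket bytes by the hour of export time (assumed collector charting)."""
    buckets = defaultdict(int)
    for when, delta in records:
        buckets[when.hour] += delta
    return dict(buckets)

# Constructed sample: a 2.5 hour copy of 4.5 GB starting at 06:00.
START = datetime(2012, 12, 6, 6, 0, 0)
DURATION_S = 9000
TOTAL_BYTES = 4_500_000_000

if __name__ == "__main__":
    for label, timeout in (("teardown only", None), ("active timeout 60s", 60)):
        recs = export_records(START, DURATION_S, TOTAL_BYTES, timeout)
        print(label, len(recs), first_visible_delay(START, recs), bytes_by_hour(recs))
```

With teardown-only export the whole transfer lands in the 08:00 bucket, which matters for any monitoring or detection that relies on seeing a long-lived transfer while it is still in progress.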
12-09-2012 08:53 AM
Jake,
Could you comment on the issue reported in the SolarWinds Thwack community about ASA 8.4(5) having issues with NTA due to the flow template format?
Reference: http://thwack.solarwinds.com/message/186323#186323
12-16-2012 02:04 PM
Hi Marvin,
I work for Plixer. I don't think Solarwinds wants me on their forum.
Jake Wilson
12-16-2012 03:53 PM
Hi Jake,
Yes I sort of got the sense that you were connected with Plixer from your earlier post.
I was actually just soliciting your input (here) regarding whether has changed their flow template with ASA 8.4 and if you have any specific experience to share with respect to that.
Best regards,
- Marvin
12-18-2012 04:19 PM
Sorry, I misunderstood. Prior to 8.4(5) they exported only the octetTotalCount which included both the in and out byte values. I hope I'm answering your question.