Cisco ASA Netflow traffic delayed to Solar Winds

Richard Tapp
Beginner

I am currently testing Netflow accuracy on my Solarwinds platform. So I have been transferring a large file across an ASA 5520, which is set up to send Netflow data to our Solarwinds server.

The problem is that the Netflow data does not show up on Solarwinds for about 2.5 hours. Once it gets there the size is correct, but the time stamp on Solarwinds is 2.5 hours behind when the transfer happened. For routers it is showing up within a few minutes.

Has anyone ever come across this issue?

ASA is running 8.2(5) and Solarwinds NTA 3.9.0. Firewall and Solarwinds times / timezones are the same.

8 Replies

Julio Carvajal
Advisor

Hello Richard,

Can you share the ASA config?

We will also need to create a few captures.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I don't think it is the firewall as such.

If I download an IOS image from Cisco through the firewall, it shows on SW in about 5 minutes.

The flows I am having trouble with are file copies to a mapped drive, I am wondering if the firewall thinks the flow is active as I still have a drive mapping.

I tried it again and removed the mapping and disconnected the LAN cable, this time the flow showed in about 1 hour.

Today I will try and FTP the files to see if that works any better.

Thanks for this. I will consider upgrading the firmware, but this is a test lab firewall and is already a version or 2 ahead of our production firewalls. I did not want to take it even further ahead, although I might do just to test and see if the problem goes away.

jakewilson
Beginner

Hi Richard,

Yes, I've seen flows take longer than 2.5 hours to be exported if that is how long the transfer takes. Until recently the ASA firmware, including v8.2(5), didn't support active timeout. The active timeout exports the status of the flow (i.e. delta bytes) every 60 seconds. I suggest you consider upgrading to v8.4(5) to take advantage of the new biflows and the active timeout fix. With the right reporting solution, you will notice more accurate trends with v8.4(5) as the in/out flows are no longer added together.

There is a Cisco ASA webcast on Dec 13th that discusses this exact issue. Please vote on my post if it helps answer your question. 

Best Regards,

Jake Wilson

NetFlow Knight
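A simplified model of the behaviour described in the reply above, as an added example that is not part of the thread or of any vendor's code: it compares a single record exported at flow teardown with delta-byte records exported every 60 seconds, and shows what a collector that bins by arrival time would see. The constant transfer rate, the 300-second collector bin and all function names are assumptions made for the illustration.

```python
from collections import defaultdict

def teardown_only(start, end, total_bytes):
    """One record carrying the full byte count, sent when the flow ends."""
    return [(end, total_bytes)]

def periodic_updates(start, end, total_bytes, interval=60):
    """Delta-byte records every `interval` seconds, plus a final one at teardown.
    Assumes a constant transfer rate (illustration only)."""
    duration = end - start
    records, sent, t = [], 0, start + interval
    while t < end:
        cumulative = total_bytes * (t - start) // duration
        records.append((t, cumulative - sent))
        sent = cumulative
        t += interval
    records.append((end, total_bytes - sent))  # remainder reported at teardown
    return records

def bin_by_arrival(records, bin_seconds=300):
    """What a collector charts if it attributes bytes to the record's arrival time."""
    bins = defaultdict(int)
    for ts, nbytes in records:
        bins[ts - ts % bin_seconds] += nbytes
    return dict(sorted(bins.items()))

def first_visible_lag(records, start):
    """Seconds between the flow starting and the collector first seeing it."""
    return min(ts for ts, _ in records) - start

if __name__ == "__main__":
    # Constructed sample: a 2.5 hour transfer (9000 s) of 9,000,000 bytes.
    START, END, TOTAL = 0, 9000, 9_000_000
    for name, recs in (("teardown only", teardown_only(START, END, TOTAL)),
                       ("60 s updates", periodic_updates(START, END, TOTAL))):
        bins = bin_by_arrival(recs)
        print(f"{name}: first visible after {first_visible_lag(recs, START)} s, "
              f"{len(bins)} chart bins, {sum(bins.values())} bytes total")
```

In both cases the byte total is correct; only the time at which the traffic becomes visible, and how it is spread across the chart, differs.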

Jake,

Could you comment on the issue reported in the SolarWinds Thwack community about ASA 8.4(5) having issues with NTA due to the flow template format?

Reference: http://thwack.solarwinds.com/message/186323#186323

Hi Marvin,

I work for Plixer.  I don't think Solarwinds wants me on their forum. 

Jake Wilson

NetFlow Knight

Hi Jake,

Yes I sort of got the sense that you were connected with Plixer from your earlier post.

I was actually just soliciting your input (here) regarding whether has changed their flow template with ASA 8.4 and if you have any specific experience to share with respect to that.

Best regards,

- Marvin

Sorry, I misunderstood. Prior to 8.4(5) they exported only the octetTotalCount which included both the in and out byte values. I hope I'm answering your question.
