CSM 4.4sp1 netflow configuration for ASA

Michel Pedersen
Level 1

Hi,

We are running Cisco Security Manager 4.4 service pack 1 and our ASAs are all running 9.0.2/9.1.1.

I've hit a problem with export to netflow from my ASA firewalls configured through CSM.

We configure the netflow export under platform/logging and enable flow export. Looking at "show flow-export counters" on the ASA, however, very few flows are exported, and no netflow shows up in our netflow analyzer.

Looking at the deployment this is what is deployed (for netflow):

! COMMENT: Bulk request written; reading response...
Line# 2. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export template timeout-rate 1
Received (Fri Jun 07 08:50:05 CEST 2013):
Line# 3. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export destination outside 146.2.217.125 19996
Received (Fri Jun 07 08:50:05 CEST 2013):
Line# 4. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export delay flow-create 60

As I understand it, I need to match what traffic to export to netflow, which is set up as a service policy rule. I cannot find any option to export to netflow under the service policy rules, however (only IPS, CXSC, Connection Settings, QoS, CSC, User statistics and Scansafe).

I configured a flexconfig to append to the configuration and this seems to export the data until the next time a policy is pushed. The configuration changes done by the flexconfig are then removed from the ASA and netflow stops working.

My flexconfig (append) looks like this:

access-list netflow-hosts extended permit ip any any
class-map NetFlow-traffic
 match access-list netflow-hosts
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination X.X.X.X

Has anybody found a way to get netflow export to work correctly when configured using CSM?

-Michel

2 Replies

wkho
Level 1

Try adding in the following line under flexconfig with the rest of your netflow configurations.

flow-export template timeout-rate 1


This is my flexconfig on my firewalls using CSM:

access-list global_mpc extended permit ip any any
class-map global-class
 match access-list global_mpc
policy-map global_policy
 class global-class
  flow-export event-type all destination x.x.x.x
flow-export template timeout-rate 1

We just upgraded to CSM 4.5 and I have verified that Netflow configuration is now fully supported there so no need to use a flexconfig to make it work anymore. In CSM 4.5 we can finally specify a service policy to match the netflow traffic.

Case closed for us :-)

-Michel
