06-07-2013 01:55 AM - edited 02-21-2020 04:54 AM
Hi,
We are running Cisco Security Manager 4.4 Service Pack 1, and our ASAs are all running 9.0.2/9.1.1.
I've hit a problem with export to netflow from my ASA firewalls configured through CSM.
We configure the NetFlow export under Platform/Logging and enable flow export. Looking at "show flow-export counters" on the ASA, however, very few flows are exported, and no NetFlow shows up in our NetFlow analyzer.
Looking at the deployment this is what is deployed (for netflow):
! COMMENT: Bulk request written; reading response...
Line# 2. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export template timeout-rate 1
Received (Fri Jun 07 08:50:05 CEST 2013):
Line# 3. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export destination outside 146.2.217.125 19996
Received (Fri Jun 07 08:50:05 CEST 2013):
Line# 4. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export delay flow-create 60
As I understand it, I need to match which traffic to export to NetFlow, which is set up as a service policy rule. I cannot find any option to export to NetFlow under the service policy rules, however (only IPS, CXSC, Connection Settings, QoS, CSC, User Statistics and ScanSafe).
I configured a FlexConfig to append to the configuration, and this exports the data until the next time a policy is pushed. The configuration changes made by the FlexConfig are then removed from the ASA and NetFlow stops working.
My FlexConfig (append) looks like this:
access-list netflow-hosts extended permit ip any any
class-map NetFlow-traffic
match access-list netflow-hosts
policy-map global_policy
class NetFlow-traffic
flow-export event-type all destination X.X.X.X
Has anybody found a way to get NetFlow export working correctly when configured through CSM?
-Michel
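The symptom in the post above (a flow-export destination deployed, but near-zero counters and nothing at the collector) is what an ASA looks like when the MPF side of NetFlow Secure Event Logging is missing: a class-map matching the traffic, a policy-map class carrying "flow-export event-type ... destination", and the policy-map applied with "service-policy". The checker below is an added example written for this thread, not code from the original post, from CSM or from Cisco; it parses a running-config fragment and reports which of those pieces is absent or inconsistent. The two sample configurations are constructed by hand (the first mirrors the CSM deployment log, the second adds the FlexConfig block, with the collector address from the log substituted for X.X.X.X).

```python
"""Check an ASA running-config fragment for a complete NetFlow Secure Event
Logging (NSEL) setup.  Added example for this thread (not from the original
post or from Cisco); the sample configs are constructed by hand.

A working NSEL configuration needs four pieces that agree with each other:
  1. flow-export destination <interface> <ip> <port>
  2. a class-map that matches the traffic to export
  3. that class inside a policy-map with 'flow-export event-type ... destination <ip>'
  4. the policy-map applied with 'service-policy <name> global' (or per interface)
"""
import re
from dataclasses import dataclass, field


@dataclass
class NselConfig:
    destinations: list = field(default_factory=list)    # (interface, ip, port)
    classes: dict = field(default_factory=dict)         # class-map name -> match lines
    policy_exports: list = field(default_factory=list)  # (policy, class, destination ip)
    applied_policies: set = field(default_factory=set)  # names used in service-policy


def parse_asa_config(text):
    """Extract the NSEL-relevant statements from ASA config text."""
    cfg = NselConfig()
    current_class = current_policy = current_pclass = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        s = line.strip()
        if not line.startswith(" "):
            # A top-level command ends any class-map / policy-map block.
            current_class = current_policy = current_pclass = None
            m = re.match(r"flow-export destination (\S+) (\S+) (\d+)$", s)
            parts = s.split()
            if m:
                cfg.destinations.append((m.group(1), m.group(2), int(m.group(3))))
            elif parts[0] == "class-map" and len(parts) >= 2 and parts[1] != "type":
                current_class = parts[1]
                cfg.classes.setdefault(current_class, [])
            elif parts[0] == "policy-map" and len(parts) >= 2:
                current_policy = parts[1]
            elif parts[0] == "service-policy" and len(parts) >= 2:
                cfg.applied_policies.add(parts[1])
            continue
        # Indented lines belong to the block opened above.
        if current_class and s.startswith("match "):
            cfg.classes[current_class].append(s)
        elif current_policy and s.startswith("class "):
            current_pclass = s.split()[1]
        elif current_policy and current_pclass:
            m = re.match(r"flow-export event-type \S+ destination (\S+)", s)
            if m:
                cfg.policy_exports.append((current_policy, current_pclass, m.group(1)))
    return cfg


def check_nsel(cfg):
    """Return a list of problems; an empty list means NSEL should export flows."""
    problems = []
    if not cfg.destinations:
        problems.append("no 'flow-export destination' configured")
    dest_ips = {ip for _, ip, _ in cfg.destinations}
    if not cfg.policy_exports:
        problems.append("no policy-map class carries 'flow-export event-type ... destination'")
    for policy, cls, ip in cfg.policy_exports:
        if cls != "class-default" and cls not in cfg.classes:
            problems.append(f"policy-map {policy} references undefined class {cls}")
        elif cls in cfg.classes and not cfg.classes[cls]:
            problems.append(f"class-map {cls} has no match statement")
        if ip not in dest_ips:
            problems.append(f"{policy}/{cls} exports to {ip}, which is not a flow-export destination")
        if policy not in cfg.applied_policies:
            problems.append(f"policy-map {policy} is not applied with 'service-policy'")
    return problems


# Constructed sample: what CSM 4.4 deployed in the thread (destination only).
CSM_ONLY = """\
flow-export template timeout-rate 1
flow-export destination outside 146.2.217.125 19996
flow-export delay flow-create 60
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
"""

# Constructed sample: the same box after the FlexConfig append from the post.
WITH_FLEXCONFIG = CSM_ONLY + """\
access-list netflow-hosts extended permit ip any any
class-map NetFlow-traffic
 match access-list netflow-hosts
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination 146.2.217.125
"""

if __name__ == "__main__":
    for name, text in (("CSM only", CSM_ONLY), ("with FlexConfig", WITH_FLEXCONFIG)):
        print(name, "->", check_nsel(parse_asa_config(text)) or "OK")
```

Run against a saved "show running-config", the checker flags the first sample for lacking any policy-map class with a flow-export action, and passes the second; it also catches a destination address in the policy-map that does not match any "flow-export destination" line, which is easy to get wrong when the address is hand-typed into a FlexConfig.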
11-26-2013 08:00 AM
Try adding the following line in your FlexConfig with the rest of your NetFlow configuration.
flow-export template timeout-rate 1
This is my FlexConfig on my firewalls using CSM:
access-list global_mpc extended permit ip any any
class-map global-class
match access-list global_mpc
policy-map global_policy
class global-class
flow-export event-type all destination x.x.x.x
flow-export template timeout-rate 1
11-26-2013 08:45 AM
We just upgraded to CSM 4.5, and I have verified that NetFlow configuration is now fully supported there, so there is no need to use a FlexConfig to make it work anymore. In CSM 4.5 we can finally specify a service policy to match the NetFlow traffic.
Case closed for us :-)
-Michel