06-12-2013 12:56 PM - edited 03-11-2019 06:56 PM
I have followed this document for configuring my ASA5525-X running 9.1 for netflow export:
http://www.draware.dk/fileadmin/SolarWinds/Guide/How_to_configure_Netflow_on_a_Cisco_ASA.pdf
Can't seem to get it to work, though. I see the counter increasing, I see the ACL hit count going up, but my server is not getting anything.
When I run a packet trace from my ASA to my Solarwinds server it says denied by an implicit deny.
What is the difference between the ACL Manager and Access Rules in ASDM?
06-12-2013 02:28 PM
Hello,
The packet tracer is for traffic going across the ASA not to or from the ASA itself.
ACL Manager shows all the ACLs configured on the ASA (VPN, NAT, AAA, etc.), and Access Rules shows only the ACLs applied to the interfaces.
Regards,
Juan Lombana
Please rate helpful posts.
06-13-2013 10:32 AM
ATIASA5525-01# show run | inc flow
access-list flow-export-acl extended permit ip any any
flow-export destination inside 10.170.5.80 2055
flow-export template timeout-rate 5
flow-export delay flow-create 60
class-map flow-export-class
 match access-list flow-export-acl
class flow-export-class
 flow-export event-type all destination 10.170.5.80
ATIASA5525-01#

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class flow-export-class
  flow-export event-type all destination 10.170.5.80
Anyone see any reason why this wouldn't work? If more clips of the running config are needed, let me know.
06-13-2013 10:54 AM
Try to clear the counters of the "flow-export" output by running the "clear flow-export counters" command and then collect the output of the "show flow-export counters" five minutes after the clearing.
Share the output with us.
06-13-2013 11:44 AM
This is after about 30 minutes, as I got caught up doing other things.
destination: inside 10.170.5.80 2055
Statistics:
packets sent 6891
Errors:
block allocation failure 0
invalid interface 0
template send failure 0
no route to collector 0
source port allocation failure 0
ATIASA5525-01#
06-13-2013 12:07 PM
Can you confirm the Netflow collector is actively listening on port 2055?
Can you confirm the packets are making it to the server?
Is the ASA the only device reporting to that same server? If not, are the other devices having issues with it?
Remember, the ASA works with Netflow v9 only.
06-13-2013 12:10 PM
I have about 7 Riverbeds exporting just fine to it on port 2055. I also have a 3845 exporting to it. All devices are fine. It just seems to be the ASA. From the ASA I can ping the NetFlow server, and vice versa.
06-13-2013 01:24 PM
Just to be sure, let's try to get a packet capture and confirm that the Netflow information from the ASA is arriving to the server.
What's the Netflow collector application you are using?
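The two checks asked for above (is the collector receiving the datagrams, and are they really NetFlow v9, the only version the ASA exports) can be done without the collector. The following is an added example, not from Cisco or SolarWinds: it parses the NetFlow v9 packet header and FlowSet headers of a datagram captured on UDP/2055 so you can see whether templates and data records are arriving; the sample datagram is constructed here, and the collector address 10.170.5.80 and sequence number 6891 are taken from the thread.

```python
"""Sanity-check a datagram received on UDP/2055 as NetFlow v9 (example code for this thread)."""
import struct

# NetFlow v9 packet header: version, count, sysUptime(ms), unixSecs, sequence, sourceId
V9_HEADER = struct.Struct("!HHIIII")


def parse_v9(datagram: bytes) -> dict:
    """Return the header fields and a list of (flowset_id, length, kind) tuples.

    Raises ValueError if the datagram is not NetFlow v9 or a FlowSet is truncated,
    which is exactly what a collector would silently drop.
    """
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        # An ASA only exports v9; anything else here is not coming from the ASA config above
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    flowsets = []
    offset = V9_HEADER.size
    while offset + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, offset)
        if fs_len < 4 or offset + fs_len > len(datagram):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {offset}")
        # FlowSet ID 0 = template, 1 = options template, >= 256 = data records
        if fs_id == 0:
            kind = "template"
        elif fs_id == 1:
            kind = "options"
        else:
            kind = "data" if fs_id >= 256 else "reserved"
        flowsets.append((fs_id, fs_len, kind))
        offset += fs_len
    return {"version": version, "count": count, "uptime_ms": uptime, "unix_secs": secs,
            "sequence": seq, "source_id": source_id, "flowsets": flowsets}


# Constructed sample datagram: v9 header, one template FlowSet (id 0) defining template 256
# with two fields (IPV4_SRC_ADDR=8, IPV4_DST_ADDR=12, 4 bytes each), then one data FlowSet
# (id 256) carrying a single record for a flow from 10.170.5.1 to the collector 10.170.5.80.
SAMPLE = (V9_HEADER.pack(9, 2, 1234567, 1371142800, 6891, 0)
          + struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
          + struct.pack("!HH4s4s", 256, 12, bytes([10, 170, 5, 1]), bytes([10, 170, 5, 80])))

if __name__ == "__main__":
    print(parse_v9(SAMPLE))
```

To check live traffic, bind a UDP socket to port 2055 on the collector host (with the collector stopped) and pass each `recvfrom()` payload to `parse_v9`; a steady stream of "data" FlowSets with an occasional "template" FlowSet (every 5 minutes here, per `flow-export template timeout-rate 5`) means the ASA side is fine.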
06-14-2013 07:30 AM
Using Solarwinds NTA
What protocol of traffic should I be seeing from the ASA to the Netflow Collector?
I see syslog, SNMP, and Cflow traffic.
06-14-2013 08:01 AM
UGH! SolarWinds NTA issue: hotfix #3 for version 3.10.0 fixes the issue for ASA OS 8.4 and higher.