07-27-2023 05:44 AM
Hello,
FTD & FMC 7.3
I am setting up Netflow and decided to use a physical interface for this process. The help section says an interface can belong to only one security zone. However, can multiple interfaces belong to the same zone (Inside, in my case)? I'm getting an error: too many interfaces in security zone / interface group.
Thanks,
07-27-2023 10:13 AM
07-27-2023 10:29 AM
As noted in the linked article, we generally set up Netflow records to be exported from the management interface.
07-27-2023 10:30 AM
Yes, as in the shared link, I think his issue is he is using Inside, not Mgmt.
Hope this link helps him.
Thanks
07-27-2023 10:40 AM
To confirm, are you referring to the management IP address that I have configured under the device tab of said FTD? I tried that address and wasn't successful for some reason. Under the interfaces themselves, there's a box for Enabled and Management, but Management is grayed out, so I wanted to make sure you're not talking about enabling that under a physical interface. I will review the article, as maybe I missed something.
08-01-2023 07:34 AM
I set up my diagnostic interface as management and gave it an IP address that falls under the management subnet. FlexConfig took the commands, so I believe I'm all set. How can I confirm flows are being sent, though, as I'm not seeing anything at the collector yet? I tried setting up a packet capture on the FTD CLI on the management interface using the "any" command, but nothing is being sent.
08-08-2023 10:52 AM
@Marvin Rhoads or @MHM Cisco World,
When I run the command "show flow-export counters," this number does increase, yet when I use Wireshark on the collector, nothing from this FTD appears. I have set up ASP drop captures, and nothing was found there as well. Is there a way to validate that flows are being sent outside of this counter? Like I previously mentioned, when I set up a packet capture on the MGT interface, there were no packets. I can ping the collector from the FTD CLI, so I'm not sure what else I can look at.
Thanks
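One collector-side check for the question above, added here as an example and not part of the thread: a small UDP listener that decodes the NetFlow v5/v9 and IPFIX export header and reports which source IP each export actually arrives from, so a mismatch between the expected exporter address (the diagnostic/management IP) and the real one shows up immediately. The collector port 2055 and the sample header values are assumptions, not taken from the thread.

```python
import socket
import struct

# Constructed sample: a NetFlow v9 header (version 9, 2 records, uptime,
# export time, sequence 42, source id 0). Only the 20-byte header is built
# because only the header is parsed here; the values are made up.
SAMPLE_V9 = struct.pack("!HHIIII", 9, 2, 123456, 1691683200, 42, 0)


def parse_export_header(data):
    """Return a dict describing the export header, or None if not NetFlow/IPFIX."""
    if len(data) < 16:
        return None
    version = struct.unpack("!H", data[:2])[0]
    if version == 5 and len(data) >= 24:
        count, uptime, secs, _nsecs, seq = struct.unpack("!HIIII", data[2:20])
        return {"version": 5, "count": count, "uptime_ms": uptime,
                "export_time": secs, "sequence": seq}
    if version == 9 and len(data) >= 20:
        count, uptime, secs, seq, source_id = struct.unpack("!HIIII", data[2:20])
        return {"version": 9, "count": count, "uptime_ms": uptime,
                "export_time": secs, "sequence": seq, "source_id": source_id}
    if version == 10:
        length, secs, seq, domain = struct.unpack("!HIII", data[2:16])
        return {"version": 10, "length": length, "export_time": secs,
                "sequence": seq, "domain_id": domain}
    return None


def listen(port=2055, max_packets=5):
    """Bind the collector port and report who is actually sending exports.

    A gap in the per-source sequence number means exports were lost in transit.
    """
    seen, last_seq = [], {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while len(seen) < max_packets:
            data, (src_ip, src_port) = sock.recvfrom(65535)
            hdr = parse_export_header(data)
            note = ""
            if hdr and src_ip in last_seq and hdr["sequence"] != last_seq[src_ip] + 1:
                note = "  (sequence gap: exports lost?)"
            if hdr:
                last_seq[src_ip] = hdr["sequence"]
            print(f"{src_ip}:{src_port} -> {hdr if hdr else 'not NetFlow/IPFIX'}{note}")
            seen.append((src_ip, hdr))
    return seen


if __name__ == "__main__":
    listen()
```

Run it on the collector host (with the real collector stopped so the port is free) while "show flow-export counters" increments on the FTD; if nothing prints, the exports are not leaving the firewall on the path you expect.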
08-10-2023 10:03 AM
When you ping the collector from the FTD CLI, did you use "ping system"?
08-10-2023 11:08 AM
Hi Marvin,
Thanks for the suggestion, as I did not know about this command. I ran the ping this way, and it was successful. However, on the collector, I was running Wireshark and noticed that the source was the MGT IP found under the device tab of that FTD. Per that document MHM posted, I took my diagnostic interface, labeled it management, and gave it an IP address inside the same subnet found under my device tab's management space. If I go into the diagnostic CLI on the FTD and try to source my pings to the collector from the management interface that I set up under the diagnostic interface, it fails. I assume that I must create a rule for this traffic but wasn't sure, as there's no mention of it in that document nor in Cisco's official documentation.
08-10-2023 11:19 AM
I ran a packet capture looking for ASP drops and ran a ping inside the diagnostic CLI sourcing from my new management IP to my collector, and the ASP output is the following. I don't know what that is yet, but I'm assuming something with routing.
1: 18:15:29.120187 10.80.5.10 > 10.93.200.36 icmp: echo request Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000000aaacd9bccc flow (NA)/NA