06-13-2014 08:37 AM - edited 03-03-2019 07:27 AM
Hi
Please can you help.
We've got a Netflow log collector and since we've upgraded an ASA 5520 from 8.12 to 9.1(2) it has stopped sending the field "IN_PERMANENT_BYTES".
Does anyone have any idea how to re-add a byte or packet count field to the Netflow output packet? It's running ASDM version 7.1(3) & is set to send All Flow Event Types.
Many thanks
10-30-2014 04:35 AM
Hi,
I had a similar question put through to Cisco and got the following back:
-----------------------------------------------------------------------------------------------------------------------------------
After customers upgrade their ASA to 8.4.5, customers might notice that their netflow collectors fail to interpret the events from ASA.
An example error for Solarwinds NTA is:
NetFlow exports from the ASA cannot be processed by Solarwinds NTA. The error is as follows:
NetFlow Receiver Service [SECUOMNF01] received an invalid V9 template with ID from device
Explanation:
The reason for this is the changes made to the ASA netflow export capability in the 8.4.5 code. Information about the same is detailed in the following ASApedia article: NetflowEbay
Basically there was a new capability added to the flow export capability by the introduction of a new periodic flow-update event to provide periodic delta byte counters over the duration of a flow. Prior to the enhancement, byte counters were reported only in the flow-creation and flow-teardown records, with an aggregate counter for both the forward and reverse flows. This enhancement is meant to replace the aggregate counter with separate forward and reverse flow byte counters to allow customers to examine the directionality of byte flow.
Please note this is not a problem on the ASA, but collector side code needs to be modified to understand the new changes that were made in the ASA flow export capability.
The enhancement is noted in the ASA release notes for 8.4.5 as well:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp591970
Resolution:
Nothing from our side, customer needs to contact the collector support and get a version which supports the ASA side changes.
The same has been acknowledged and fixed by multiple vendors:
Solarwinds: http://thwack.solarwinds.com/thread/52901 (HotFix 3 for NTA 3.10)
Plixer: http://www.plixer.com/blog/ipfix-2/cisco-asa-8-45-netflow-support/ (Scrutinizer version 10.1)
ManageEngine: http://blogs.manageengine.com/2012/12/03/cisco-asa-8-45-and-above-netflow-updates/ (Patch for NetFlow Analyzer 9.7 Build 9700)
New fields 231 (initiatorOctets) and 232 (responderOctets) will replace field 85 (IN_PERMANENT_BYTES) along with real-time flow update support in 8.4(5) and later software. However, it may take a bit for third-party Netflow Collectors to pick up these new fields as they come from IPFIX rather than legacy Netflow V9 world.
----------------------------------------------------------------------------------------------------------------------------------
Kind Regards,
Allan
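
A collector-side check for the field change described in the reply above, as an added example that is not part of the original thread and is not Cisco's or any collector vendor's code: it parses the template FlowSet of a NetFlow v9 export packet and reports whether each template carries field 85 or the 231/232 pair. The sample packet, the template IDs 256 and 257, and the field lengths are constructed for illustration.

```python
import struct

# Field type IDs named in the reply above.
IN_PERMANENT_BYTES = 85   # aggregate byte counter, older ASA code
INITIATOR_OCTETS = 231    # forward-flow byte counter, 8.4(5) and later
RESPONDER_OCTETS = 232    # reverse-flow byte counter, 8.4(5) and later

def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for one v9 export packet."""
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={version})")
    templates, offset = {}, 20            # the v9 packet header is 20 bytes
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        pos, end = offset + 4, offset + length
        while flowset_id == 0 and pos + 4 <= end:   # FlowSet ID 0 = template FlowSet
            tid, count = struct.unpack_from("!HH", packet, pos)
            if tid < 256 or pos + 4 + 4 * count > end:
                break                     # padding or truncated template record
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 + 4 * i)
                              for i in range(count)]
            pos += 4 + 4 * count
        offset += length
    return templates

def byte_counter_style(fields):
    """Classify a template by which byte-counter fields it advertises."""
    types = {ftype for ftype, _ in fields}
    if {INITIATOR_OCTETS, RESPONDER_OCTETS} <= types:
        return "directional"              # collector must understand 231/232
    if IN_PERMANENT_BYTES in types:
        return "aggregate"                # legacy single counter
    return "none"

def build_sample():
    """Constructed packet: template 256 uses field 85, template 257 uses 231/232."""
    def tmpl(tid, fields):
        return struct.pack("!HH", tid, len(fields)) + b"".join(
            struct.pack("!HH", t, l) for t, l in fields)
    records = tmpl(256, [(8, 4), (12, 4), (85, 4)]) + \
              tmpl(257, [(8, 4), (12, 4), (231, 4), (232, 4)])
    flowset = struct.pack("!HH", 0, 4 + len(records)) + records
    return struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0) + flowset

if __name__ == "__main__":
    for tid, fields in parse_v9_templates(build_sample()).items():
        print(tid, byte_counter_style(fields))
```

Running the same classification over a capture of the ASA's template packets shows whether a missing byte count is down to the collector not mapping fields 231 and 232.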