Hi all,
I'm facing a weird problem with an asa5520x (Version 9.6(4)10) in TRANSPARENT mode and a NetFlow collector (ManageEngine).
I had to move the configuration of my transparent firewall from VLAN mode to subinterfaces with a port-channel.
Since then I receive no flows for the subinterface and/or etherchannel interface (I receive flows for the physical port instead).
I wrote to ManageEngine and they say there is no particular conf on their software... and I should be able to see all the traffic if the ASA is correctly configured.
The ASA is sending flows for other interfaces (physical and the management one), so everything is OK from the configuration point of view.
ManageEngine said that if I don't see the subinterface traffic... it means the ASA does not send flows for that specific traffic.
As far as I know... NetFlow is supported by the ASA in transparent mode... but I could be wrong.
Any suggestion about this issue?
The ASA conf is quite straightforward....
flow-export destination MANAGEMENT 10.74.2.214 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
flow-export active refresh-interval 2
interface GigabitEthernet0/2
description to cus-st0 Gi1/0/30
channel-group 1 mode active
no nameif
no security-level
!
interface GigabitEthernet0/3
description to cus-st0 Gi2/0/30
channel-group 1 mode active
no nameif
no security-level
!
interface GigabitEthernet0/4
description to cus-st0 Gi1/0/32
channel-group 2 mode active
no nameif
no security-level
!
interface GigabitEthernet0/5
description to cus-st0 Gi2/0/32
channel-group 2 mode active
no nameif
no security-level
interface Management0/0
management-only
nameif MANAGEMENT
security-level 50
ip address 10.74.32.10 255.255.248.0 standby 10.74.32.11
!
interface BVI2
ip address 10.48.92.189 255.255.255.240
!
interface Port-channel1
nameif Inside-PortChannel
bridge-group 2
security-level 100
!
interface Port-channel1.70
vlan 70
nameif Inside-Lan
bridge-group 2
security-level 100
!
interface Port-channel2
lacp max-bundle 8
nameif Outside-PortChannel
bridge-group 2
security-level 0
!
interface Port-channel2.960
vlan 960
nameif Outside-Voda
bridge-group 2
security-level 0
class-map global-class
match access-list global_mpc
class-map BGP_peering
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
no tcp-inspection
policy-map global_policy
description regola per peering BGP
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
flow-export event-type all destination 10.74.2.214
class BGP_peering
set connection random-sequence-number disable
!
service-policy global_policy global
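One way to settle "is the ASA exporting these flows or is the collector dropping them" is to decode the NetFlow v9 datagrams yourself before they reach ManageEngine. The script below is an added example, not code from the post or from ManageEngine: it parses NetFlow v9 as defined in RFC 3954 (template FlowSet id 0, data FlowSets id >= 256) and counts which ifIndex values show up as ingress (INPUT_SNMP, field 10) or egress (OUTPUT_SNMP, field 14) interface. The embedded datagram is constructed for the demonstration; the ifIndex values 5, 6 and 7 in it are placeholders, and the real mapping from interface name to ifIndex comes from the ASA's IF-MIB ifTable over SNMP.

```python
"""Added example: minimal NetFlow v9 decoder that reports which ifIndex values
appear as ingress/egress interface in exported records (RFC 3954 layout)."""
import ipaddress
import struct
from collections import Counter

# NetFlow v9 field type IDs from RFC 3954 section 8.
IPV4_SRC_ADDR = 8
INPUT_SNMP = 10      # ingress interface ifIndex
IPV4_DST_ADDR = 12
OUTPUT_SNMP = 14     # egress interface ifIndex
FIELD_NAMES = {IPV4_SRC_ADDR: "IPV4_SRC_ADDR", INPUT_SNMP: "INPUT_SNMP",
               IPV4_DST_ADDR: "IPV4_DST_ADDR", OUTPUT_SNMP: "OUTPUT_SNMP"}


def decode_field(ftype, raw):
    """IPv4 address fields become dotted strings, everything else a big-endian integer."""
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Decode one export datagram and return its data records as dicts.

    `templates` maps (source_id, template_id) -> [(field_type, length), ...] and is
    updated in place, so pass the same dict for every datagram from one exporter:
    data FlowSets that arrive before their template are skipped, not misparsed.
    """
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("packet shorter than the NetFlow v9 header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:
            # Template FlowSet: (template_id, field_count, type/length pairs...) repeated.
            pos = 0
            while pos + 4 <= len(body):
                tid, fcount = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * fcount > len(body):
                    raise ValueError("template field list truncated")
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(fcount)]
                pos += 4 * fcount
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:
            # Data FlowSet: fixed-size records, decodable only once the template is known.
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # FlowSet id 1 (options template) and other reserved ids are ignored here.
        offset += fs_len
    return records


def interfaces_seen(records):
    """Count how many records name each ifIndex as ingress or egress interface."""
    seen = Counter()
    for rec in records:
        for key in ("INPUT_SNMP", "OUTPUT_SNMP"):
            if key in rec:
                seen[rec[key]] += 1
    return dict(seen)


def build_sample_packet():
    """Constructed sample datagram (not a real ASA capture): one template, two records."""
    tfields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (INPUT_SNMP, 2), (OUTPUT_SNMP, 2)]
    tmpl = struct.pack("!HH", 256, len(tfields)) + b"".join(struct.pack("!HH", t, l) for t, l in tfields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, ingress, egress):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HH", ingress, egress))

    # ifIndex 5/6/7 are placeholders; real values come from the ASA's SNMP ifTable.
    data = rec("10.48.92.20", "10.48.92.189", 5, 6) + rec("10.48.92.189", "10.48.92.20", 7, 5)
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    # Header count = FlowSet records in the packet: 1 template + 2 data records.
    header = struct.pack("!HHIIII", 9, 3, 1000, 0, 1, 0)
    return header + template_fs + data_fs


if __name__ == "__main__":
    print(interfaces_seen(parse_netflow_v9(build_sample_packet())))
```

To use it against the real exporter, bind a UDP socket on the collector port from the post (9996 on a test host, or point a second `flow-export destination` at it), call `parse_netflow_v9` on every datagram with one shared `templates` dict, and tally `interfaces_seen` over a few minutes. If the ifIndex of Port-channel1.70 and Port-channel2.960 never appears while the physical ports do, the gap is on the export side; if it does appear, the collector's interface mapping is where to look next.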