Netflow problem with transparent ASA.

Dikkia
Level 1

Hi all,

I'm facing a weird problem with asa5520x (Version 9.6(4)10) in TRANSPARENT mode and a NetFlow collector (ManageEngine).

I had to move the configuration of my transparent firewall from vlan mode  to subinterface with  portchannel.

Since then I receive no flows for the subinterface and/or etherchannel interface (I receive flows for the physical port instead).

I wrote to ManageEngine and they say there is no particular configuration on their software... and I should be able to see all the traffic if the ASA is correctly configured.

ASA is sending flows for other interfaces (physical and for the management), so everything is OK from the configuration point of view.

ManageEngine said that if I don't see the subinterface traffic... it means the ASA does not send flows for that specific traffic.

As far as I know, NetFlow is supported by the ASA in transparent mode... but I could be wrong.

Any suggestion about this issue?

The ASA config is quite straightforward...

flow-export destination MANAGEMENT 10.74.2.214 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
flow-export active refresh-interval 2

interface GigabitEthernet0/2
 description to cus-st0 Gi1/0/30
 channel-group 1 mode active
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 description to cus-st0 Gi2/0/30
 channel-group 1 mode active
 no nameif
 no security-level
!
interface GigabitEthernet0/4
 description to cus-st0 Gi1/0/32
 channel-group 2 mode active
 no nameif
 no security-level
!
interface GigabitEthernet0/5
 description to cus-st0 Gi2/0/32
 channel-group 2 mode active
 no nameif
 no security-level


interface Management0/0
 management-only
 nameif MANAGEMENT
 security-level 50
 ip address 10.74.32.10 255.255.248.0 standby 10.74.32.11
!
interface BVI2
 ip address 10.48.92.189 255.255.255.240
!
interface Port-channel1
 nameif Inside-PortChannel
 bridge-group 2
 security-level 100
!
interface Port-channel1.70
 vlan 70
 nameif Inside-Lan
 bridge-group 2
 security-level 100
!
interface Port-channel2
 lacp max-bundle 8
 nameif Outside-PortChannel
 bridge-group 2
 security-level 0
!
interface Port-channel2.960
 vlan 960
 nameif Outside-Voda
 bridge-group 2
 security-level 0

class-map global-class
 match access-list global_mpc
class-map BGP_peering
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  no tcp-inspection
policy-map global_policy
 description regola per peering BGP
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  flow-export event-type all destination 10.74.2.214
 class BGP_peering
  set connection random-sequence-number disable
!
service-policy global_policy global
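The flow-export lines above send NSEL records to the collector as NetFlow v9 over UDP, and the class global-class/flow-export event-type all stanza decides which connections get exported. Which interface a record is attributed to comes from the ingress and egress ifIndex fields the ASA stamps on it, so a useful check when the collector shows flows on the wrong interface is to look at the raw export rather than the collector's view. The following Python checker is an added example, not part of this post and not code from Cisco or ManageEngine: it decodes a v9 packet (template FlowSet plus data FlowSet), returns each record as a dict, and tallies the (input_snmp, output_snmp) pairs so they can be compared with the ASA's IF-MIB ifDescr entries. The sample packet, its field list, the addresses and the ifIndex values 3 and 4 are all constructed for the demo.

```python
import socket
import struct
from collections import Counter

# NetFlow v9 field types (RFC 3954) that ASA NSEL records commonly carry.
# Only the ones this checker decodes are named; unknown types keep their number.
FIELD_NAMES = {
    8: "src_addr",      # IPV4_SRC_ADDR
    12: "dst_addr",     # IPV4_DST_ADDR
    7: "src_port",      # L4_SRC_PORT
    11: "dst_port",     # L4_DST_PORT
    4: "protocol",      # PROTOCOL
    10: "input_snmp",   # INPUT_SNMP  (ingress interface ifIndex)
    14: "output_snmp",  # OUTPUT_SNMP (egress interface ifIndex)
}
ADDRESS_FIELDS = {8, 12}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, seq, sourceId


def decode_field(ftype, raw):
    """IPv4 address fields become dotted strings, everything else a big-endian int."""
    if ftype in ADDRESS_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export datagram and return (records, templates).

    `templates` is a cache keyed by (source_id, template_id): pass the same dict
    for every datagram from an exporter, because templates and data usually
    arrive in separate packets (the ASA resends templates on its template
    timeout-rate). Data whose template has not been seen yet is skipped.
    """
    if templates is None:
        templates = {}
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a v9 header")
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)

    records = []
    off = HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length %d at offset %d" % (fs_len, off))
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                  # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack_from("!HH", body, pos))   # (type, length)
                    pos += 4
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                              # data FlowSet
            fields = templates.get((source_id, fs_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # FlowSet id 1 (options template) and 2..255 (reserved) are ignored here.
        off += fs_len
    return records, templates


def interface_pairs(records):
    """Count (ingress ifIndex, egress ifIndex) pairs across the decoded records."""
    return Counter((r.get("input_snmp"), r.get("output_snmp")) for r in records)


def build_sample_packet():
    """Constructed sample export (not captured from a real ASA): one template
    describing 7 fields and two 17-byte flow records. ifIndex 3 and 4 are placeholders."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, ifin, ifout):
        return (socket.inet_aton(src) + socket.inet_aton(dst)
                + struct.pack("!HHBHH", sport, dport, proto, ifin, ifout))

    data = (rec("192.0.2.10", "198.51.100.5", 51000, 443, 6, 3, 4)
            + rec("192.0.2.11", "192.0.2.12", 5060, 5060, 17, 3, 3))
    pad = (-len(data)) % 4                              # FlowSets are 4-byte aligned
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    hdr = HEADER.pack(9, 3, 123456, 1700000000, 1, 0)   # count: 1 template + 2 records
    return hdr + tmpl_fs + data_fs


if __name__ == "__main__":
    recs, _ = parse_v9(build_sample_packet())
    for r in recs:
        print(r)
    print(interface_pairs(recs))
```

To use it on real data, read the UDP payloads the ASA sends to the collector port (9996 in the config above) from a packet capture or a listening socket and feed every datagram to parse_v9 with one shared templates dict; the ifIndex numbers in the resulting pairs are what the collector maps to interface names, so walking IF-MIB ifDescr on the ASA shows whether they point at the port-channel, the subinterface or the physical member port.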