Solved: Re: Stealthwatch display a not existing IP address

Marco Noviello · ‎12-11-2019

Hi,

I'm new in stealthwatch so I don not if this is a normal behavior.

Stealthwatch report an peer IP address that do not exist.

The NetFlow sensor is a cisco ASA. The packet tracer on ASA do not report any communication with the

IP address dsiplayed by stealthwatch.

Waht is wrong ?

There is a way to deeper analys this behaivor?

Regards

Marco

kyoshiik · ‎12-12-2019

Do you configure connection log for that session correctly in ASA?

I expect if Stealthwatch doesn’t have a log and ASA has a log of same session, it related to NetFlow missing issue because it’s UDP traffic. But this case is vice versa. Stealthwatch stitches before/after NAT IP with NSEL from ASA. Please double check log and configuration. If you still see same issue, I recommend to open case for troubleshooting.

View solution in original post

Marco Noviello · ‎12-12-2019

TAC open

View solution in original post

kyoshiik · ‎12-12-2019

Do you configure connection log for that session correctly in ASA?

I expect if Stealthwatch doesn’t have a log and ASA has a log of same session, it related to NetFlow missing issue because it’s UDP traffic. But this case is vice versa. Stealthwatch stitches before/after NAT IP with NSEL from ASA. Please double check log and configuration. If you still see same issue, I recommend to open case for troubleshooting.

Marco Noviello · ‎12-12-2019

TAC open