We have a 1941 that sits outside our ASA5510 as our internet router, and the interface facing our ISP is getting flooded with traffic. We have a system inside that processes netflow that we're currently using for our ASA and internal LAN resources. I have set netflow up on the outside interface of the router but cannot get it to send the netflow traffic to our system on the inside. I don't think it's a netflow issue but rather a routing issue. Here is the netflow config on the 1941:
CH-IT-1941#sh ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 220.127.116.11 (GigabitEthernet0/1)
Destination(1) 10.100.6.48 (2055)
Version 9 flow records
127170218 flows exported in 4392754 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
216 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
If I understand correctly, the ASA is sitting between the internet router and the Netflow collector device. If that is the case, have you opened UDP 2055 and UDP 9996 for source and destination in the ASA?
Hope it helps.
I put in place a very broad-based allow IP for both source and destination in both directions and it doesn't work. I can ping from the server running the netflow processing system on the inside to the interface of the internet router successfully, but not the other way round.
As I look at your issue two possibilities occur to me:
- the NetFlow traffic is coming from outside (probably security level 0) to inside (probably security level 100). Normally that traffic would not be allowed. Have you configured specific access list rules to permit this (and applied the access list to the interface)?
- the router destination address is in private address space. Do you need a NAT rule for this traffic? Can you tell us about the addressing of the router interface and the ASA outside interface? If the router sends a packet with destination address 10.100.6.48 will the ASA forward that to the inside?
I have a similar problem too with my new router, a 2921.
For the last few days I have been trying to get the netflow logs from the new router (2921) to my Netflow servers, but it's not happening; currently I have flow from the c6500 series.
There is one firewall between the router and the system. Can anyone tell me what exact port numbers need to be open on the firewall to get the logs?
internet router (2921)----FW-----c3560----c6500----Netflow server.
I have created an ACL permitting UDP ports 161, 162, 2055, 966 on the router, and the FW team opened those UDP ports on the FW, but the flows still do not hit.
Do you have some trick to solve this?
As I suggested to the other poster one possible issue may be the addressing of the router interface used to send the NetFlow data. Since it is coming from outside to inside there may need to be an address translation (or a NAT exemption) configured for this traffic. Can your fw team tell you whether this is the case?
And my other suggestion was to be sure that access policy was written to allow this traffic initiated from outside to inside.
If you are not sure about the port numbers being used then I would suggest that your fw team can run a packet capture on the fw (assuming that your fw is ASA).
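As an added illustration (not configuration posted by anyone in this thread), here is what the two suggestions above look like on an ASA running 8.3 or later, using the source and collector addresses from the 1941's flow export output; the interface names outside/inside, the ACL and object names, and the ASA version are assumptions:

```cisco
! 1. Access policy: permit the NetFlow v9 export initiated from the outside
!    router interface (220.127.116.11) to the collector (10.100.6.48) on UDP 2055.
!    Without this, outside (level 0) to inside (level 100) traffic is denied.
access-list OUTSIDE_IN extended permit udp host 220.127.116.11 host 10.100.6.48 eq 2055
access-group OUTSIDE_IN in interface outside
!
! 2. Identity (no-translation) NAT so the collector's private address is
!    reachable from the outside exactly as the router addresses it.
object network NETFLOW_COLLECTOR
 host 10.100.6.48
nat (inside,outside) source static NETFLOW_COLLECTOR NETFLOW_COLLECTOR
!
! 3. Checks: simulate the export packet through the ASA's rules, then confirm
!    the real datagrams are arriving on the outside interface.
packet-tracer input outside udp 220.127.116.11 12345 10.100.6.48 2055
capture NETFLOW interface outside match udp host 220.127.116.11 host 10.100.6.48 eq 2055
show capture NETFLOW
```

The router side must also have a route for 10.100.6.48 pointing at the ASA's outside address (not the ISP), otherwise the export packets leave toward the ISP and never reach the ASA.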