
ASA 5520 Netflow packets don't contain byte data

tima262626
Level 1

Hi

Please can you help.

We've got a Netflow log collector and since we've upgraded an ASA 5520 from 8.12 to 9.1(2) it has stopped sending the field "IN_PERMANENT_BYTES".

Does anyone have any idea how to re-add a byte or packet count field to the Netflow output packet? It's running ASDM version 7.1(3) and is set to send All Flow Event Types.

Many thanks


Allan
Level 1

Hi,

I had a similar question put through to Cisco and got the following back:

-----------------------------------------------------------------------------------------------------------------------------------

After customers upgrade their ASA to 8.4.5, customers might notice that their netflow collectors fail to interpret the events from ASA.

An example error for Solarwinds NTA is:

NetFlow exports from the ASA cannot be processed by Solarwinds NTA. The error is as follows:
NetFlow Receiver Service [SECUOMNF01] received an invalid V9 template with ID from device

Explanation:

The reason for this is the changes made to the ASA netflow export capability in the 8.4.5 code. Information about the same is detailed in the following ASApedia article: NetflowEbay

Basically, there was a new capability added to the flow export capability by the introduction of a new periodic flow-update event to provide periodic delta byte counters over the duration of a flow. Prior to the enhancement, byte counters were reported only in the flow-creation and flow-teardown records, with an aggregate counter for both the forward and reverse flows. This enhancement is meant to replace the aggregate counter with separate forward and reverse flow byte counters to allow customers to examine the directionality of byte flow.

Please note this is not a problem on the ASA, but collector-side code needs to be modified to understand the new changes that were made in the ASA flow export capability.

The enhancement is noted in the ASA release notes for 8.4.5 as well:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp591970

Resolution:

Nothing from our side; the customer needs to contact the collector support and get a version which supports the ASA side changes.

The same has been acknowledged and fixed by multiple vendors:

Solarwinds: http://thwack.solarwinds.com/thread/52901 (HotFix 3 for NTA 3.10)

Plixer: http://www.plixer.com/blog/ipfix-2/cisco-asa-8-45-netflow-support/ (Scrutinizer version 10.1)

ManageEngine: http://blogs.manageengine.com/2012/12/03/cisco-asa-8-45-and-above-netflow-updates/ (Patch for NetFlow Analyzer 9.7 Build 9700)

New fields 231 (initiatorOctets) and 232 (responderOctets) will replace field 85 (IN_PERMANENT_BYTES) along with real-time flow update support in 8.4(5) and later software. However, it may take a bit for third-party Netflow Collectors to pick up these new fields as they come from IPFIX rather than legacy Netflow V9 world.

----------------------------------------------------------------------------------------------------------------------------------

Kind Regards,

Allan
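
To check which byte counters an exporter's templates actually carry after the change described in the reply above, the following added example (not part of the original thread, and not Cisco or collector-vendor code) parses the template FlowSet of a NetFlow v9 export packet and reports whether each template uses field 85 or the 231/232 pair. The sample packet, template IDs 256 and 257, field lengths and all function names are constructed for illustration.

```python
import struct

# Byte-counter field types named in the thread above.
BYTE_COUNTERS = {85: "IN_PERMANENT_BYTES", 231: "initiatorOctets", 232: "responderOctets"}

def parse_templates(packet):
    """Return {template_id: [(field_type, field_len), ...]} for a NetFlow v9 packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    templates, off = {}, 20                      # v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:     # FlowSet ID 0 = template FlowSet
            tid, count = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if tid < 256 or pos + 4 * count > end:
                raise ValueError("malformed template record")
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                              for i in range(count)]
            pos += 4 * count
        off += fs_len
    return templates

def byte_counter_report(packet):
    """Map each template ID to (style, [byte-counter field names it carries])."""
    report = {}
    for tid, fields in parse_templates(packet).items():
        types = {ftype for ftype, _ in fields}
        if {231, 232} <= types:
            style = "directional"                # separate forward/reverse counters
        elif 85 in types:
            style = "aggregate"                  # single combined counter
        else:
            style = "none"
        report[tid] = (style, [BYTE_COUNTERS[t] for t in sorted(types) if t in BYTE_COUNTERS])
    return report

def build_packet(templates):
    """Build a constructed v9 packet holding one template FlowSet (sample input)."""
    body = b"".join(struct.pack("!HH", tid, len(f)) + b"".join(struct.pack("!HH", *x) for x in f)
                    for tid, f in templates.items())
    header = struct.pack("!HHIIII", 9, len(templates), 0, 0, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

# Constructed templates: addresses, ports, protocol, then the byte counter(s).
COMMON = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
SAMPLE = build_packet({256: COMMON + [(85, 4)], 257: COMMON + [(231, 4), (232, 4)]})
```

Feeding `byte_counter_report` the UDP payload of a captured export packet shows whether the device is sending the older aggregate counter or the directional pair the collector must understand.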
