Hi
ASA5520 with asa821-k8.bin is supported by Netflow v3.1
To close the loop on ASA, NTA 3.5 does function with ASAs running 8.2+.
See
Debug log
2009-05-19 15:29:01,893 [STP SmartThreadPool Thread #56] WARN SolarWinds.Orion.NetFlow.Workflow.PacketProcessingWorkflow - Failed to parse packet from IP 10.80.80.199.
2009-05-19 15:29:01,940 [STP SmartThreadPool Thread #56] WARN SolarWinds.Orion.NetFlow.V9PacketFactory - Packet was dropped because of invalid template id: 263
2009-05-19 15:29:01,940 [STP SmartThreadPool Thread #56] WARN SolarWinds.Orion.NetFlow.Workflow.PacketProcessingWorkflow - Failed to parse packet from IP 10.80.80.199.
2009-05-19 15:29:01,940 [STP SmartThreadPool Thread #54] WARN SolarWinds.Orion.NetFlow.V9PacketFactory - Packet was dropped because of invalid template id: 256
Hi,
If you want netflow to be able to process data from Netflow-V9, then the template must contain the following fields (according to the RFC).
(ID // RFC name)
1 // octetDeltaCount
2 // packetDeltaCount
4 // protocolIdentifier
5 // ipClassOfService
7 // sourceTransportPort
8 // sourceIPv4Address
10 // ingressInterface
11 // destinationTransportPort
12 // destinationIPv4Address
14 // egressInterface
If one item is missing, then the template is invalid for our collector and we drop all packets which belong to this template. So you need to set up the router to export all these fields.
NTA 3.1 doesn't work with Cisco ASA
So you are not able to set up these fields for your templates, or is there some other issue? If you know that you have all these fields in your templates and you are still not able to collect data, can you please send me a short pcap from this device? I can check it. (I need the template definition there.)
Thanks, ET
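The template check described in the posts above (a v9 template is dropped unless it carries all ten listed field IDs) can be reproduced offline against bytes taken from a capture. This is an added example, not SolarWinds code and not part of the original thread; the function names, template IDs 300/301 and the sample packet are constructed for illustration, and the header and template FlowSet layout follow RFC 3954.

```python
import struct

# Field type IDs the post lists as mandatory for the collector.
REQUIRED = {1, 2, 4, 5, 7, 8, 10, 11, 12, 14}

def missing_fields(packet):
    """Map each template ID found in a NetFlow v9 export packet to the
    required field IDs it lacks (an empty list means the template passes)."""
    if len(packet) < 20 or struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    result, off = {}, 20  # FlowSets start after the 20-byte header
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("bad FlowSet length")
        if set_id == 0:  # FlowSet ID 0 carries template records
            pos, end = off + 4, off + set_len
            while pos + 4 <= end:
                tmpl_id, count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if tmpl_id < 256 or pos + 4 * count > end:
                    break  # trailing padding or a truncated record
                types = {struct.unpack_from("!H", packet, pos + 4 * i)[0] for i in range(count)}
                result[tmpl_id] = sorted(REQUIRED - types)
                pos += 4 * count
        off += set_len  # data and options FlowSets are skipped
    return result

def build_sample():
    """Constructed packet: template 300 has every required field,
    template 301 omits the byte/packet counters and class of service."""
    def record(tmpl_id, fields):
        body = b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
        return struct.pack("!HH", tmpl_id, len(fields)) + body
    full = [(1, 4), (2, 4), (4, 1), (5, 1), (7, 2), (8, 4), (10, 2), (11, 2), (12, 4), (14, 2)]
    partial = [(8, 4), (7, 2), (10, 2), (12, 4), (11, 2), (14, 2), (4, 1)]
    records = record(300, full) + record(301, partial)
    flowset = struct.pack("!HH", 0, 4 + len(records)) + records
    return struct.pack("!HHIIII", 9, 2, 0, 0, 0, 0) + flowset

if __name__ == "__main__":
    for tmpl_id, missing in missing_fields(build_sample()).items():
        print(tmpl_id, "OK" if not missing else f"missing field IDs {missing}")
```

To run it on real traffic, pass the UDP payload of an export packet that contains the template definition.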
NetFlow on the ASA is a strange implementation. Do you have it configured to export upon NSEL defined events?
Has anyone confirmed that the ASAs (5505, 5520, 5580) can successfully export Netflow data to the Orion NTA collector for analysis?
For this moment ASA is working with NSEL Cisco Mars 6.0.3
ASA doesn't work with NTA 3.1
Is this still the case?
We have an ASA 5510 with IOS 8.2(1). I am trying to get the ASA to work with NTA but I need to verify that NTA is compatible with Netflow v9 before I try to configure the firewall. This is our production firewall so I don't want to make any changes unless I am certain it will work.
Please advise...
Yes - The ASAs do a security NetFlow export, not a traffic analysis export, so we can't read it.
Andy,
We have a TAC contract with Cisco and I've been in contact with them. They said the following:
I've been doing some more research, the NSEL is pretty specific and may not be compatible with 3rd party collectors. NSEL exports ASA specific fields that cannot be interpreted by standard NetFlow collector(s). But the messaging is NetFlow v9 protocol compliant.
The ASA only supports NetFlow version 9. Unlike routing platforms we do not send incremental updates; NSEL records are only sent during flow creation, teardown or ACL deny events. This is an issue as many customers expect to see flow information in real time, unfortunately this is not how NetFlow operates on the ASA.
So it looks like from the notes above, that solarwinds may not be able to interpret the data. You may have to look at using a Cisco collector for the asa netflow traffic.
Thanks,
Scott
In a nutshell the ASA line uses Flexible NetFlow (FNF). It is on our road map but not supported today.