
Issue receiving routed NetFlow data from Cisco router to ASA to inside interface

This is a complex issue so I apologize if it sounds confusing. We initially tried to enable netflow on our ASA 5510 but realized that the ASA does not support version 5 netflow. So we turned to our Cisco 2800 router.

Diagram:

Inside Interface ------ ASA ------- Outside Interface ------ Cisco Router

192.168.200.1 ------- ASA -------- 10.100.12.5 ------- 10.100.12.1

Note: these IP's are fake

Issue: Basically, since the ASA does not provide version 5 netflow we decided to use the Cisco 2800 series router to provide the netflow data we need. The issue is the router is on the outside interface of our firewall. So I made an Access rule to allow netflow data from the router to the outside interface of the ASA.

Source IP - 10.100.12.1, Destination IP - 10.100.12.5 on port 2055

The inside network already has access to the outside interface

- I try to set up a new device on the Real Netflow Analyzer for IP 10.100.12.5 (ASA outside interface) but the connection fails.

- I try to set up a new device on the Real Netflow Analyzer for IP 192.168.200.1 (ASA inside interface) and the connection works, but when I try to start a flow capture it gives me an error: "Netflow is not detected on the selected interface". I picked the outside interface.

- I try to set up a new device on the Real Netflow Analyzer for IP 10.100.12.1 (Cisco Router) but my ISP will not give me the SNMP community string to access the router. They said I should be able to access the netflow data from my outside interface (this is where they routed the data).

Question: Am I going about this the right way? I have a feeling that the only way it will work is if our ISP gives up the community string and allows us to collect the netflow data directly from the router. Could it be that the outside interface should work and we have an incorrect setting?

Things I know: our ISP confirmed that the netflow data is being exported. I am also able to ping the ISP router from the server that is collecting the data.

  • Additional note: I was requested by Cisco TAC to post this. I am currently working on this issue with them but they wanted me to verify if my configuration was correct for Real Netflow Analyzer. It seems to me that the majority of the configuration is in Cisco's hands, not SolarWinds', since all you really need is the IP address and the SNMP community string of the device you're polling.

    Thanks!

  • Hi cavemancan,

    It sounds like the 2800 is managed by the ISP. If so, there is probably a larger issue of getting them to turn on the netflow exporter and point the data at your NTA server. Has this part been addressed?

    Andy

  • Correct the 2800 is managed by my ISP. The issue was not getting them to export the netflow as you can see below...


    CISCO#sh ip flow export
    Flow export v5 is enabled for main cache
      Export source and destination details :
      VRF ID : Default
        Source(1)      HIDDEN (GigabitEthernet0/0)
        Destination(1)  HIDDEN (2055)
      Version 5 flow records
      618151 flows exported in 20611 udp datagrams
      0 flows failed due to lack of export packet
      0 export packets were sent up to process level
      0 export packets were dropped due to no fib
      0 export packets were dropped due to adjacency issues
      0 export packets were dropped due to fragmentation failures
      0 export packets were dropped due to encapsulation fixup failures

    My ISP sent me this to confirm that they are exporting the netflow so I have no doubt it's being done. The data is being routed to the outside interface of my ASA but all this is explained in detail above.

    Thanks!

  • - I try to set up a new device on the Real Netflow Analyzer for IP 10.100.12.5 (ASA outside interface) but the connection fails.

    When you say the connection fails, does this mean you can't ping that outside interface and therefore can't add it to Orion NPM? If so, is it really reachable from the inside network?

    Also, can you verify on the ASA that you are receiving NetFlow packets on port 2055 on that outside interface?
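The last question in the thread, whether NetFlow datagrams are actually arriving on UDP 2055, can be answered on the collector host itself without any SNMP access to the ISP router. The script below is an added example written for this page; it is not code from the thread, from SolarWinds or from Cisco. It decodes the NetFlow v5 wire format (24-byte header, 48-byte records, matching the "Flow export v5" shown in the ISP's `sh ip flow export` output) and can be bound to UDP/2055 on the server to report which exporter address the datagrams come from and whether they parse as v5. The sample datagram it builds is constructed for the example; the addresses in it reuse the placeholder IPs from the diagram above. Stop the NTA collector service before running the listener, since only one process can own the port.

```python
"""Minimal NetFlow v5 decoder, usable as a UDP/2055 listener to confirm export arrives.

Added example for this thread; not SolarWinds or Cisco code. Sample data is constructed.
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes, big-endian).
HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 flow record: srcaddr, dstaddr, nexthop, input, output, dPkts,
# dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2 (48 bytes).
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    octets: int


def parse_netflow_v5(datagram: bytes) -> tuple[dict, list[FlowRecord]]:
    """Decode one exported datagram; raise ValueError if it is not well-formed v5."""
    if len(datagram) < HEADER.size:
        raise ValueError(f"datagram too short for a NetFlow header ({len(datagram)} bytes)")
    (version, count, sys_uptime, unix_secs, _nsecs,
     flow_seq, _engine_type, _engine_id, _sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = HEADER.size + count * RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"header announces {count} records ({expected} bytes) "
                         f"but datagram is {len(datagram)} bytes")
    header = {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
              "unix_secs": unix_secs, "flow_sequence": flow_seq}
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append(FlowRecord(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            src_port=f[9], dst_port=f[10], protocol=f[13],
            packets=f[5], octets=f[6]))
    return header, records


def build_sample_datagram() -> bytes:
    """Constructed v5 datagram with two records (sample data, not a real capture)."""
    def rec(src, dst, sport, dport, proto, pkts, octets):
        # nexthop 10.100.12.1 is the placeholder router address from the diagram
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("10.100.12.1"), 1, 2, pkts, octets,
                           1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    records = [rec("192.168.200.50", "203.0.113.10", 51000, 443, 6, 12, 5400),
               rec("203.0.113.10", "192.168.200.50", 443, 51000, 6, 10, 9100)]
    header = HEADER.pack(5, len(records), 123456, 1_700_000_000, 0, 618151, 0, 0, 0)
    return header + b"".join(records)


def listen(bind_addr: str = "0.0.0.0", port: int = 2055, max_datagrams: int = 1) -> int:
    """Bind the collector port and report whether (and from where) v5 flows arrive."""
    seen = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(30)
        while seen < max_datagrams:
            try:
                data, (exporter, _) = sock.recvfrom(65535)
            except socket.timeout:
                print(f"no datagrams on UDP/{port} in 30 s: export is not reaching this host")
                break
            try:
                header, records = parse_netflow_v5(data)
            except ValueError as exc:
                print(f"{exporter}: {exc}")  # something arrived, but it is not v5
                continue
            seen += 1
            print(f"{exporter}: v{header['version']} seq={header['flow_sequence']} "
                  f"{len(records)} flows")
            for r in records:
                print(f"  {r.src}:{r.src_port} -> {r.dst}:{r.dst_port} "
                      f"proto={r.protocol} {r.packets} pkts {r.octets} B")
    return seen


if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(build_sample_datagram())
    print(hdr, *flows, sep="\n")
    # listen()  # uncomment on the collector host to check for live export
```

If the listener times out, the datagrams are not reaching the server; if they arrive with the exporter address set to the router but the NTA product still reports "Netflow is not detected", the problem lies in the product's device mapping rather than in delivery.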