40 Replies Latest reply on Sep 15, 2009 9:16 AM by swilliams

    Netflow on ASA

      I have a Cisco ASA 5520 that I recently upgraded to 8.2. I'm trying to set up NetFlow, but NTA 3.5 is giving me this error.

      NetFlow Receiver Service  encountered an invalid V9 template with ID 266 from device X.X.X.X

      NetFlow Receiver Service  encountered an invalid V9 template with ID 267 from device X.X.X.X

      NetFlow Receiver Service  encountered an invalid V9 template with ID 268 from device X.X.X.X

      Just wanted to know what I'm doing wrong or if it's even supported on NTA.

        • Re: Netflow on ASA
          Donald_Francis

          As far as I have heard, that implementation of NetFlow is not the usual one, and SolarWinds currently does not support it.

            • Re: Netflow on ASA

              Are there any plans for future support of this item?

                • Re: Netflow on ASA
                  denny.lecompte

                  The NetFlow on the ASA is using Cisco's Flexible NetFlow feature to send security info with the NetFlow protocol. It is not the same data as a standard NetFlow packet, which is why NTA doesn't recognize it. What business problem would that data solve for you?

                    • Re: Netflow on ASA
                      Donald_Francis

                      I would like to see it added; I think it could be more efficient and effective than syslog.

                        • Re: Netflow on ASA
                          denny.lecompte

                          I think it could be more efficient and effective than syslog.

                          Can you provide more details?  What are the specific use cases?

                            • Re: Netflow on ASA

                              As I recall, NetFlow was sold to me to allow me to determine my top talkers on the network and help me in future troubleshooting. I have a switch network that mostly consists of Cisco 3750s and ASA firewalls running 8.2. The sales rep forgot to mention that the Cisco 3750 is not supported for NetFlow. I have one router and a bunch of ASAs....... I'm a little disappointed in my sales rep for not letting me know that the Cisco 3750 is not supported for NetFlow. Not only that.... if I need to upgrade my Network Performance Monitor I also need to upgrade my NetFlow license. I don't think that's right since I only need to monitor so many interfaces on my network. Sorry, venting a little, but yes, I would like this supported, especially for people like me who only have a switch network.

                              • Re: Netflow on ASA
                                Donald_Francis

                                We currently use syslog on our firewalls to log all connections inbound and outbound. Obviously this is intensive and cumbersome. Without having tried it via NetFlow I cannot say for sure, but my thought would be that doing the same thing through NetFlow would be cleaner and more efficient.

                                  • Re: Netflow on ASA

                                    I agree with Donald; I think it would be a valuable tool to use even though it's not actual NetFlow like routers and switches do.

                                      • Re: Netflow on ASA
                                        denny.lecompte

                                        I agree with Donald; I think it would be a valuable tool to use even though it's not actual NetFlow like routers and switches do.

                                        We'll certainly consider it.

                                          • Re: Netflow on ASA
                                            lmace711

                                            I also have an ASA 5510 and need NetFlow to show me the "top tens"; this is very important to my company.

                                            Thanks

                                            L. Mace

                                            PCTS

                                            Network Engineer

                                              • Re: Netflow on ASA
                                                dwiens

                                                Not that it will do much necessarily, but those who want the ASA to do standard NetFlow may want to email their Cisco account reps and put in the feature request with them. Hopefully they can push it up higher within Cisco. Or, if anyone knows a better way to put in feature requests with them, please share.

                                                  • Re: Netflow on ASA

                                                    I just got off the phone with Cisco support, and they informed me that the SolarWinds NetFlow analyzer doesn't support v9 of NetFlow; that is why it won't work on the ASA 55xx.

                                                      • Re: Netflow on ASA
                                                        dwiens

                                                        I posted on the Cisco NetPro Forum a question as to whether the ASA would ever support standard NetFlow and provide the same data that NetFlow on routers provides. Here was their response...

                                                        The ASA only supports NetFlow version 9 and there are no plans to support NetFlow version 5. NetFlow on the ASA is event driven. Unlike routing platforms, we do not send incremental updates; NSEL records are only sent during flow creation, teardown or ACL deny events. This is an issue as many customers expect to see flow information in real time; unfortunately this is not how NetFlow operates on the ASA. The total bytes transferred can only be seen after the flow is torn down and the NSEL record has been generated. Also, unlike the routing platforms, we will not populate the ToS bits or the TCP flags. Lastly, all flows on the ASA are bidirectional. All counters for a flow will increase for traffic flowing from A->B or B->A.

                                                        Limitations

                                                        * Template refresh records can only be sent based on time intervals, not based on the number of data records.
                                                        * NetFlow records cannot be seen live on the ASA as data is collected.
                                                        * NetFlow has a significant performance impact, but it should not be any worse than normal syslog operations for the same information. There will be an uptick in memory, but it should also be minimal. NetFlow configured with overlapping syslogs can cause a significant performance hit.

                                                        A lot of customers are accustomed to the operation of NetFlow on Cisco routers and wish to implement NetFlow to see who is using bandwidth on the network. Unfortunately, NetFlow on the ASA does not provide the ability to see this data in real time. The data can be collected after the flow has been terminated and analyzed, but we do not support real-time viewing of the NetFlow records.

                                                        http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=Subscriptions&loc=.2cd43b9f/0&forum=Security&topic=Firewalling

                                                        Doesn't sound like the ASA will ever really provide the data we would like to see in real time.
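To make the Cisco response above concrete, here is an added example (written for this thread, not code from SolarWinds, Cisco or any poster) of what a NetFlow v9 collector has to do with what the ASA sends: keep templates per exporter, decode data FlowSets only once their template has arrived (since template refresh is time based, data records that show up first have to be counted as orphans), and build "top talkers" only from flow-teardown records, because byte counts are final only at teardown and counters are bidirectional. The `strict` mode reproduces the behaviour behind the "invalid V9 template" error in the original post: a collector that rejects any template containing a field type it does not recognise. The template layout, the sample flows and the vendor-specific field type 40999 are all constructed for the example and are not the ASA's real NSEL template; field 233 (firewallEvent) is the IANA-registered ID NSEL uses for create/teardown/deny events.

```python
"""Minimal NetFlow v9 collector: template tracking, data-record decoding and
top-talker aggregation from flow-teardown records (added example)."""
import struct
from collections import defaultdict

# Standard NetFlow v9 field types (RFC 3954). 233 is the registered firewallEvent
# field used by NSEL. Field 40999 is a constructed stand-in for a vendor field the
# collector does not know; it is deliberately absent from this table.
FIELD_NAMES = {
    1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
    11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 233: "FW_EVENT",
}
FW_EVENT_CREATE, FW_EVENT_TEARDOWN, FW_EVENT_DENY = 1, 2, 3


class V9Collector:
    def __init__(self, strict=False):
        self.strict = strict             # reject templates with unknown field types
        self.templates = {}              # (source_id, template_id) -> [(type, length), ...]
        self.invalid_templates = []      # (template_id, [unknown field types])
        self.orphans = 0                 # data FlowSets seen before their template

    def feed(self, packet):
        """Parse one v9 export packet; return the decoded data records."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4:
                break
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:                       # template FlowSet
                self._templates(source_id, body)
            elif fs_id >= 256:                   # data FlowSet keyed by template ID
                records.extend(self._data(source_id, fs_id, body))
            off += fs_len                        # IDs 1-255 (options) are skipped here
        return records

    def _templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            unknown = [t for t, _ in fields if t not in FIELD_NAMES]
            if unknown and self.strict:          # the "invalid V9 template" case
                self.invalid_templates.append((tid, unknown))
                continue
            self.templates[(source_id, tid)] = fields

    def _data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:                       # template not seen yet: cannot decode
            self.orphans += 1
            return []
        rec_len = sum(length for _, length in fields)
        out, off = [], 0
        while off + rec_len <= len(body):        # trailing padding is ignored
            rec = {}
            for ftype, flen in fields:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype)
                if name is None:                 # lenient mode: skip unknown fields
                    continue
                rec[name] = ".".join(map(str, raw)) if name.endswith("_ADDR") else int.from_bytes(raw, "big")
            out.append(rec)
        return out


def top_talkers(records, n=3):
    """Bytes per host pair, counted only from teardown records (final counts);
    the pair is unordered because ASA counters are bidirectional."""
    totals = defaultdict(int)
    for r in records:
        if r.get("FW_EVENT") != FW_EVENT_TEARDOWN:
            continue
        pair = tuple(sorted((r["IPV4_SRC_ADDR"], r["IPV4_DST_ADDR"])))
        totals[pair] += r.get("IN_BYTES", 0)
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


# --- constructed sample export (not a real ASA capture) ---------------------
TEMPLATE_ID = 266
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (1, 4), (40999, 4)]


def v9_packet(source_id, seq, flowset_id, body, count):
    header = struct.pack("!HHIIII", 9, count, 0, 0, seq, source_id)
    return header + struct.pack("!HH", flowset_id, 4 + len(body)) + body


def nsel_record(src, dst, sport, dport, event, nbytes):
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return ip(src) + ip(dst) + struct.pack("!HHBBI", sport, dport, 6, event, nbytes) + b"\x00" * 4


def sample_packets():
    tbody = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE)) + b"".join(struct.pack("!HH", *f) for f in TEMPLATE)
    recs = [
        nsel_record("10.0.0.5", "198.51.100.10", 51000, 443, FW_EVENT_CREATE, 0),
        nsel_record("10.0.0.5", "198.51.100.10", 51000, 443, FW_EVENT_TEARDOWN, 5000),
        nsel_record("10.0.0.7", "198.51.100.10", 51001, 443, FW_EVENT_TEARDOWN, 1500),
        nsel_record("10.0.0.9", "198.51.100.10", 51002, 23, FW_EVENT_DENY, 0),
    ]
    return v9_packet(1, 1, 0, tbody, 1), v9_packet(1, 2, TEMPLATE_ID, b"".join(recs), len(recs))


def run(strict):
    c = V9Collector(strict=strict)
    template_pkt, data_pkt = sample_packets()
    records = c.feed(data_pkt)                   # arrives before the template: orphaned
    records += c.feed(template_pkt) + c.feed(data_pkt)
    return {"records": len(records), "orphans": c.orphans,
            "invalid": c.invalid_templates, "top": top_talkers(records)}


if __name__ == "__main__":
    print("lenient:", run(strict=False))
    print("strict: ", run(strict=True))
```

In lenient mode the collector decodes all four records but still logs one orphaned data FlowSet from before the template arrived, and the top-talker table holds only the two torn-down flows (the create and deny events carry no final byte counts). In strict mode the template with the unknown field type is rejected, so every data FlowSet for ID 266 is dropped, which is exactly what the original poster's log lines describe.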

                                                          • Re: Netflow on ASA
                                                            Donald_Francis

                                                            That's not too bad. Unless you change the default config, Cisco devices only send the flow data once the flow is completed.

                                                            Their post DOES make it sound as if it will also send traffic info on top of the security data. This is big news; we all here thought it would not.

                                                              • Re: Netflow on ASA
                                                                Donald_Francis

                                                                Also, as far as I know, SolarWinds supports version 9; I run v9 on my routers and it works fine.

                                                                I think the deal is that the ASA implementation of NetFlow is a little different, and that is what keeps SolarWinds from working with it.

                                                                  • Re: Netflow on ASA
                                                                    Andy McBride

                                                                    Yes - SolarWinds NTA does support NetFlow v9 exports. I don't know why Cisco support would say otherwise.

                                                                      • Re: Netflow on ASA
                                                                        denny.lecompte

                                                                        Andy's right. We support NetFlow v9. We don't support Cisco's Flexible NetFlow technology, which is what they're leveraging for the ASA. I suspect their support rep is using the two interchangeably.

                                                                        Even if we could support Flexible NetFlow and parse the ASA packet, it's not the same info as a standard v9 packet.  It would be different data and would not populate charts and tables we show for standard NetFlow sources.

                                                                    • Re: Netflow on ASA
                                                                      chris.lapoint

                                                                      That's not too bad. Unless you change the default config, Cisco devices only send the flow data once the flow is completed.

                                                                      Their post DOES make it sound as if it will also send traffic info on top of the security data. This is big news; we all here thought it would not.

                                                                      Thanks to everyone for your posts on this subject. Based on the interest level, it definitely warrants further exploration on our side.

                                                                      I've spoken with dev, and they need a packet capture of NetFlow v9 data from the Cisco ASA. Donald, I'm going to reach out to you directly to see if you'd be willing to help work with us on this one. I'll update this thread with the results of our investigation.

                                                                      UPDATE 9/14/09: We've released NTA 3.5 SP2, which adds Cisco ASA support. Please see this post for more details: Orion NTA 3.5 - Service Pack 2 now available (adds Cisco ASA support)

                                                  • Re: Netflow on ASA
                                                    dwiens

                                                    I haven't researched this, but do the ASAs send the regular NetFlow data as well as the security info via NetFlow, or is it just the security info?

                                              • Re: Netflow on ASA

                                                Hi,

                                                We also have a requirement to gain visibility into traffic flows from our ASA 5550 firewalls for the purposes of analysing web site traffic etc.

                                                This feature is extremely valuable, as we currently monitor all our WAN routers via the SolarWinds NetFlow module and are capable of instantly obtaining a snapshot of all internal network traffic flows, but not external, as our ASAs cannot be monitored via NetFlow.

                                                I have already raised this with your support team, who have assured us this is top priority for your dev team (or so they said) :)

                                                  • Re: Netflow on ASA
                                                    denny.lecompte

                                                    We also have a requirement to gain visibility into traffic flows from our ASA 5550 firewalls for the purposes of analysing web site traffic etc.

                                                    I understand, but the ASA's data flow does not include traffic. It does not include the standard NetFlow data.

                                                      • Re: Netflow on ASA
                                                        Donald_Francis

                                                        Actually, it looks like it does indeed include traffic data. I did some captures and looked at the payload of the packets and saw traditional NetFlow.

                                                        I would not jump ship yet; I would think we should see it in NTA before too long, but that's a total guess.

                                                    • Re: Netflow on ASA
                                                      rudedawg

                                                      I just spoke with Plixer, and they were quite pleased that version 7 of Scrutinizer (their latest version of their NetFlow analyzer) will work with the ASA 5510, but, as has been recorded in this forum, the traffic conversations will be represented in the data ONLY after they have finished, causing latency in their presentation (not real time).

                                                      • Re: Netflow on ASA
                                                        ddemetra

                                                        This is good news that NetFlow from the ASAs will soon be supported.

                                                        We have a 7204 router that could send us NetFlow, but it is outside our firewalls.

                                                        This not only makes collecting the data harder, but the collected data will only show the PAT'ed addresses, so it would not be nearly as useful.

                                                        As a current support contributor, I would also like to see this moved up in the priority list for the next release.


                                                        Thanks, Dimitri

                                                        • Re: Netflow on ASA
                                                          ddemetra

                                                          Chris, does it look like the NetFlow IPs will be pre-PAT when captured from the ASAs?

                                                          Thanks, Dimitri