6 Replies Latest reply on Sep 2, 2011 3:02 PM by Andy McBride

    New Paper on Cisco ASA NetFlow

    Andy McBride

      This paper enhances the information given on the ASA NetFlow KB allowing the user to better understand how NetFlow operates on ASA devices. It explains what the user is doing when configuring ASA NetFlow and includes steps for troubleshooting.




      http://www.solarwinds.com/support/Netflow/docs/understandingciscoasanetflow.pdf

        • Re: New Paper on Cisco ASA NetFlow
          timsilverline

          Thanks for posting this.  It is helpful in understanding how the ASA works.


          I am a bit confused by this part of your comparison table... "All flows are shown without a direction marker (Also referred to as bidirectional)"


          What I am seeing in Solarwinds is that the traffic ingress vs egress are appearing exactly the opposite of the actual traffic flows.  All of my top transmitters are actually the top receivers and vice versa.


          Any help on how to correct this?

            • Re: New Paper on Cisco ASA NetFlow
              Jesquitin

              The ASA firewalls keep track of traffic differently than a router.  ASA traffic is tagged by where the connection was initiated from.  Routers and switches use unidirectional flows: flows are exported in one direction, A>B (300 KB), and the return traffic B>A (100 KB).  With bidirectional, both are added and will show in the direction of the initiator, A>B (400 KB).  This is why the utilization appears to be opposite, but you are seeing the correct values based on how the ASA reports this.  Not sure why Cisco decided to go this route.


              Hope this helps to better understand/interpret the data.
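The accounting described in the reply above, as an added example that is not part of the thread and not code from SolarWinds or Cisco: it collapses router-style unidirectional flow records into ASA-style bidirectional records credited to the connection initiator, and then shows why a collector that reads those records with ordinary src/dst semantics reports the initiator as the top transmitter even when it is actually the top receiver (the swap timsilverline observed). The flow records, the `initiators` lookup that stands in for the ASA's connection table, and all host names and byte counts are constructed for illustration.

```python
"""Added example, not from the thread or from SolarWinds/Cisco: collapse
unidirectional flow records (router style) into ASA-style bidirectional
records credited to the connection initiator, then show why reading those
records with unidirectional semantics swaps transmitters and receivers.
All flow records here are constructed for illustration."""
from collections import defaultdict

# Constructed router-style unidirectional flows: (src, dst, bytes).
# The reply's numbers: A initiated, sent 300 KB, B returned 100 KB.
ROUTER_FLOWS = [("A", "B", 300_000), ("B", "A", 100_000)]

# Constructed client download: C initiates to server S, sends a small
# request and receives a large response.
DOWNLOAD_FLOWS = [("C", "S", 10_000), ("S", "C", 5_000_000)]


def to_bidirectional(flows, initiators):
    """Sum both directions of each connection under (initiator, responder).

    `initiators` maps a sorted host pair to the host that opened the
    connection; it stands in for the ASA's connection table (an assumption
    of this example). Returns {(initiator, responder): total_bytes}.
    """
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        pair = tuple(sorted((src, dst)))
        init = initiators[pair]
        resp = dst if src == init else src
        totals[(init, resp)] += nbytes
    return dict(totals)


def per_host_totals(flows):
    """(bytes sent, bytes received) per host, reading src->dst literally."""
    sent, recv = defaultdict(int), defaultdict(int)
    for src, dst, nbytes in flows:
        sent[src] += nbytes
        recv[dst] += nbytes
    return {h: (sent[h], recv[h]) for h in set(sent) | set(recv)}


def top_transmitter(flows):
    """Host with the most bytes sent under a literal src->dst reading."""
    return max(per_host_totals(flows).items(), key=lambda kv: kv[1][0])[0]


def asa_view(flows, initiators):
    """Flows as a collector sees them after ASA export: one record per
    connection, src = initiator, dst = responder, bytes = both directions."""
    return [(i, r, b) for (i, r), b in to_bidirectional(flows, initiators).items()]


if __name__ == "__main__":
    init = {("A", "B"): "A"}
    print(to_bidirectional(ROUTER_FLOWS, init))  # {('A', 'B'): 400000}
    dl_init = {("C", "S"): "C"}
    # The server really sends the most bytes...
    print("real top transmitter:", top_transmitter(DOWNLOAD_FLOWS))  # S
    # ...but the ASA record credits everything to the initiating client.
    print("ASA-view top transmitter:",
          top_transmitter(asa_view(DOWNLOAD_FLOWS, dl_init)))  # C
```

For clients that mostly download, the initiator-credited total is dominated by received bytes, so a top-transmitters report built from ASA records is effectively a top-receivers report; a collector can only undo this if the export carries separate initiator and responder counters, which is the feature-enhancement point raised later in the thread.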

                • Re: New Paper on Cisco ASA NetFlow
                  timsilverline

                  Yes this does help to interpret the data - except the data is essentially useless.

                  I know - not Solarwinds fault - but what was/is Cisco thinking?

                  "Let's implement a feature everyone has been asking for but do it in a way that makes the feature unusable.  That will really make us a visionary!"

                  Come on Cisco, please explain your reasoning because since reading about this on here I have found tons of articles all over the web bashing this approach and not one single explanation so far of how this implementation could be beneficial in any way.

                • Re: New Paper on Cisco ASA NetFlow
                  Andy McBride

                  That is a symptom of the bidirectional export. Cisco does not identify directionality in the ASA export, so the solution would have to be a Cisco feature enhancement.

                • Re: New Paper on Cisco ASA NetFlow
                  jroysdon

                  Follow the PDF.  It has an extra line I didn't see in other configs:

                  flow-export template timeout-rate 1

                  My Orion setup originally worked fine with my ASA.  After some Windows patches and a server reboot, it would not.  The cflow.count == 13 packets were getting sent to the server every 30 minutes by default, but Orion wasn't keeping them or something and missing them.  Changing them to every minute resolved my issue.
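Why the template timeout matters, as an added example that is not part of the thread and not SolarWinds or Cisco code: a toy collector in the style of a NetFlow v9 template-based receiver can only decode data records whose template it has already cached, so a collector that restarts between template refreshes drops every record until the next template arrives. With the ASA's 30-minute default that gap can be almost half an hour; with `timeout-rate 1` it is bounded to a minute. The packet dictionaries, the per-minute schedule and the restart point are constructed stand-ins, not the real wire format.

```python
"""Added example, not from the thread or from SolarWinds/Cisco: a toy
template-based collector (NetFlow v9 style) that decodes data records
only after receiving the matching template, used to show how the
template timeout bounds the data lost after a collector restart.
Packets are constructed dictionaries, not the real wire format."""


def export_stream(minutes, template_timeout, template_id=256):
    """Yield (minute, packet): a template every `template_timeout` minutes
    (starting at minute 0) and one data record every minute."""
    for m in range(minutes):
        if m % template_timeout == 0:
            yield m, {"type": "template", "id": template_id,
                      "fields": ["src", "dst", "bytes"]}
        yield m, {"type": "data", "template": template_id,
                  "values": ["10.0.0.1", "10.0.0.2", 1000 + m]}


class Collector:
    """Keeps a template cache; data with an unknown template is dropped,
    which is what a v9 collector must do since it cannot parse the fields."""

    def __init__(self):
        self.templates = {}
        self.decoded = []
        self.dropped = 0

    def receive(self, pkt):
        if pkt["type"] == "template":
            self.templates[pkt["id"]] = pkt["fields"]
            return
        fields = self.templates.get(pkt["template"])
        if fields is None:  # no template yet: record cannot be interpreted
            self.dropped += 1
            return
        self.decoded.append(dict(zip(fields, pkt["values"])))

    def restart(self):
        """Simulate a process restart: the in-memory template cache is lost."""
        self.templates = {}


def simulate(template_timeout, restart_at, minutes=60):
    """Run a collector that restarts at the start of minute `restart_at`.
    Returns (decoded_count, dropped_count) over `minutes` minutes."""
    c = Collector()
    restarted = False
    for minute, pkt in export_stream(minutes, template_timeout):
        if minute >= restart_at and not restarted:
            c.restart()
            restarted = True
        c.receive(pkt)
    return len(c.decoded), c.dropped


if __name__ == "__main__":
    # Constructed scenario: collector restarts at minute 5 of a 60-minute run.
    print("timeout-rate 30:", simulate(30, 5))  # (35, 25): 25 minutes lost
    print("timeout-rate 1: ", simulate(1, 5))   # (60, 0): nothing lost
```

The same mechanism explains an exporter that starts sending to a collector that was already running: until the first template arrives, every data record is undecodable, so a short template timeout is also what makes a freshly added ASA show up in the collector quickly.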