Error No data found

[lingweican]

so did it help anyone ?

[tmcdonald]

We will have to wait and see. Sometimes it takes a while for people to get back to us.

[fisko]

Strange...have a same problem...collecting netflow from ASA firewall...have all permisions...have all time synced...have nfdump files ....

What I observe that I don't have TIme Window in nfdump files...and I have for some events timestamp 1970....



Any help!

[ssax]

fisko, are you reading the files with "nfdump -r nfcapd.DUMPDATE" and it's showing no date/time? Is it doing this for all of the files or did this just start happening?

[fisko]

yes I read the files...it is happening from the beginning...

1970-01-01 01:00:00.318 -0.318 TCP 192.168.83.12:60927 -> 10.37.100.4:771 0 0 1
2015-04-02 02:39:29.375 0.000 TCP 192.168.83.35:1991 -> 192.168.1.4:445 0 0 1
2015-04-02 02:39:29.375 0.000 TCP 192.168.83.35:1992 -> 192.168.1.4:139 0 0 1
2015-04-02 02:39:29.375 0.000 UDP 192.168.83.35:1993 -> 192.168.1.4:88 0 0 1
2015-04-02 02:39:29.385 0.000 TCP 192.168.83.35:1994 -> 192.168.1.4:88 0 0 1
2015-04-02 02:39:29.405 0.000 TCP 192.168.83.35:1995 -> 192.168.1.10:80 0 0 1
2015-04-02 02:39:29.475 0.000 TCP 192.168.83.35:1996 -> 192.168.1.4:445 0 0 1
2015-04-02 02:39:29.475 0.000 TCP 192.168.83.35:1997 -> 192.168.1.4:139 0 0 1
2015-04-02 02:39:29.475 0.000 UDP 192.168.83.35:1998 -> 192.168.1.4:88 0 0 1
2015-04-02 02:39:29.475 0.000 TCP 192.168.83.35:1999 -> 192.168.1.4:88 0 0 1
2015-04-02 02:39:59.510 0.000 UDP 192.168.85.25:51485 -> 192.168.1.10:53 0 47 1
2015-04-02 02:39:29.495 0.000 TCP 192.168.83.35:2000 -> 192.168.1.10:80 0 0 1
2015-04-02 02:39:29.545 0.000 TCP 192.168.83.35:2001 -> 192.168.1.4:445 0 0 1
2015-04-02 02:39:29.545 0.000 TCP 192.168.83.35:2002 -> 192.168.1.4:139 0 0 1
2015-04-02 02:39:29.555 0.000 UDP 192.168.83.35:2003 -> 192.168.1.4:88 0 0 1
Summary: total flows: 15335, total bytes: 4712358, total packets: 0, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: Time Window unknown
Total flows processed: 15335, Blocks skipped: 0, Bytes read: 920344

[tgriep]

Can you run the following on the NA system and post back the results?

Code: Select all

date
ll /etc/localtime
grep date.timezone /etc/php.ini
grep ZONE /etc/sysconfig/clock

Could you post how your Cisco ASA is setup to send the flows so we can review it?
Maybe the template isn't getting sent to the NA server.

[fisko]

[root@localhost ~]# date
Fri Apr 3 08:15:30 CEST 2015
[root@localhost ~]# ll /etc/localtime
lrwxrwxrwx 1 root root 37 Apr 3 08:14 /etc/localtime -> ../usr/share/zoneinfo/Europe/Sarajevo
[root@localhost ~]# grep date.timezone /etc/php.ini
; http://php.net/date.timezone
date.timezone = Europe/Sarajevo
[root@localhost ~]# grep ZONE /etc/sysconfig/clock
grep: /etc/sysconfig/clock: No such file or directory

ASA have fixed template for netflow and by default it exports it every 30 minutes...

Here is the ASA part


flow-export destination inside 192.168.1.53 2055
flow-export template timeout-rate 5
flow-export delay flow-create 30
flow-export active refresh-interval 2

class global-class
flow-export event-type all destination 192.168.1.53

THANKS!

[fisko]

Totally ASA issue...I send netflow from router and I get the data...

What I observe...I saw netflow packet count on ASA 51xxxx and when I nfdump files in analyzer I saw packet count 0...I assume that is why I don't have no data found...

THANKS!

[fisko]

Well it seems that must be used particular version of nfdump that can read ASA netflow v9 format

http://comments.gmane.org/gmane.network ... eneral/767

THANKS!

[tgriep]

What version of Network Analyzer are you running?
The latest version is running nfdump: Version: 1.6.13
Try upgrading and see if that fixes it for you.