Zero'd packet count with Cisco ASA

reinaldo.gomes · Post by **reinaldo.gomes** » Wed Sep 21, 2016 2:28 pm

I have no idea why the packets count is shown as 0. The flow exporter is a Cisco ASA 5512 and the Incoming Flow Type on Nagios is "NetFlow".
Any thoughts?

Sem título.png

Post by **tgriep** » Wed Sep 21, 2016 4:06 pm

Something looks wrong in your report, in the top, it says that it is only showing data from 16:10 to 16:15 which isn't 24 hours.
Try recreating that report or try one of the default ones and see if it still displays the wrong data.
Also, is the time in sync between the ASA and the NNA server?
If not, sometimes that causes the issue you are having.

reinaldo.gomes · Post by **reinaldo.gomes** » Wed Sep 21, 2016 5:27 pm

The result, regarding packets count, is the same no matter which report (custom or default) I use. Even the queries show the same result.

The reason why it shows "24h" and "from 16:10 to 16:15" at the same time is because I did the following:
Dashboard -> Abnormal behavior -> Clicked on the 16:10's green tile -> Selected "Top Talking Source IP"

Regarding to the time sync, I've just noticed that the nagios server's system clock was sync'ed with the ASA, but the hardware clock wasn't. Not sure if that makes any difference, but now they're both sync'ed, and I restarted the source's process.

Anyway, it's still showing 0 packets

Post by **tgriep** » Thu Sep 22, 2016 9:37 am

After the syncing of the time, if it still showing 0 packets for new abnormal behavior of the old one?
If you select a good section of abnormal behavior, do you see the same issue?

reinaldo.gomes · Post by **reinaldo.gomes** » Thu Sep 22, 2016 10:26 am

After syncing, it's still showing 0 packets, although there are plenty of bytes and other info, no matter which view, report, etc I use, nor which time range I select.

Post by **tgriep** » Thu Sep 22, 2016 10:43 am

Does the standard Top 5 Talkers By Source IP (Last 24 Hours) report show correct data or is it exhibiting the same issue?
Can you change the flow version from v9 to v5 in the ASA and see if that resolves the issue?

reinaldo.gomes · Post by **reinaldo.gomes** » Thu Sep 22, 2016 10:58 am

tgriep wrote:Does the standard Top 5 Talkers By Source IP (Last 24 Hours) report show correct data or is it exhibiting the same issue?

Apparently it shows the correct data (IPs, Ports and Bytes), but it doesn't have a "packets" column:

Sem título.png

tgriep wrote:Can you change the flow version from v9 to v5 in the ASA and see if that resolves the issue?

I can't:

"The ASA only supports NetFlow version 9 and there are no plans to support NetFlow version 5."

Post by **tgriep** » Thu Sep 22, 2016 1:38 pm

I have beet trying to recreate the issue but I cannot seem to do so.
It could be that the ASA isn't sending the information so it could be a configuration issue on the ASA firewall.
Can you post the configuration for that so I can view it?
What version of IOS is it running?
Also, can you click on the Reports Menu and run one of the default reports for that source and see if it reports the Packets?

reinaldo.gomes · Post by **reinaldo.gomes** » Fri Sep 23, 2016 3:03 pm

I'm very busy with some other tasks today, but come monday I should be able to resume the tests

rkennedy · Post by **rkennedy** » Mon Sep 26, 2016 11:06 am

Sounds good - let us know the answers to what @tgriep asked when you have a chance.

Nagios Support Forum

Zero'd packet count with Cisco ASA

Zero'd packet count with Cisco ASA

Re: Zero'd packet count

Re: Zero'd packet count

Re: Zero'd packet count

Re: Zero'd packet count

Re: Zero'd packet count

Re: Zero'd packet count

Re: Zero'd packet count

Re: Zero'd packet count

Re: Zero'd packet count