
Re: Zero'd packet count

Posted: Tue Sep 27, 2016 3:11 pm
by reinaldo.gomes
I've just set up a second ASA as a netflow source, following this guide (which is exactly what I had done before), and it shows the same issue.
tgriep wrote:Can you post the configuration for that so I can view it?
I could, but everything looks exactly like the screens in the guide above. Do you need any specifics?
tgriep wrote:What version of IOS is it running?
"show version" shows:
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)102

tgriep wrote:Also, can you click on the Reports Menu and run one of the default reports for that source and see if it reports the Packets?
All four default reports, on both sources, show 0 packets :?

Re: Zero'd packet count

Posted: Tue Sep 27, 2016 4:13 pm
by bwallace
Thanks for the details. Here are a few things to try / check:


1) In ASDM, choose Tools > Command Line Interface.
- In the Command field, enter the show flow-export counters command to display runtime counters,
including statistical data and error data for NSEL and post the output here. I'd like to see what is recorded in the 'packet count' field.


2) On the NNA machine, Navigate to /usr/local/nagiosna/var/<source name>/flows
Find the newest nfcap file that is not nfcap.current. Then run:
nfdump -r <newest nfcap file>

Do you see a packet count in the summary section at the bottom? Feel free to post the output here if in any doubt, but please scrub sensitive data first.


3) If steps one and two reveal nothing, run a packet capture on the NNA machine filtered for source port, be sure to save this as a pcap file so I can load it into Wireshark. Let the capture run for at least 5 minutes and PM me the capture.pcap file when finished.

tcpdump -s 0 -i any dst port <source port number> -w capture.pcap
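The three checks above are easy to script once the outputs are in hand. The following is an added example (not from the thread, Nagios NA or the ASA) that parses `show flow-export counters` output and an nfdump summary line and says which failure mode the numbers point at: exporter errors, nothing sent, or records arriving without a packet count. The sample text is constructed in the formats the ASA and nfdump print (modelled on this thread's posted output); `diagnose`, its port argument and the verdict strings are the example's own.

```python
import re

# Constructed sample in the format of `show flow-export counters` (modelled on the thread).
ASA_COUNTERS = """\
destination: DMZ_MPLS-NET 1.1.1.1 9991
  Statistics:
    packets sent                                           107653
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0
    source port allocation failure                              0
"""
# Constructed sample of the last "Summary:" line printed by `nfdump -r <file>`.
NFDUMP_SUMMARY = ("Summary: total flows: 9826, total bytes: 27682988, total packets: 0, "
                  "avg bps: 737780, avg pps: 0, avg bpp: 0")


def parse_flow_export_counters(text):
    """Return {(collector_ip, port): {'packets sent': n, 'errors': {name: n}}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"destination:\s+\S+\s+(\S+)\s+(\d+)", line)
        if m:  # "destination: <interface> <ip> <port>"
            current = (m.group(1), int(m.group(2)))
            result[current] = {"packets sent": 0, "errors": {}}
            continue
        m = re.match(r"\s+(.+?)\s{2,}(\d+)\s*$", line)  # "<counter name>   <value>"
        if m and current is not None:
            name, value = m.group(1), int(m.group(2))
            if name == "packets sent":
                result[current]["packets sent"] = value
            else:
                result[current]["errors"][name] = value
    return result


def parse_nfdump_summary(line):
    """Turn 'Summary: total flows: 9826, ...' into {'total flows': 9826, ...}."""
    _, _, fields = line.partition("Summary:")
    return {k.strip(): int(v) for k, v in re.findall(r"([a-z ]+?):\s*(\d+)", fields)}


def diagnose(counters, summary, collector_port):
    """Hypothetical triage helper: map the two outputs to one of the thread's failure modes."""
    dests = [v for (_ip, port), v in counters.items() if port == collector_port]
    if not dests:
        return "exporter has no flow-export destination on the collector port"
    dest = dests[0]
    errors = {name: n for name, n in dest["errors"].items() if n}
    if errors:
        return f"exporter reports errors: {errors}"
    if dest["packets sent"] == 0:
        return "exporter is not sending any export packets"
    if summary["total flows"] > 0 and summary["total packets"] == 0:
        return "export healthy but records carry no packet count: field absent from the exported template"
    return "ok: flows and packet counts present"


if __name__ == "__main__":
    counters = parse_flow_export_counters(ASA_COUNTERS)
    summary = parse_nfdump_summary(NFDUMP_SUMMARY)
    print(diagnose(counters, summary, 9991))
```

If the summary already shows flows with `total packets: 0` and the exporter reports no errors, the capture in step 3 will only confirm what nfdump already says: the records themselves lack the counter.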

Re: Zero'd packet count

Posted: Wed Sep 28, 2016 9:58 am
by reinaldo.gomes
bwallace wrote:1) In ASDM, choose Tools > Command Line Interface.
- In the Command field, enter the show flow-export counters

Code:

Result of the command: "show flow-export counters"

destination: DMZ_MPLS-NET 1.1.1.1 9991
  Statistics:
    packets sent                                           107653
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0
    source port allocation failure                              0

destination: DMZ_MPLS-NET 2.2.2.2 9999
  Statistics:
    packets sent                                         97954496
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0
    source port allocation failure                              0
The second one was already there when I configured my source (mine is the one with less packets).
bwallace wrote:2) On the NNA machine, Navigate to /usr/local/nagiosna/var/<source name>/flows
Find the newest nfcap file that is not nfcap.current. Then run:
nfdump -r <newest nfcap file>

Do you see a packet count in the summary section at the bottom?

Code:

nfdump -r nfcapd.201609281130
...
Summary: total flows: 9826, total bytes: 27682988, total packets: 0, avg bps: 737780, avg pps: 0, avg bpp: 0
Time window: 2016-09-28 11:29:59 - 2016-09-28 11:34:59
Total flows processed: 9826, Blocks skipped: 0, Bytes read: 1133448
Sys: 0.142s flows/second: 68724.3    Wall: 0.401s flows/second: 24483.1
bwallace wrote:3) If steps one and two reveal nothing, run a packet capture on the NNA machine filtered for source port, be sure to save this as a pcap file so I can load it into Wireshark. Let the capture run for at least 5 minutes and PM me the capture.pcap file when finished.
Thanks, will do that.

Re: Zero'd packet count

Posted: Wed Sep 28, 2016 10:26 am
by bwallace
Thanks for the details but it won't be necessary to run the tcpdump since the packet count isn't even written into the flow record, as seen when you manually read the nfcap file using nfdump:

Summary: total flows: 9826, total bytes: 27682988, total packets: 0, avg bps: 737780, avg pps: 0, avg bpp: 0

I'm unable to determine why the ASA device is not including the packet count in the flow record. From what I can tell, the ASA is properly configured for netflow. Are you able to check with Cisco about this?

Re: Zero'd packet count

Posted: Wed Sep 28, 2016 10:38 am
by reinaldo.gomes
I think so. I'll report back if I get an answer from them.

Re: Zero'd packet count

Posted: Wed Sep 28, 2016 11:22 am
by bwallace
Say, before going that route, one other thing -- refer to our doc on ASA netflow configuration and compare it to the doc you followed. When you do a 'sh config' right now, do you see an entry for:
flow-export template timeout-rate 1

In our doc refer to the bottom of page one for configuring an ASA. If you have 'flow-export template timeout-rate' set to zero (or the entry doesn't exist) then that is a possible reason why we're not seeing a packet count.
https://assets.nagios.com/downloads/nag ... 1456514247
Let us know what you find out....

Re: Zero'd packet count

Posted: Wed Sep 28, 2016 1:30 pm
by reinaldo.gomes
bwallace wrote:refer to our doc on ASA netflow configuration and compare it to the doc you followed.
The only difference I noticed was "logging flow-export-syslogs disable" not present. But on the GUI, the "Disable redundant syslog messages" is checked.
bwallace wrote: When you do a 'sh config' right now, do you see an entry for:
flow-export template timeout-rate 1
It does show in the 'sh config'. It is set to 1min.

I did some debugging on the pcap capture, and found out a couple things.

The template is indeed being sent to NNA, as I've been able to identify such a packet with tcpdump, but there's no mention of a "packets" field in any of the thirteen templates in this packet. I'm not sure what a Netflow v9 template should look like, though:
template.png
This is what the final flow from a random packet looks like, using the above template:
netflow.png
Does ASA's netflow usually show packets' info on NNA? In such a case, what is the "packets" field name?
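For the question above: in NetFlow v9 the per-flow packet counter is field type 2, IN_PKTS (RFC 3954), and nfdump surfaces it as the Packets column and the summary's "total packets"; if none of the thirteen templates in the capture list type 2, no record built from them can carry a packet count. The following is an added example (not from the thread, Nagios NA or Cisco) that decodes the Template FlowSet of a v9 export packet and reports which templates lack IN_PKTS. The two templates and the packet are constructed, not a capture of the ASA; `build_template_packet`, `parse_templates`, `templates_missing_packet_count` and the field-name table are the example's own.

```python
import struct

# NetFlow v9 field types from RFC 3954, for the fields this example reports on.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
               21: "LAST_SWITCHED", 22: "FIRST_SWITCHED"}
IN_PKTS = 2
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix secs, sequence, source ID
PAIR = struct.Struct("!HH")        # FlowSet header, template header and (type, length) specs

# Constructed templates (not a capture): 256 carries byte counts but no packet
# counter, 257 is a classic router-style template that has both.
SAMPLE_TEMPLATES = [
    (256, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]),
    (257, [(8, 4), (12, 4), (1, 4), (2, 4)]),
]


def build_template_packet(templates):
    """Serialise a v9 export packet holding a single Template FlowSet (FlowSet ID 0)."""
    body = b"".join(
        PAIR.pack(tid, len(fields)) + b"".join(PAIR.pack(t, l) for t, l in fields)
        for tid, fields in templates)
    flowset = PAIR.pack(0, PAIR.size + len(body)) + body
    return HEADER.pack(9, len(templates), 0, 0, 0, 0) + flowset


def parse_templates(packet):
    """Walk the FlowSets of a v9 packet; return {template_id: [(type, length), ...]}."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version = HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates, offset = {}, HEADER.size
    while offset + PAIR.size <= len(packet):
        fs_id, fs_len = PAIR.unpack_from(packet, offset)
        if fs_len < PAIR.size or offset + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        end = offset + fs_len
        if fs_id == 0:                       # Template FlowSet
            pos = offset + PAIR.size
            while pos + PAIR.size <= end:
                tid, nfields = PAIR.unpack_from(packet, pos)
                pos += PAIR.size
                if nfields == 0:             # zero padding at the end of the FlowSet
                    break
                if pos + nfields * PAIR.size > end:
                    raise ValueError("template runs past its FlowSet")
                templates[tid] = [PAIR.unpack_from(packet, pos + i * PAIR.size)
                                  for i in range(nfields)]
                pos += nfields * PAIR.size
        # FlowSet ID 1 (options template) and IDs >= 256 (data records) are skipped here.
        offset = end
    return templates


def describe(templates):
    """Template IDs mapped to human-readable field names."""
    return {tid: [FIELD_NAMES.get(t, f"type_{t}") for t, _ in fields]
            for tid, fields in templates.items()}


def templates_missing_packet_count(templates):
    """IDs of templates that define no IN_PKTS field, i.e. records without a packet count."""
    return sorted(tid for tid, fields in templates.items()
                  if not any(t == IN_PKTS for t, _ in fields))


if __name__ == "__main__":
    found = parse_templates(build_template_packet(SAMPLE_TEMPLATES))
    for tid, names in describe(found).items():
        print(tid, names)
    print("templates without IN_PKTS:", templates_missing_packet_count(found))
```

Pointing `parse_templates` at the UDP payload of a real template packet (the one identified with tcpdump above) gives the same listing for the exporter's actual templates.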

Re: Zero'd packet count

Posted: Wed Sep 28, 2016 2:40 pm
by tgriep
I set up an ASA5505 to send netflow and I am seeing the same thing. No packets.
I did a little research and what I found says that ASA firewalls may not send packet information in the netflow data and we may be chasing a ghost.
I'll keep looking and if I find something, I'll post back.

Re: Zero'd packet count

Posted: Wed Sep 28, 2016 3:17 pm
by reinaldo.gomes
I've noticed quite a few more issues with my tests. I did the following download:

Code:

[user@server tmp]$ wget http://fisica.ufpr.br/kurumin/kurumin-7.0.iso
--2016-09-28 15:37:53--  http://fisica.ufpr.br/kurumin/kurumin-7.0.iso
Resolving fisica.ufpr.br (fisica.ufpr.br)... 200.238.171.246, 2801:82:80ff:7fcf:c23f:d5ff:fe43:ff9e
Connecting to fisica.ufpr.br (fisica.ufpr.br)|200.238.171.246|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 679045120 (648M) [application/x-iso9660-image]
Saving to: ‘kurumin-7.0.iso’

100%[======================================================================================================================================================>] 679,045,120 5.35MB/s   in 2m 7s
1) When I queried NagiosNA by the server's IP, the total bytes count was 624MB (should be 647~648MB as shown above). I can't generate that image anymore (due to issue #5), but trust me, the value was 624MB. The bytes count was "correctly" sent by ASA, although the timestamps seem a little bit messed up:

Code:

[user@localhost flows]$ nfdump -r nfcapd.201609281535 | grep 200.238.171.246
2016-09-28 15:37:54.289 CREATE  Ignore TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80           0        0
2016-09-28 15:37:54.289 UPDATE  Ignore TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80         135  329.2 M
2016-09-28 15:38:55.858 UPDATE  Ignore TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80           0  325.4 M
[user@localhost flows]$ nfdump -r nfcapd.201609281540 | grep 200.238.171.246
2016-09-28 15:39:57.048 UPDATE    2031 TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80           0   24.5 M
2016-09-28 15:37:54.289 DELETE    2031 TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80         135  679.0 M
2) Notice that summing up only the flows from the first file (nfcapd.201609281535), we get exactly 624MB (it's actually 654.6, but it's due to the next issue) as I stated earlier as the value shown by Nagios NA.

3) Notice that the value sent was already in MB (e.g. 329.2MB), but NagiosNA treated it as "329,200,000" and divided it by 1024 twice:

Code:

((329.2 + 325.4) × 10^6) / 1024 / 1024 = 624MB
4) The duration shown in the NagiosNA's query was 61.569s, even though we know it took over 2min. Notice that from flow 2 to flow 3 (first file), we have exactly 61.569s.
#3 and #4 seem to have happened because it was split between two different files.

5) After doing a second download from that same website (same file too), there were even more issues:
download.png
Bytes count is wrong. File is 648MB long. Flows count is wrong. Should be 5 from first download, and 2 more from the second download (it seems to have counted only 3 flows from the first file during the first download). "Average Bytes/Sec" is wrong too. The download info shows that it was ~5MB.
Also, I can't separate "Total Bytes" for each download. Take a look:
download2.png
Even though I've queried by the specific source port, it showed total bytes for both downloads.

That said, I've taken a look at NagiosNA online demo, and I verified that none of these issues exist. Everything seems to work perfectly. I'm also aware that ASA has a specific kind of (event-driven) Netflow. Are any of these issues caused by a mistake of mine? Or is it just that no one had noticed these issues with ASA so far?

The packets' count issue isn't critical for me and I could totally live with that for quite a while. All of the rest is absolutely critical, though.
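Issues 2 to 4 above can be reproduced from the posted nfdump lines alone. The following is an added example (not the thread's, Nagios NA's or nfdump's code) that parses those lines with nfdump's unit suffixes, sums bytes per nfcapd file, measures the timestamp span, and shows how a decimal-scaled count divided by 1024 twice yields the 624 MB that was displayed. Two assumptions are the example's own: that UPDATE records are increments and the DELETE carries the flow total (drawn only from the posted numbers, where 329.2M + 325.4M + 24.5M matches the DELETE's 679.0M), and that the two trailing columns are in/out bytes, which the thread only calls "bytes". `records`, `transferred_bytes`, `duration_seconds` and `misreported_mib` are hypothetical helper names.

```python
import re
from datetime import datetime

# Constructed sample: the nfdump lines posted in this thread, one string per nfcapd file.
FILE_1535 = """\
2016-09-28 15:37:54.289 CREATE  Ignore TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80           0        0
2016-09-28 15:37:54.289 UPDATE  Ignore TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80         135  329.2 M
2016-09-28 15:38:55.858 UPDATE  Ignore TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80           0  325.4 M
"""
FILE_1540 = """\
2016-09-28 15:39:57.048 UPDATE    2031 TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80           0   24.5 M
2016-09-28 15:37:54.289 DELETE    2031 TCP        1.1.1.1:52356 ->  200.238.171.246:80         1.1.1.1:52356 ->  200.238.171.246:80         135  679.0 M
"""
ISO_SIZE = 679_045_120  # from the wget output above

# nfdump scales by powers of 1000, which is why "679.0 M" matches the 679,045,120-byte ISO.
SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(text):
    """'329.2 M' -> 329200000, '135' -> 135."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised counter {text!r}")
    return int(round(float(m.group(1)) * SCALE.get(m.group(2), 1)))


def parse_line(line):
    """Timestamp, event and the two trailing counters of one nfdump NSEL line."""
    tokens = line.split()
    ts = datetime.strptime(f"{tokens[0]} {tokens[1]}", "%Y-%m-%d %H:%M:%S.%f")
    event = tokens[2]
    if tokens[-1] in SCALE:  # the unit suffix is printed as its own token
        last, rest = parse_count(f"{tokens[-2]} {tokens[-1]}"), tokens[:-2]
    else:
        last, rest = parse_count(tokens[-1]), tokens[:-1]
    prev = parse_count(rest[-1])
    # Assumption: the trailing columns are in-bytes and out-bytes (nfdump NSEL layout).
    return {"ts": ts, "event": event, "in_bytes": prev, "out_bytes": last}


def records(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def transferred_bytes(recs):
    """Assumption from the posted numbers: UPDATEs are increments, a DELETE is the
    flow total. Prefer the DELETE so the total is not counted twice."""
    deletes = [r for r in recs if r["event"] == "DELETE"]
    if deletes:
        return deletes[-1]["in_bytes"] + deletes[-1]["out_bytes"]
    return sum(r["in_bytes"] + r["out_bytes"] for r in recs if r["event"] == "UPDATE")


def duration_seconds(recs):
    """Span between the earliest and latest timestamp in the given records."""
    stamps = [r["ts"] for r in recs]
    return (max(stamps) - min(stamps)).total_seconds()


def misreported_mib(total_bytes):
    """The thread's observation reproduced: a decimal byte count divided by 1024 twice."""
    return total_bytes / 1024 / 1024


if __name__ == "__main__":
    first = records(FILE_1535)
    both = first + records(FILE_1540)
    print("first file only:", transferred_bytes(first), "bytes over",
          round(duration_seconds(first), 3), "s; displayed as",
          round(misreported_mib(transferred_bytes(first))), "MB")
    print("both files:", transferred_bytes(both), "bytes (ISO is", ISO_SIZE,
          ") over", round(duration_seconds(both), 3), "s")
```

Run on the first file alone the numbers come out exactly as described: 654.6 M bytes over 61.569 s, displayed as 624 MB once the decimal count is divided by 1024 twice; adding the second file brings the total to within rounding of the ISO size and the span to over two minutes.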

Re: Zero'd packet count

Posted: Wed Sep 28, 2016 4:10 pm
by reinaldo.gomes
Just as a "fun" sidenote:

"NetFlow data from Cisco Adaptive Security Appliance (ASA) is not supported in this release (3.0) of Prime Infrastructure."
http://www.cisco.com/c/en/us/td/docs/ne ... pi_rn.html

Not even Cisco gets along well with it.