Nagios Support Forum

so did it help anyone ?

We will have to wait and see. Sometimes it takes a while for people to get back to us.

Strange...have a same problem...collecting netflow from ASA firewall...have all permisions...have all time synced...have nfdump files ....

What I observe that I don't have TIme Window in nfdump files...and I have for some events timestamp 1970....



Any help!

fisko, are you reading the files with "nfdump -r nfcapd.DUMPDATE" and it's showing no date/time? Is it doing this for all of the files or did this just start happening?

yes I read the files...it is happening from the beginning...

1970-01-01 01:00:00.318 -0.318 TCP 192.168.83.12:60927 -> 10.37.100.4:771 0 0 1
2015-04-02 02:39:29.375 0.000 TCP 192.168.83.35:1991 -> 192.168.1.4:445 0 0 1
2015-04-02 02:39:29.375 0.000 TCP 192.168.83.35:1992 -> 192.168.1.4:139 0 0 1
2015-04-02 02:39:29.375 0.000 UDP 192.168.83.35:1993 -> 192.168.1.4:88 0 0 1
2015-04-02 02:39:29.385 0.000 TCP 192.168.83.35:1994 -> 192.168.1.4:88 0 0 1
2015-04-02 02:39:29.405 0.000 TCP 192.168.83.35:1995 -> 192.168.1.10:80 0 0 1
2015-04-02 02:39:29.475 0.000 TCP 192.168.83.35:1996 -> 192.168.1.4:445 0 0 1
2015-04-02 02:39:29.475 0.000 TCP 192.168.83.35:1997 -> 192.168.1.4:139 0 0 1
2015-04-02 02:39:29.475 0.000 UDP 192.168.83.35:1998 -> 192.168.1.4:88 0 0 1
2015-04-02 02:39:29.475 0.000 TCP 192.168.83.35:1999 -> 192.168.1.4:88 0 0 1
2015-04-02 02:39:59.510 0.000 UDP 192.168.85.25:51485 -> 192.168.1.10:53 0 47 1
2015-04-02 02:39:29.495 0.000 TCP 192.168.83.35:2000 -> 192.168.1.10:80 0 0 1
2015-04-02 02:39:29.545 0.000 TCP 192.168.83.35:2001 -> 192.168.1.4:445 0 0 1
2015-04-02 02:39:29.545 0.000 TCP 192.168.83.35:2002 -> 192.168.1.4:139 0 0 1
2015-04-02 02:39:29.555 0.000 UDP 192.168.83.35:2003 -> 192.168.1.4:88 0 0 1
Summary: total flows: 15335, total bytes: 4712358, total packets: 0, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: Time Window unknown
Total flows processed: 15335, Blocks skipped: 0, Bytes read: 920344

Can you run the following on the NA system and post back the results? Could you post how your Cisco ASA is setup to send the flows so we can review it?
Maybe the template isn't getting sent to the NA server.

[root@localhost ~]# date
Fri Apr 3 08:15:30 CEST 2015
[root@localhost ~]# ll /etc/localtime
lrwxrwxrwx 1 root root 37 Apr 3 08:14 /etc/localtime -> ../usr/share/zoneinfo/Europe/Sarajevo
[root@localhost ~]# grep date.timezone /etc/php.ini
; http://php.net/date.timezone
date.timezone = Europe/Sarajevo
[root@localhost ~]# grep ZONE /etc/sysconfig/clock
grep: /etc/sysconfig/clock: No such file or directory

ASA have fixed template for netflow and by default it exports it every 30 minutes...

Here is the ASA part


flow-export destination inside 192.168.1.53 2055
flow-export template timeout-rate 5
flow-export delay flow-create 30
flow-export active refresh-interval 2

class global-class
flow-export event-type all destination 192.168.1.53

THANKS!

Totally ASA issue...I send netflow from router and I get the data...

What I observe...I saw netflow packet count on ASA 51xxxx and when I nfdump files in analyzer I saw packet count 0...I assume that is why I don't have no data found...

THANKS!

Well it seems that must be used particular version of nfdump that can read ASA netflow v9 format

http://comments.gmane.org/gmane.network ... eneral/767

THANKS!

What version of Network Analyzer are you running?
The latest version is running nfdump: Version: 1.6.13
Try upgrading and see if that fixes it for you.