Setting Up NetFlow on ASA

[rpearson]

We have been using the NagiosXI product and are on a trial of Network Analyzer right now. I seem to be having some trouble getting Netflow data moving. The server is on the same subnet so I don't think the firewall should be having any affect on this. I have attached screen shots of my ASDM and Network Analzyer config. Some key points.

NA server is as 10.0.0.55
Port I am using as I understand this is arbitrary as long as its above 1024? Is 3000

The gateway of the firewall is 10.0.0.254 I added 10.0.0.253 here as well as we have them working in an Active/Passive failover pair.

With the way this is set it just isn't collecting any data and I don't understand why.

[scottwilkerson]

It could be a class-map or policy map missing...

We have an example of the terminal version for the ASA on page 3 of the following doc
https://assets.nagios.com/downloads/nag ... alyzer.pdf

[rpearson]

I undid my ASDM change and followed the command line procedure. Some issues I ran into.

When I entered the flow-export delay flow-create 60 line I got this message.

WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation event.

Also this line I had to modify (access-list netflow-export extended permit any any)

I used this (access-list netflow-export extended permit ip any any as it wanted a service denoted. Instead of IP can I just use the 3000 port that I specified as my port?

Regardless after doing this I am still not getting any flow data.

[rpearson]

I just had a quick WebEx session and we are still stuck. I was told to post this PCAP here.

EDIT - Uploaded now sorry it didn't like the pcap file

[cdienger]

Looks like there was a problem attaching it. Please try attaching it again.

[cdienger]

There appears to be an issue with the sending device. The tcpdump shows the device is sending template information for the flow data but not actually sending the flow data. Use the steps in https://helpdesk.kaseya.com/hc/en-gb/ar ... -WireShark to see the behavior.

I would check with the device's config and support if needed to verify that it is setup properly.

[rpearson]

Cisco says the ASA is sending the correct information. I really don't know what to do at this point.

[cdienger]

Were they able to show the data getting the NNA machine somehow? Let's get a fresh tcpdump taken on the NNA system:

Code: Select all

tcpdump -s 0 -i any port 3000 -w output.pcap

Let it run a few minutes before stopping it with CTRL+C and sending me the output.pcap file in a private message.

[rpearson]

Not sure what is different but I am able to get Netflow data to go to my Solarwinds install I am also trying to test out. So it appears to be running. Although they also seem to use SNMP in conjunction with it. I was hoping if that one worked NagiosNA would magically work to but no dice. I will try that command you just posted.

[ssax]

We'll keep an eye out for your update, we'll need to see that tcpdump to see what the device is sending in. I would let it run for about 5 minutes at least.

What is the output of this command?

Code: Select all

netstat -ano | grep 3000

If netstat isn't installed you can do this to install it:

Code: Select all

yum install net-tools -y