
Cisco ASA Netflow Monitor (no data since startup)

Votes:

0

Hello,

I am using a Cisco ASA 5510 and PRTG to monitor it. It works well with sensors configured using SNMP (SNMP Cisco ASA VPN users etc...) but I have configured ASA to export Netflow and it looks like something is wrong.

ASA only supports Netflow V9, so I used this sensor template. I tried Wireshark and I can see the UDP packets on the target machine, then I tried Netflow Tester (https://www.paessler.com/tools/netflowtester) and it seems the data has arrived at the application layer as well.

The only difference was that the configuration example below suggests setting Active Timeout to zero, but I couldn't manage it, so I have used one (1). It should not be a problem, as far as I know ASA does not support this feature, but it just disfigures the graphs. https://kb.paessler.com/en/topic/1423-how-to-monitor-cisco-asa-firewalls-using-netflow-9-and-prtg

This device is working as a VPN GW, so 99% of the connections go through an L2L VPN. The ASA encrypts/decrypts these connections, so I can see them in the connection list but not a single piece of data in PRTG.

Does anybody have any idea what the problem is?

OS: Windows 2012 server; PRTG ver. 16.3.24.5302; Template: Netflow V9; ASA ver. 9.1.(4)

cisco-asa-vpn ciscoasa netflow-v9 vpn

Created on Aug 8, 2016 3:16:09 PM



Best Answer

Accepted Answer

Votes:

1

Hello!

We have solved the problem. First of all, the server received NetFlow v9 packets but the decoded side was empty. The reason for this was the following config on the ASA:

  • flow-export template timeout-rate 1
  • flow-export delay flow-create 20

Because of this config the ASA sends NetFlow packets even if these are "empty", so there was no useful data in them. Because of the ASA SW version we have to use the following command in global configuration mode: flow-export enable.

It does not show up in the running-config after all, and it makes a config change under the global policy-map default class. ASA does not support service-policy regarding NetFlow, just the global policy. After all, we have deleted that default class and made our own under the global policy-map.

Here is the working configuration:

access-list NETFLOW-EXPORT extended permit ip [source] [destination]
!
flow-export destination inside [destination IP] [destination port]
flow-export template timeout-rate 1
flow-export delay flow-create 20
flow-export enable
!
logging flow-export-syslogs disable
!
class-map NetFlow-traffic
  match access-list NETFLOW-EXPORT
!
policy-map global_policy
  class NetFlow-traffic
   flow-export event-type all destination [destination IP]

Thank you for your help.

BR, Sandor

Created on Aug 10, 2016 12:54:34 PM

Last change on Aug 11, 2016 10:57:48 AM by Torsten Lindner [Paessler Support]
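The diagnostic situation in this thread is a common one: Wireshark and Netflow Tester confirm UDP datagrams arriving, yet the collector decodes nothing, because the exporter is sending template flowsets with no data records behind them. The following is an added example (not Paessler's code, not part of the original answer, and not taken from an ASA capture): a minimal NetFlow v9 (RFC 3954) decoder that separates templates learned from data records decoded, so a collector-side check can tell "no packets" apart from "packets but no flows". The two sample export packets are constructed inline; field type ids 1, 2, 8 and 12 are the RFC 3954 values for IN_BYTES, IN_PKTS, IPV4_SRC_ADDR and IPV4_DST_ADDR, and the sysUptime, unixSecs and sourceId header values are arbitrary.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Added example: a minimal NetFlow v9 (RFC 3954) decoder that reports whether an
# export packet carried only templates or actual flow records. All sample packets
# below are constructed here; nothing is captured from a real ASA.

NETFLOW_V9 = 9
HEADER_LEN = 20          # version, count, sysUptime, unixSecs, sequence, sourceId
TEMPLATE_FLOWSET_ID = 0
OPTIONS_TEMPLATE_ID = 1

# Field type ids from RFC 3954 used in the constructed template
IN_BYTES, IN_PKTS, IPV4_SRC_ADDR, IPV4_DST_ADDR = 1, 2, 8, 12
FIELD_NAMES = {IN_BYTES: "bytes", IN_PKTS: "packets",
               IPV4_SRC_ADDR: "src", IPV4_DST_ADDR: "dst"}


@dataclass
class Summary:
    templates_learned: int = 0
    option_flowsets: int = 0
    data_flowsets_without_template: int = 0
    records: list = field(default_factory=list)

    @property
    def data_records(self):
        return len(self.records)


def decode_field(ftype, raw):
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one export packet. `templates` (template_id -> [(type, length), ...])
    is shared across calls: a collector can decode a data flowset only after it has
    seen the matching template, which is why template-only exports look like
    'packets arrive, nothing decoded'."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than NetFlow v9 header")
    version = struct.unpack("!HHIIII", packet[:HEADER_LEN])[0]
    if version != NETFLOW_V9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    summary, off = Summary(), HEADER_LEN
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length does not fit in packet")
        body = packet[off + 4:off + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0:              # zero padding at the end of the flowset
                    break
                if pos + 4 * nfields > len(body):
                    raise ValueError("template record truncated")
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
                summary.templates_learned += 1
        elif fs_id == OPTIONS_TEMPLATE_ID:
            summary.option_flowsets += 1
        elif fs_id >= 256:                    # data flowset, id is the template id
            fields = templates.get(fs_id)
            if fields is None:
                summary.data_flowsets_without_template += 1
            else:
                rec_len = sum(length for _, length in fields)
                for start in range(0, len(body) - rec_len + 1, rec_len) if rec_len else []:
                    rec, p = {}, start
                    for ftype, length in fields:
                        rec[FIELD_NAMES.get(ftype, f"type{ftype}")] = decode_field(ftype, body[p:p + length])
                        p += length
                    summary.records.append(rec)
        off += fs_len
    return summary


# --- constructed sample packets -------------------------------------------------
def build_header(record_count, sequence):
    return struct.pack("!HHIIII", NETFLOW_V9, record_count, 123456, 1470833000, sequence, 0)

def build_template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body

def build_data_flowset(template_id, records):
    body = b"".join(records)
    pad = (-len(body)) % 4                    # flowsets are padded to 32-bit boundaries
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + bytes(pad)

FLOW_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_BYTES, 4), (IN_PKTS, 4)]

def flow_record(src, dst, nbytes, npkts):
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + struct.pack("!II", nbytes, npkts)

# Packet 1: a template-only export, the "empty" case described in the answer above
TEMPLATE_ONLY_PACKET = build_header(1, 1) + build_template_flowset(256, FLOW_FIELDS)
# Packet 2: a data export referencing template 256 with two constructed flows
DATA_PACKET = build_header(2, 2) + build_data_flowset(256, [
    flow_record("10.0.0.1", "192.0.2.10", 1500, 10),
    flow_record("10.0.0.2", "192.0.2.20", 64000, 42),
])


def diagnose(packets):
    """Feed packets in arrival order; return per-packet summaries and a verdict."""
    templates = {}
    summaries = [parse_v9(p, templates) for p in packets]
    total = sum(s.data_records for s in summaries)
    verdict = ("packets arrive but carry no decodable flow records" if total == 0
               else f"{total} flow records decoded")
    return summaries, verdict
```

Running `diagnose([TEMPLATE_ONLY_PACKET])` reproduces the symptom from the question (one template learned, zero records), while `diagnose([TEMPLATE_ONLY_PACKET, DATA_PACKET])` decodes both flows; feeding the data packet alone shows the third failure mode, a data flowset arriving before its template, which a collector must also tolerate.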



3 Replies

Votes:

0

Hello Sandor,

Please run the Netflow testing again and forward a screenshot of the results. This will help us to determine if the flows can be used in PRTG.

Best regards, Felix

Created on Aug 10, 2016 11:17:47 AM by Felix Saure [Paessler Support]





Votes:

0

Hello Sandor,

Thank you very much for sharing your findings! I'm sure that this will help other users a lot!

Best regards, Felix

Created on Aug 11, 2016 7:57:11 AM by Felix Saure [Paessler Support]
