Caligare NetFlow - Knowledgebase



Cisco ASA and NetFlow

Several of our customers use Cisco ASA devices and have tried to export NetFlow v9 to Caligare Flow Inspector without success. After debugging we found the cause: the ASA NetFlow export is missing the packet-count field. The number of packets is essential for CFI; without it, users cannot produce most of the statistics. NetFlow Security Event Logging, or NetFlow Event Logs (NELs), as used by Cisco ASA, is not about traffic in and out of an interface. It is closer to syslog logging and RMON. Three event types can trigger a NetFlow record: flow-create, flow-denied and flow-teardown. Each of these types has a different flow template, but none of them exports a packet count. See the NetFlow packet dump below.

Fig.: Wireshark packet dump of a NetFlow export from a Cisco ASA


The result is that Caligare Flow Inspector is NOT compatible with Cisco ASA because the packet field is missing. We hope Cisco will add a packet field in one of the next releases.
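As an added example (not Caligare's or Cisco's code), the following Python parser reads the template flowsets of a NetFlow v9 export packet and reports which templates carry no IN_PKTS field (field type 2), which is the check a collector would apply to detect the situation described above. The sample packet is constructed here; template 257 merely imitates an event-style template without a packet count and is not a real ASA template.

```python
import struct

IN_PKTS = 2  # NetFlow v9 field type for the packet counter (RFC 3954)

def parse_v9_templates(packet: bytes) -> dict:
    """Return {template_id: [field_type, ...]} for every template flowset
    (flowset id 0) in a NetFlow v9 export packet; data flowsets are skipped."""
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    templates, off = {}, 20  # 20-byte v9 header precedes the flowsets
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[off:off + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + length]
        if flowset_id == 0:  # template flowset; may hold several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if nfields == 0:  # trailing padding, not a template
                    break
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])[0]
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        off += length
    return templates

def templates_missing_packet_count(packet: bytes) -> list:
    """Template ids a counter-based collector cannot use (no IN_PKTS)."""
    return sorted(tid for tid, f in parse_v9_templates(packet).items() if IN_PKTS not in f)

# Constructed helper: build a v9 packet holding one template flowset.
FIELD_LEN = {8: 4, 12: 4, 7: 2, 11: 2, 4: 1, 1: 4, 2: 4}  # type -> bytes on the wire

def build_v9_packet(templates: dict) -> bytes:
    body = b"".join(struct.pack("!HH", tid, len(f)) +
                    b"".join(struct.pack("!HH", t, FIELD_LEN.get(t, 4)) for t in f)
                    for tid, f in templates.items())
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    header = struct.pack("!HHIIII", 9, len(templates), 0, 0, 0, 0)
    return header + flowset

# Constructed sample: 256 is a router-style template with IN_BYTES(1) and IN_PKTS(2);
# 257 carries src/dst address, ports and protocol but no packet counter.
SAMPLE = build_v9_packet({256: [8, 12, 7, 11, 4, 1, 2], 257: [8, 12, 7, 11, 4]})

if __name__ == "__main__":
    print("templates without IN_PKTS:", templates_missing_packet_count(SAMPLE))
```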

More sources:
Cisco ASA - NetFlow Collectors
Monitoring the Security Appliance

As an alternative you can use FlowMon probes. The probe sniffs all traffic going through the line. The main advantage of a probe is its ability to analyze every packet at wire speed up to 10 Gbps; it is invisible at L2/L3 and can be connected at any point of your network. The probe can be connected to the user network in three ways: via a mirrored port (SPAN), via an Ethernet splitter (TAP), or via a built-in splitter. See http://www.caligare.com/product/flowmon/ for more information about probes.
