[netflow-tools] Cisco ASA OS 9 flowd errors

John Marrett johnf at zioncluster.ca
Fri Feb 21 13:29:41 EST 2014


I'm running a version of flowd 0.9.1 with my ASA patches applied
(http://zioncluster.ca/netflow/asa_patch_2.diff).

I've recently realized that when running against flows from ASA running
versions of 9.1(4) (and probably earlier releases in 9) I'm seeing error
messages and no data is recorded to disk.

When templates are received I see the following:

NetFlow v.9 template set from 1.1.1.1/0x0 with len 1368:
 Contains template 0x00000000/0x0100 with 21 records (offset 8):
forced deletion of template 0x0100 from peer 1.1.1.1/0x00000000
 Contains template 0x00000000/0x0101 with 21 records (offset 96):
forced deletion of template 0x0101 from peer 1.1.1.1/0x00000000
 Contains template 0x00000000/0x0102 with 21 records (offset 184):
forced deletion of template 0x0102 from peer 1.1.1.1/0x00000000
[...]

Even after receipt of the template I see the following:

netflow v.9 packet (len 1412) 17 recs, source 0x00000000
netflow v.9 data flowset (len 104) source 0x00000000
netflow v.9 data flowset without template 1.1.1.1/0x00000000/0x0100
netflow v.9 data flowset (len 68) source 0x00000000
netflow v.9 data flowset without template 1.1.1.1/0x00000000/0x0107
netflow v.9 data flowset (len 104) source 0x00000000
[...]

When I compare it with another host running an older version I see
different log information.

NetFlow v.9 template set from 1.1.1.2/0x0 with len 992:
 Contains template 0x00000000/0x0100 with 21 records (offset 8):
 Contains template 0x00000000/0x0101 with 21 records (offset 96):
 Contains template 0x00000000/0x0102 with 17 records (offset 184):
 Contains template 0x00000000/0x0103 with 17 records (offset 256):
 Contains template 0x00000000/0x0104 with 18 records (offset 328):
 Contains template 0x00000000/0x0105 with 14 records (offset 404):
 Contains template 0x00000000/0x0106 with 14 records (offset 464):
 Contains template 0x00000000/0x0107 with 18 records (offset 524):
 Contains template 0x00000000/0x0108 with 14 records (offset 600):
forced deletion of template 0x0108 from peer 1.1.1.2/0x00000000
 Contains template 0x00000000/0x0109 with 22 records (offset 660):
forced deletion of template 0x0109 from peer 1.1.1.2/0x00000000
 Contains template 0x00000000/0x010a with 22 records (offset 752):
forced deletion of template 0x010a from peer 1.1.1.2/0x00000000
 Contains template 0x00000000/0x010b with 18 records (offset 844):
forced deletion of template 0x010b from peer 1.1.1.2/0x00000000
 Contains template 0x00000000/0x010c with 18 records (offset 920):

I note that with the newer release of the ASA code none of the
template records are accepted, while with the older version only a few of
them are force deleted.

Does anyone have any idea what may be happening here?

I am ready to provide samples off-list and perform any debugging requested.
If it's possible to receive and parse the template and post it publicly so
we can compare the two versions I'd be more than happy to.

I'm eager to solve the problem and ready to do whatever it takes to address
it.

Thanks in advance,

-JohnF
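As an added illustration (not code from the original post, nor from flowd), the following Python walks a NetFlow v9 template FlowSet the way the log lines above describe it: a 4-byte FlowSet header, then per template a 2-byte ID, a 2-byte field count and 4 bytes per field. It is built from the record counts quoted for 1.1.1.2 (the field types and lengths are constructed placeholders, not the real ASA field list) and reproduces the offset sequence 8, 96, 184, ... and the 992-byte length from that log; the per-(peer, source ID, template ID) cache is an assumption about how a collector scopes templates, mirroring the keys flowd prints.

```python
import struct

# Field counts of the 13 templates in the 1.1.1.2 template set quoted above.
TEMPLATE_FIELD_COUNTS = [21, 21, 17, 17, 18, 14, 14, 18, 14, 22, 22, 18, 18]

def build_template_flowset(field_counts, first_id=0x0100):
    """Construct a NetFlow v9 template FlowSet (FlowSet ID 0)."""
    body = b""
    for n, count in enumerate(field_counts):
        body += struct.pack("!HH", first_id + n, count)
        # Constructed field specifiers: type k, length 4 (real ASA templates differ).
        for k in range(1, count + 1):
            body += struct.pack("!HH", k, 4)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def parse_template_flowset(flowset):
    """Return [(template_id, field_count, offset, fields)] for one template FlowSet.
    'offset' is where a template's field list starts, relative to the FlowSet
    start, which reproduces flowd's "(offset 8)", "(offset 96)", ... lines."""
    set_id, length = struct.unpack("!HH", flowset[:4])
    if set_id != 0 or length > len(flowset):
        raise ValueError("not a well-formed template FlowSet")
    templates, pos = [], 4
    while pos + 4 <= length:  # trailing bytes shorter than a header are padding
        template_id, count = struct.unpack("!HH", flowset[pos:pos + 4])
        pos += 4
        if pos + 4 * count > length:
            raise ValueError("template 0x%04x runs past FlowSet length" % template_id)
        fields = [struct.unpack("!HH", flowset[pos + 4 * i:pos + 4 * i + 4])
                  for i in range(count)]
        templates.append((template_id, count, pos, fields))
        pos += 4 * count
    return templates

class TemplateCache:
    """Templates scoped per (exporter, source_id, template_id), as in flowd's log keys."""
    def __init__(self):
        self.templates = {}

    def learn(self, peer, source_id, flowset):
        for template_id, _count, _offset, fields in parse_template_flowset(flowset):
            self.templates[(peer, source_id, template_id)] = fields

    def record_length(self, peer, source_id, template_id):
        """Bytes per data record, or None when the collector has no template
        for this key (the "data flowset without template" situation)."""
        fields = self.templates.get((peer, source_id, template_id))
        if fields is None:
            return None
        return sum(length for _type, length in fields)
```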