[netflow-tools] Cisco ASA OS 9 flowd errors
John Marrett
johnf at zioncluster.ca
Sat Feb 22 13:38:27 EST 2014
I'm somewhat pleased to announce the first version of my patch for ASA 9
support [1] . Unfortunately it is far from complete. In fact, it's only
marginally usable.
The initial problems were caused by the ASA 9 templates massively exceeded
the value of DEFAULT_MAX_TEMPLATES, I have increased it to 1024 and it can
now process the full template load.
I think there is some confusion between DEFAULT_MAX_TEMPLATES templates,
which appears to be intended to be a counter of the number of templates,
however seems to actually be the maximum number of fields. There is also a
value for DEFAULT_MAX_TEMPLATE_LEN which appears to be intended to be a
counter of the number of template fields, possibly per template. The first
template from the ASA in version 9 contains a large number of fields it
can't be processed and it starts aborting immediately reporting the "forced
deletion of template 0x0100 from peer" error.
Unfortunately this is where the first ASA 9 patch begins and also ends. It
will report all flows as 0 packet, 0 bytes. My next update should implement
processing of update fields as Craig has proposed. It will work based on
only processing update events [1] and by handling the two new ASA packet
counters.
Hopefully more to come this weekend.
[1] http://zioncluster.ca/netflow/asa-9-patch-1.diff
[2]
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/system/netflow/netflow.html#wp1028202
-JohnF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mindrot.org/pipermail/netflow-tools/attachments/20140221/318d7d1e/attachment.html>
More information about the netflow-tools
mailing list