[netflow-tools] Cisco ASA OS 9 flowd errors

Craig Weinhold Craig.Weinhold at cdw.com
Fri Feb 21 15:17:55 EST 2014


NSEL from ASA is quite different from traditional NetFlow, and it changed with ASA 9. Each flow is a bidirectional entity with separate byte/packet counters in each direction (previously there was one total byte counter). There are also new event types -- flow alert and flow update.

ASA 8.x http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/netflow/netflow.html

ASA 9.x  http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/system/netflow/netflow.html

I'd love to see a complete implementation of NSEL in flowd, but that requires changing the output format. You up to the challenge?

-Craig


________________________________
From: netflow-tools [netflow-tools-bounces+craig.weinhold=cdw.com at mindrot.org] on behalf of John Marrett [johnf at zioncluster.ca]
Sent: Thursday, February 20, 2014 8:29 PM
To: netflow-tools at mindrot.org
Subject: [netflow-tools] Cisco ASA OS 9 flowd errors

I'm running a version of flowd 0.9.1 with my ASA patches applied ( http://zioncluster.ca/netflow/asa_patch_2.diff ).

I've recently realized that when running against flows from an ASA running version 9.1(4) (and probably earlier releases in 9) I'm seeing error messages and no data is recorded to disk.

When templates are received I see the following:

NetFlow v.9 template set from 1.1.1.1/0x0 with len 1368:
 Contains template 0x00000000/0x0100 with 21 records (offset 8):
forced deletion of template 0x0100 from peer 1.1.1.1/0x00000000
 Contains template 0x00000000/0x0101 with 21 records (offset 96):
forced deletion of template 0x0101 from peer 1.1.1.1/0x00000000
 Contains template 0x00000000/0x0102 with 21 records (offset 184):
forced deletion of template 0x0102 from peer 1.1.1.1/0x00000000
[...]

Even after receipt of the template I see the following:

netflow v.9 packet (len 1412) 17 recs, source 0x00000000
netflow v.9 data flowset (len 104) source 0x00000000
netflow v.9 data flowset without template 1.1.1.1/0x00000000/0x0100
netflow v.9 data flowset (len 68) source 0x00000000
netflow v.9 data flowset without template 1.1.1.1/0x00000000/0x0107
netflow v.9 data flowset (len 104) source 0x00000000
[...]

When I compare it with another host running an older version I see different log information.

NetFlow v.9 template set from 1.1.1.2/0x0 with len 992:
 Contains template 0x00000000/0x0100 with 21 records (offset 8):
 Contains template 0x00000000/0x0101 with 21 records (offset 96):
 Contains template 0x00000000/0x0102 with 17 records (offset 184):
 Contains template 0x00000000/0x0103 with 17 records (offset 256):
 Contains template 0x00000000/0x0104 with 18 records (offset 328):
 Contains template 0x00000000/0x0105 with 14 records (offset 404):
 Contains template 0x00000000/0x0106 with 14 records (offset 464):
 Contains template 0x00000000/0x0107 with 18 records (offset 524):
 Contains template 0x00000000/0x0108 with 14 records (offset 600):
forced deletion of template 0x0108 from peer 1.1.1.2/0x00000000
 Contains template 0x00000000/0x0109 with 22 records (offset 660):
forced deletion of template 0x0109 from peer 1.1.1.2/0x00000000
 Contains template 0x00000000/0x010a with 22 records (offset 752):
forced deletion of template 0x010a from peer 1.1.1.2/0x00000000
 Contains template 0x00000000/0x010b with 18 records (offset 844):
forced deletion of template 0x010b from peer 1.1.1.2/0x00000000
 Contains template 0x00000000/0x010c with 18 records (offset 920):

I note that with the newer release of the ASA code none of the template records are accepted, while with the older version only a few of them are force-deleted.

Does anyone have any idea what may be happening here?

I am ready to provide samples off list and perform any debugging requested. If it's possible to receive and parse the template and post it publicly so we can compare the two versions, I'd be more than happy to.

I'm eager to solve the problem and ready to do whatever it takes to address it.

Thanks in advance,

-JohnF
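The two messages above turn on how a NetFlow v9 template flowset is laid out (the "template ... with N records (offset M)" lines in John's log) and on what an ASA 9 NSEL record carries (the per-direction counters Craig describes). The following is an added example, not flowd code and not the ASA's actual template: it encodes and parses a v9 template flowset per RFC 3954, computes each template's data record length, reports which field types it does not recognize instead of discarding the template, and shows the "data flowset without template" condition. The 21-field template, the small field-name table and the vendor-style field IDs above 33000 are constructed for illustration; the post does not say why flowd force-deletes the ASA 9 templates, and this code makes no claim about that.

```python
"""
NetFlow v9 template flowset parser (layout per RFC 3954).

Added example for this thread; it is not flowd code and not an ASA
template. It lays out a template flowset, computes each template's data
record length, and reproduces the "template / records / offset" view in
the flowd log lines so the numbers in the thread can be checked by hand.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Subset of IPFIX/NetFlow v9 information element IDs, assumed from the
# IANA registry; used only to label fields in the report.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 148: "flowId", 231: "initiatorOctets",
    232: "responderOctets", 233: "firewallEvent", 298: "initiatorPackets",
    299: "responderPackets", 323: "observationTimeMilliseconds",
}

Template = List[Tuple[int, int]]  # (field_type, field_length) pairs

# Constructed 21-field template in the spirit of ASA 9 NSEL: one record per
# bidirectional flow with separate initiator/responder byte and packet
# counters. Field IDs >= 33000 are placeholders for vendor-specific types a
# collector may not know; this is NOT the documented ASA field list.
NSEL_LIKE: Template = [
    (8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2), (148, 4),
    (233, 1), (323, 8), (231, 8), (232, 8), (298, 8), (299, 8),
    (22, 4), (21, 4), (33000, 12), (33001, 12), (33002, 2),
    (40000, 20), (40005, 1),
]
EXAMPLE_TEMPLATES: Dict[int, Template] = {
    0x0100: NSEL_LIKE,
    0x0101: NSEL_LIKE[:17],
}


def build_template_set(templates: Dict[int, Template]) -> bytes:
    """Encode a v9 template flowset: flowset id 0, total length, then
    (template id, field count, field type/length pairs) per template."""
    body = b"".join(
        struct.pack("!HH", tid, len(fields))
        + b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
        for tid, fields in templates.items()
    )
    return struct.pack("!HH", 0, 4 + len(body)) + body


def parse_template_set(data: bytes, source_id: int = 0) -> dict:
    """Parse a template flowset into {(source_id, template_id): info}.
    Bounds are checked before every read so a short or oversized length
    field cannot make the parser run past the buffer."""
    if len(data) < 4:
        raise ValueError("short flowset header")
    flowset_id, length = struct.unpack("!HH", data[:4])
    if flowset_id != 0:
        raise ValueError(f"flowset id {flowset_id} is not a template set")
    if length < 4 or length > len(data):
        raise ValueError(f"bad flowset length {length}")
    templates = {}
    off = 4
    # Flowsets are padded to 4 bytes; stop when no full template header is left.
    while off + 4 <= length:
        tid, count = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + count * 4 > length:
            raise ValueError(f"template 0x{tid:04x} runs past flowset end")
        fields = [struct.unpack("!HH", data[off + 4 * i:off + 4 * i + 4])
                  for i in range(count)]
        templates[(source_id, tid)] = {
            "fields": fields,
            "record_len": sum(flen for _, flen in fields),
            "field_offset": off,  # byte offset of the first field spec
            "unknown": [t for t, _ in fields if t not in FIELD_NAMES],
        }
        off += count * 4
    return templates


def report(templates: dict) -> List[str]:
    """One line per template in the style of the flowd log output."""
    return [
        f"template 0x{sid:08x}/0x{tid:04x} with {len(info['fields'])} "
        f"records (offset {info['field_offset']}), data record "
        f"{info['record_len']} bytes, {len(info['unknown'])} unknown field type(s)"
        for (sid, tid), info in templates.items()
    ]


def records_in_data_flowset(templates: dict, data: bytes,
                            source_id: int = 0) -> Optional[int]:
    """Return how many records a data flowset carries under its template,
    or None when the template was never seen (the 'data flowset without
    template' case in the thread)."""
    if len(data) < 4:
        raise ValueError("short flowset header")
    flowset_id, length = struct.unpack("!HH", data[:4])
    info = templates.get((source_id, flowset_id))
    if info is None or info["record_len"] == 0:
        return None
    return (min(length, len(data)) - 4) // info["record_len"]


if __name__ == "__main__":
    ts = parse_template_set(build_template_set(EXAMPLE_TEMPLATES))
    for line in report(ts):
        print(line)
```

The offsets the parser reports match the log lines in the thread: the first template's field list starts at byte 8 (4-byte flowset header plus 4-byte template header), and a 21-field template occupies 84 bytes, so the next one starts at 8 + 84 + 4 = 96. The older ASA's 992-byte set checks the same way: 13 templates with 234 field specs in total give 4 + 13*4 + 234*4 = 992.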