From johnf at zioncluster.ca  Sun Nov  9 04:27:45 2014
From: johnf at zioncluster.ca (John Marrett)
Date: Sat, 8 Nov 2014 12:27:45 -0500
Subject: [netflow-tools] Cisco ASA OS 9 flowd errors
In-Reply-To: <CAAafysE-iaNdA6kzWPb1VVMeYexRc5SaG-gMnboOfrYR_6UuoA@mail.gmail.com>
References: <CAAafysH4Nay5XzDbeYhvy4LFNge+ByGVm_5o-gvMTtyO0z5vvA@mail.gmail.com>
 <480523C07F950444BE371E85152C87C0121AC2AD@EXMBD6VH.corp.cdw.com>
 <CAAafysF1iWgjkLMFL8sBru14Se6rDWxYrAZTHbzxq=DcQCYORg@mail.gmail.com>
 <480523C07F950444BE371E85152C87C0121AC2F6@EXMBD6VH.corp.cdw.com>
 <CAAafysE-iaNdA6kzWPb1VVMeYexRc5SaG-gMnboOfrYR_6UuoA@mail.gmail.com>
Message-ID: <CAAafysHaq0XWpiXNrMemqB3z36pKRQ-xi1SKyP4GpEKPkPFh5Q@mail.gmail.com>

I've updated the patch [1] (it was completely broken), there's no change in
functionality but it should build now.

If you have any issues please let me know on list.

[1] http://zioncluster.ca/netflow/asa-9-patch-1.diff

Thanks,

-JohnF

On Fri, Feb 21, 2014 at 9:38 PM, John Marrett <johnf at zioncluster.ca> wrote:

> I'm somewhat pleased to announce the first version of my patch for ASA 9
> support [1] . Unfortunately it is far from complete. In fact, it's only
> marginally usable.
>
> The initial problems were caused by the ASA 9 templates massively exceeded
> the value of DEFAULT_MAX_TEMPLATES, I have increased it to 1024 and it can
> now process the full template load.
>
> I think there is some confusion between DEFAULT_MAX_TEMPLATES templates,
> which appears to be intended to be a counter of the number of templates,
> however seems to actually be the maximum number of fields. There is also a
> value for DEFAULT_MAX_TEMPLATE_LEN which appears to be intended to be a
> counter of the number of template fields, possibly per template. The first
> template from the ASA in version 9 contains a large number of fields it
> can't be processed and it starts aborting immediately reporting the "forced
> deletion of template 0x0100 from peer" error.
>
> Unfortunately this is where the first ASA 9 patch begins and also ends. It
> will report all flows as 0 packet, 0 bytes. My next update should implement
> processing of update fields as Craig has proposed. It will work based on
> only processing update events [1] and by handling the two new ASA packet
> counters.
>
> Hopefully more to come this weekend.
>
> [1] http://zioncluster.ca/netflow/asa-9-patch-1.diff
> [2]
> http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/system/netflow/netflow.html#wp1028202
>
> -JohnF
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mindrot.org/pipermail/netflow-tools/attachments/20141108/782dbd15/attachment.html>