SolarWinds Technical Reference




Understanding Cisco ASA NetFlow

Contents
  Cisco Adaptive Security Appliance (ASA) NetFlow Overview
  Understanding the Implementation Requirements
  Troubleshooting ASA NetFlow

This Technical Reference focuses on Cisco's implementation of NetFlow for ASA devices.

Copyright 1995-2011 SolarWinds. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its licensors. SolarWinds Orion, SolarWinds Cirrus, and SolarWinds Toolset are trademarks of SolarWinds, and SolarWinds.net and the SolarWinds logo are registered trademarks of SolarWinds. All other trademarks contained in this document and in the Software are the property of their respective owners. SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Microsoft and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Graph Layout Toolkit and Graph Editor Toolkit 1992-2001 Tom Sawyer Software, Oakland, California. All Rights Reserved. Portions Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

Document Revised: 04/29/2011

Cisco Adaptive Security Appliance (ASA) NetFlow Overview

NetFlow configuration and operation on ASA devices is very different from typical NetFlow. ASA devices began supporting NetFlow as of ASA software version 8.1(2), but there were several issues with that release. The 8.2(2) and later releases provide a much more robust NetFlow implementation.

An Internet search for ASA NetFlow yields a mountain of information, and if you are not familiar with NetFlow v9 or ASAs it can be information overload. This paper provides guidance and insight for the implementation, interpretation, and troubleshooting of NetFlow on ASA appliances. Its goal is to highlight and explain the important information about ASA NetFlow so that you can implement it with confidence.

The following table explores some of the main differences between ASA NetFlow and most other NetFlow implementations.

Feature                 Typical NetFlow                                ASA NetFlow
----------------------  ---------------------------------------------  ---------------------------------------------
Version support         v5 and v9                                      v9 with fixed templates
Flow export trigger     TCP RST or FIN flags detected, flow timers,    Network Security Event Logging (NSEL)
                        cache full                                     detects a state change in a flow
Implementation          Independent CLI commands or SNMP set           Independent CLI commands for templates;
                        commands                                       Modular Policy Framework for flow definitions
NetFlow show commands   Expose detailed interface and exporter         Limited; see the ASA Command Reference
                        statistics
Directionality          Interface ingress and egress                   All flows are shown without a direction
                                                                       marker (also referred to as bidirectional)

Here is a brief description of the terms specific to NetFlow v9 and the ASA implementation.

The ASA device is the NetFlow exporter. The Orion NetFlow Traffic Analyzer is the NetFlow collector.

A flow template is exported by the NetFlow exporter and sent to the NetFlow collector. Templates are used as parsers by the collector to define the fields in the flow data exports. Templates carry no actual flow data; they only tell the collector how to interpret flow data. NetFlow v9 uses flow templates to define flow data much as SNMP uses MIBs to define SNMP data.

Flow data packets carry only flow information. Templates and flow data are never mixed within a single packet. Both flow data packets and flow template packets must be received by the NetFlow collector in order to display ASA NetFlow information on the NetFlow Traffic Analyzer web console. Both template packets and flow data packets can contain up to 30 separate records. These records are sometimes referred to as Protocol Data Units (PDUs).

Network Security Event Logging (NSEL) is the method ASAs use to trigger flow exports. Three event types are defined by NSEL:
  Flow creation
  Flow denial
  Flow teardown

Because denied flows are exported as well, ASA NetFlow records the connections the ASA blocked, not only the traffic it passed.

Understanding the Implementation Requirements

Syntax Conventions - The commands below follow these conventions:
  Braces ({ }) indicate a required choice.
  Square brackets ([ ]) indicate optional elements.
  Boldface indicates commands that should be entered exactly as shown.
  Italics indicate arguments for which you must supply values.

Note: When implementing ASA NetFlow, use this paper only in conjunction with the step-by-step instructions in the SolarWinds KB article Configuring Cisco ASA devices for use with Orion NTA.

For an ASA device to export NetFlow data, the ASA must be configured with specific commands. Some of these commands are independent CLI commands, meaning that they do not depend on other commands in terms of order or precedence.

Before an ASA can be added to NTA it must first be managed by Orion. This requires the normal steps for adding a node in Orion, and the Orion server must be a known host to the ASA SNMP server. The following command must be in the ASA configuration before adding the ASA to Orion:

  (config)# snmp-server host {InterfaceName} {OrionServerIPAddress} community {ReadonlyCommunityString}

Restricting SNMP to the Orion server's address, as this command does, and using a read-only community string both matter: an SNMPv1/v2c community string travels in clear text and is the only credential needed by anything that can reach the ASA's SNMP service.

The independent CLI commands configure the export of flow templates only. These commands are:

  (config)# flow-export destination {InterfaceName} {OrionServerIPAddress} 2055
  (config)# flow-export template timeout-rate {#Minutes}
  (config)# flow-export delay flow-create {#Seconds}

The first command is mandatory and starts the export of flow templates to the collector. To export to multiple collectors, repeat this command once for each collector, using that collector's IP address each time. The second command changes how often templates are re-sent (the default is 30 minutes) and the third delays the export of flow-creation events; both are optional. NetFlow export is unauthenticated UDP, so every device on the path between the ASA and the collector must pass UDP port 2055 from the ASA's source interface to the Orion server.

The next set of commands implements the flow exports using Cisco's Modular Policy Framework. Modular Policy Framework is used to implement several security and QoS features and consists of three entities:
  Traffic identification using a class map
  Actions to be taken as described by a policy map
  Application of the policy to an interface using a service policy

Because of the inherent hierarchy in this configuration, the commands are not independent. You cannot create a policy map without an existing class map, and the service policy depends on both the class and policy maps being in place. Depending on the software version there are six to seven individual commands that implement the three mappings. These are:

  (config)# access-list netflow-export extended permit ip any any
  (config)# class-map netflow-export-class
  (config-cmap)# match access-list netflow-export
  (config)# policy-map {existing global policy map name}
  (config-pmap)# class netflow-export-class
  (config-pmap-c)# flow-export event-type all destination {OrionServerIPAddress}

The permit ip any any access list means every connection the ASA creates, denies or tears down is exported; narrow the access list if only some traffic is of interest or the collector cannot keep up with the volume.

The last command can export flows to one or more NetFlow collectors. To export to multiple collectors, either repeat the command with a different collector IP address each time, or issue it once with the collectors' IP addresses separated by a space at the end of the command. For example:

  (config-pmap-c)# flow-export event-type all destination 10.110.21.5
  (config-pmap-c)# flow-export event-type all destination 10.110.21.65

Or:

  (config-pmap-c)# flow-export event-type all destination 10.110.21.5 10.110.21.65

Support for multiple collectors may vary by ASA version.

Version 8.1 exporters require the flow-export enable command. This command was deprecated in version 8.2. It is independent of other commands and is entered at the (config) prompt.
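The SNMP, template and Modular Policy Framework commands from this page and the previous one, assembled into one complete configuration in the order an ASA accepts them. This is an added example, not SolarWinds or Cisco sample configuration: the interface name inside, the collector address 10.110.21.5, the community string OrionReadOnly and the policy-map name global_policy (the name a factory-default ASA uses) are illustrative assumptions to be replaced with your own values.

```text
! Added example: complete ASA 8.2(2)+ NSEL export to a single Orion NTA collector.
! "inside", 10.110.21.5, "OrionReadOnly" and "global_policy" are assumptions.

! Orion must be able to poll the ASA before the node can be added to NTA. The
! community string is sent in clear text (SNMPv2c); keep it read-only and limited
! to this one host.
snmp-server host inside 10.110.21.5 community OrionReadOnly

! Independent commands: where templates go, how often they are re-sent (the
! default is 30 minutes), and a delay so that a flow torn down within 15 seconds
! produces only a teardown record instead of a create and a teardown.
flow-export destination inside 10.110.21.5 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15

! Modular Policy Framework, in dependency order: access list -> class map ->
! policy map. "permit ip any any" exports every connection; narrow it if needed.
access-list netflow-export extended permit ip any any
class-map netflow-export-class
 match access-list netflow-export
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination 10.110.21.5

! The global service policy already exists on a default ASA; do not add a second
! one. Placing the class inside global_policy is what applies NetFlow export to
! every interface.
service-policy global_policy global

! Verify: the counters must be non-zero and increase between two runs.
show flow-export counters
```

If the ASA runs 8.1(2), add flow-export enable at the (config) prompt as well; on 8.2 and later the command no longer exists and the policy-map action alone turns export on.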

The last step in Modular Policy Framework is normally to map the policy to an interface. With ASA NetFlow this is achieved differently. The existing global policy is already mapped to the service policy, so referring to the existing global policy makes the connection. Service policy commands that map the NetFlow policy directly to a particular interface are not supported on ASAs. The NetFlow class is added to the global policy map, and the global policy's service policy applies it to all interfaces automatically.

It can be difficult to remember the format of these commands and where hyphens belong. The rule is that two or more words specifying a single entity or a single action are hyphenated. For example, a class map is a single entity, so it is specified as class-map in the CLI. netflow-export-class refers to the class defined by the (config)# class-map netflow-export-class command and so is also a single entity. flow-export and flow-create each specify a single action and are hyphenated as well.

Troubleshooting ASA NetFlow

General NetFlow Troubleshooting

1. On the NTA Summary view of the Web Console, the NetFlow Collector Service resource status icon should be up (green). If it is not, go to Administrative Tools > Services and start the service.

2. The NetFlow Sources resource should list the device sending NetFlow. If it does, click the plus icon and drill down to the interfaces. If it does not list the device, ensure the device is managed by Orion and check NetFlow Settings to see whether the device is a listed NetFlow source. If it is not a listed source and not managed by Orion, add the device to Orion, then add it to NetFlow Sources. If the interface appears after drilling down, check the time in the Last Received NetFlow column. If the time is current, click the interface name to see the data. If the time is old or says Never, proceed to the next step.

3. Start a packet capture program on the Orion server's LAN interface. Capture packets for a couple of minutes, then sort by source IP and look for the NetFlow exporter's IP address (source IP) with cflow protocol packets. If no cflow packets arrive from the exporter, check the exporter with the show flow-export counters command. The counters should be non-zero and should increment when the command is reissued. Make sure the source IP address of the exporter in the capture is the same IP address Orion uses to manage the ASA; exports arriving from a different ASA interface address are not matched to the managed node.

ASA Specific Troubleshooting

Check the packet capture for template packets and data packets. Both are classified as the cflow protocol (Wireshark's CFLOW dissector covers NetFlow v5 and v9). ASA devices export thirteen templates, so you can normally identify template packets by a record count of thirteen. Depending on the traffic load on the exporter, data packets may have various record counts. To confirm the packet type, expand the flowset section of the packet: a template flowset has FlowSet ID 0, while a data flowset carries the ID (256 or higher) of the template that describes it.

If you see only template packets and no data packets, the ASA exporter may be misconfigured. Check the ASA Modular Policy Framework configuration for errors, typos, or missing commands. If the exporter configuration is correct, check the network path from the ASA for firewalls or other devices interfering with delivery of the exports.

If you see data packets only and no template packets, there are two probable causes: the packet capture was too short and no template refresh fell inside it, or templates are being re-sent only every 30 minutes (the default), so a collector that restarted or lost the template waits up to 30 minutes for the next one. Either way, expanding the data packets shows a "no template" error. In this case check the exporter for the (config)# flow-export template timeout-rate 1 command. The default timeout is 30 minutes, which may leave the templates dropped from the collector's memory for that long. Template packets are only about 1K, so reducing the timeout to 1 minute has no adverse effect on the network. Running a capture for more than 1 minute will then ensure that templates are collected as well as data.
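The Overview explained that templates and data are never mixed in one packet and that a template is what lets the collector parse data records, and this section tells you to look for a "no template" error in the capture. The following decoder, an added example that is not SolarWinds or Cisco code, shows both points mechanically: it parses NetFlow v9 headers and flowsets, caches templates per exporter and source ID, and reports data flowsets that arrive before their template instead of guessing at field boundaries. All packet bytes are constructed inline; the six-field template imitates a cut-down ASA NSEL record (field type 233 is the firewallEvent field the ASA uses for the NSEL event type) and is an assumption, not a real ASA template, which carries many more fields.

```python
# Added example (not SolarWinds or Cisco code): a NetFlow v9 decoder that keeps
# templates per exporter/source id and reports data flowsets that arrive before
# their template. Packets are constructed inline; the template is assumed, not a real ASA one.
import socket
import struct
from collections import namedtuple

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId
Decoded = namedtuple("Decoded", "kind header_count records missing_templates")

# Field type numbers from the NetFlow v9 / IPFIX registry; 233 (firewallEvent) carries the NSEL event.
FIELD_NAMES = {4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 233: "FW_EVENT"}
FW_EVENT = {1: "flow created", 2: "flow teardown", 3: "flow denied"}


def decode_field(ftype, raw):
    if ftype in (8, 12):                      # IPv4 addresses as dotted quads
        return socket.inet_ntoa(raw)
    value = int.from_bytes(raw, "big")
    return FW_EVENT.get(value, f"unknown({value})") if ftype == 233 else value


class Collector:
    """Caches templates keyed by (exporter, source id, template id) and decodes data."""
    def __init__(self):
        self.templates = {}

    def handle(self, exporter, packet):
        version, count, _up, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        kinds, records, missing = set(), [], []
        offset = HEADER.size
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
            if fs_len < 4 or offset + fs_len > len(packet):
                raise ValueError("truncated flowset")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:                        # template flowset
                kinds.add("template")
                self._load_templates(exporter, source_id, body)
            elif fs_id >= 256:                    # data flowset; its id names the template
                kinds.add("data")
                spec = self.templates.get((exporter, source_id, fs_id))
                if spec is None:
                    missing.append(fs_id)         # the "no template" case seen in a capture
                else:
                    records.extend(self._decode_records(spec, body))
            offset += fs_len                      # ids 1..255 (options templates) are skipped
        kind = kinds.pop() if len(kinds) == 1 else ("mixed" if kinds else "empty")
        return Decoded(kind, count, records, missing)

    def _load_templates(self, exporter, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            if tid < 256:                         # reached the zero padding
                break
            spec = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(exporter, source_id, tid)] = spec

    @staticmethod
    def _decode_records(spec, body):
        rec_len = sum(flen for _, flen in spec)
        records, off = [], 0
        while rec_len and off + rec_len <= len(body):   # tail padding shorter than a record is ignored
            rec = {}
            for ftype, flen in spec:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[off:off + flen])
                off += flen
            records.append(rec)
        return records


def build_packet(source_id, flowsets, count):
    """Constructed v9 packet: header followed by (flowset id, body) pairs."""
    out = HEADER.pack(9, count, 0, 0, 0, source_id)
    for fs_id, body in flowsets:
        out += struct.pack("!HH", fs_id, 4 + len(body)) + body
    return out


def nsel_record(src, dst, sport, dport, proto, event):
    """One constructed 14-byte record laid out per ASA_LIKE_TEMPLATE."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHBB", sport, dport, proto, event)


ASA_LIKE_TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]   # assumed template 256
TEMPLATE_BODY = struct.pack("!HH", 256, len(ASA_LIKE_TEMPLATE)) + b"".join(struct.pack("!HH", *f) for f in ASA_LIKE_TEMPLATE)
DATA_BODY = nsel_record("192.0.2.10", "203.0.113.7", 51514, 443, 6, 1) + nsel_record("192.0.2.44", "203.0.113.7", 40000, 23, 6, 3)


def run_demo(exporter="192.0.2.1"):
    """Replay data before its template, then the template, then the same data again."""
    collector = Collector()
    template_pkt = build_packet(0, [(0, TEMPLATE_BODY)], count=1)
    data_pkt = build_packet(0, [(256, DATA_BODY)], count=2)
    return tuple(collector.handle(exporter, p) for p in (data_pkt, template_pkt, data_pkt))
```

run_demo() returns three results: the first data packet is classified as data but yields no records and lists template 256 as missing, the template packet yields no records at all, and only the second copy of the same data packet decodes into two records, one flow created and one flow denied. That is the situation behind the "no template" error, and it is why a capture must be long enough to include a template refresh: the cache key (exporter address, source ID, template ID) is filled only by template flowsets, and no quantity of data packets can substitute for it.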