Hello,

I am using a Cisco ASA 5510 and PRTG to monitor it. It works well with sensors configured using SNMP (SNMP Cisco ASA VPN Users etc.), but I have configured the ASA to export NetFlow and it looks like something is wrong.

The ASA only supports NetFlow V9, so I used this sensor template. I tried Wireshark and I can see the UDP packets on the target machine; then I tried NetFlow Tester (https://www.paessler.com/tools/netflowtester) and it seems the data has arrived at the application layer as well.

The only difference was that the configuration example below suggests setting Active Timeout to zero, but I couldn't manage that, so I used one (1). It should not be a problem, as far as I know the ASA does not support this feature, but it just disfigures the graphs. https://helpdesk.paessler.com/en/support/solutions/articles/76000041690-how-to-monitor-cisco-asa-firewalls-using-netflow-9-and-prtg

This device is working as a VPN GW, so 99% of the connections go through an L2L VPN. The ASA encrypts/decrypts these connections, so I can see them in the connection list, but there is not a single piece of data in PRTG.

Does anybody have any idea what the problem is?

OS: Windows 2012 Server; PRTG ver. 16.3.24.5302; Template: NetFlow V9; ASA ver. 9.1.(4)


Article Comments

Hello Sandor,

Please run the Netflow testing again and forward a screenshot of the results. This will help us to determine if the flows can be used in PRTG.

Best regards, Felix


Aug, 2016

Hello!

We have solved the problem. First of all, the server received NetFlow v9 packets, but the decoded side was empty. The reason for this was the following config on the ASA:

  • flow-export template timeout-rate 1
  • flow-export delay flow-create 20

Because of this config, the ASA sends NetFlow packets even if they are "empty", so there was no useful data in them. Because of the ASA SW version we had to use the following command in global configuration mode: flow-export enable.

It does not show up in the running-config after all, and it makes a config change under the global policy-map default class. The ASA does not support a service-policy for NetFlow, just the global policy. In the end we deleted that default class and made our own under the global policy-map.

Here is the working configuration:

access-list NETFLOW-EXPORT extended permit ip [source] [destination]
!
flow-export destination inside [destination IP] [destination port]
flow-export template timeout-rate 1
flow-export delay flow-create 20
flow-export enable
!
logging flow-export-syslogs disable
!
class-map NetFlow-traffic
  match access-list NETFLOW-EXPORT
!
policy-map global_policy
  class NetFlow-traffic
   flow-export event-type all destination [destination IP]

Thank you for your help.

BR, Sandor


Aug, 2016
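The "packets arrive but the decoded side is empty" symptom above is what a collector sees when an exporter sends only template flowsets (refreshed every minute by "template timeout-rate 1") and no data flowsets. The following added example, not part of the original thread or of PRTG, is a minimal NetFlow v9 parser that separates templates from data and decodes records only once the matching template has been seen; the two sample exports are constructed, not real ASA captures.

```python
import struct

def parse_netflow_v9(packet: bytes) -> dict:
    """Split a v9 export into header fields, template records and data flowsets."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte v9 header")
    version, count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates, data_sets, offset = {}, [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("flowset length runs past the packet")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset: (template_id, field_count, fields...)*
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256:  # data flowset; its records follow the template with this id
            data_sets.append((fs_id, body))
        offset += fs_len  # fs_id == 1 (options template) is skipped in this example
    return {"count": count, "sequence": seq, "source_id": source_id,
            "templates": templates, "data": data_sets}

def decode_records(data_sets, templates):
    """Cut data flowsets into records; flowsets with no known template are dropped."""
    records = []
    for tid, body in data_sets:
        fields = templates.get(tid)
        rec_len = sum(flen for _, flen in fields) if fields else 0
        if rec_len == 0:
            continue  # a collector cannot decode data without the template
        for pos in range(0, len(body) - rec_len + 1, rec_len):
            rec, p = {}, pos
            for ftype, flen in fields:  # field type ids as in the v9 spec (8=src IP, 12=dst IP, 1=bytes)
                rec[ftype] = body[p:p + flen]
                p += flen
            records.append(rec)
    return records

# Constructed sample exports (not real captures): template 256 = src IPv4, dst IPv4, IN_BYTES
HEADER = struct.pack("!HHIIII", 9, 1, 1000, 1470000000, 1, 0)
TEMPLATE_ONLY = HEADER + struct.pack("!HHHH", 0, 20, 256, 3) + struct.pack("!6H", 8, 4, 12, 4, 1, 4)
WITH_DATA = HEADER + struct.pack("!HH", 256, 16) + bytes([10, 0, 0, 1, 10, 0, 0, 2]) + struct.pack("!I", 1500)
```

Feeding TEMPLATE_ONLY yields templates and no records, which is exactly the empty decode seen before "flow-export enable" and the class-map were in place; WITH_DATA decodes once the template from the earlier packet is known.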

Hello Sandor,

Thank you very much for sharing your findings! I'm sure that this will help other users a lot!

Best regards, Felix


Aug, 2016