Cisco ASA NetFlow overview

NetFlow configuration and operation on Adaptive Security Appliance (ASA) devices differ from typical NetFlow. ASA devices began supporting NetFlow as of ASA software version 8.1(2), but there were several issues with that release. Version 8.2(2) and later releases provide a more robust NetFlow implementation. This paper provides guidance and insight for the implementation, interpretation, and troubleshooting of NetFlow on ASA appliances. Its goal is to highlight and explain the important facts about ASA NetFlow so that you can implement it with confidence.

The following table summarizes the main differences between ASA NetFlow and most other NetFlow implementations.

Version support
  Typical NetFlow: v5 and v9
  ASA NetFlow:     v9 with fixed templates

Flow export trigger
  Typical NetFlow: TCP RST or FIN flags detected, flow timers, cache full
  ASA NetFlow:     Network Security Event Logging (NSEL) detects a state change in a flow

Implementation
  Typical NetFlow: Independent CLI commands or SNMP set commands
  ASA NetFlow:     Independent CLI for templates and commands; Modular Policy Framework for flow definitions

NetFlow show commands
  Typical NetFlow: Expose detailed interface and exporter statistics
  ASA NetFlow:     Limited, see the ASA Command Reference

Directionality
  Typical NetFlow: Interface ingress and egress
  ASA NetFlow:     All flows are shown without a direction marker (also referred to as bidirectional)

Terms specific to NetFlow v9 and the ASA implementation

The ASA device is the NetFlow exporter. SolarWinds NTA is the NetFlow collector. A flow template is exported by the NetFlow exporter and sent to the NetFlow collector. Templates are used as parsers by the collector to define the fields in the flow data exports. Templates carry no actual flow data; they only tell the collector how to interpret it. NetFlow v9 uses flow templates to define flow data much as SNMP uses MIBs to define SNMP data. Flow data packets carry only flow information.

Templates and flow data are never mixed in a single packet. Both flow data packets and flow template packets must be received by the NetFlow collector in order to display ASA NetFlow information in the Orion Web Console. Both template packets and flow data packets can contain up to 30 separate records. These records are sometimes referred to as Protocol Data Units (PDUs).

Network Security Event Logging (NSEL) is the method ASAs use to trigger flow exports. Three event types are defined by NSEL:

  • Flow creation
  • Flow denial
  • Flow teardown
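To make the template/data split and the NSEL event types concrete, here is an added example of a minimal NetFlow v9 collector in Python. It is not code from the paper or from SolarWinds. It caches template flowsets (flowset ID 0) per exporter source ID, decodes data flowsets (flowset ID 256 and above) against the cached template, and, for the failure mode the text describes, holds back data that arrives before its template until the template shows up. The sample packets are constructed inline, not captured from a real ASA. Field types 4, 7, 8, 11 and 12 are standard NetFlow v9 fields; field type 233 and the event codes 1, 2 and 3 are what I understand the NSEL firewall-event field and its created/deleted/denied values to be, and are treated here as assumptions to verify against the Cisco NSEL field table.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v9 packet header: version, record count, sysUptime, unix secs, sequence, source id
HEADER = struct.Struct("!HHIIII")

# Field type numbers. 4/7/8/11/12 are standard NetFlow v9 types; 233 is, to my
# knowledge, NF_F_FW_EVENT in Cisco NSEL (treat the number and value map as assumptions).
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr", 233: "fw_event"}
FW_EVENT_NAMES = {1: "flow created", 2: "flow deleted", 3: "flow denied"}


class V9Collector:
    """Minimal NetFlow v9 collector: caches templates per exporter source id and
    uses them to decode data flowsets. Data that arrives before its template is
    held back and decoded once the template shows up."""

    def __init__(self):
        self.templates = {}               # (source_id, template_id) -> [(field_type, length), ...]
        self.pending = defaultdict(list)  # (source_id, template_id) -> [undecodable flowset bodies]

    def feed(self, packet: bytes) -> list:
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"unsupported NetFlow version {version}")
        records, off = [], HEADER.size
        while off + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, off)
            if length < 4:
                raise ValueError("malformed flowset length")
            body = packet[off + 4:off + length]
            if flowset_id == 0:                          # template flowset
                for tid in self._parse_templates(source_id, body):
                    for held in self.pending.pop((source_id, tid), []):
                        records.extend(self._parse_data(source_id, tid, held))
            elif flowset_id >= 256:                      # data flowset; its id is the template id
                records.extend(self._parse_data(source_id, flowset_id, body))
            off += length
        return records

    def _parse_templates(self, source_id, body):
        new_ids, off = [], 0
        while off + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, off)
            off += 4
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(field_count)]
            off += 4 * field_count
            self.templates[(source_id, template_id)] = fields
            new_ids.append(template_id)
        return new_ids

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:                  # template not seen yet: hold the flowset
            self.pending[(source_id, template_id)].append(body)
            return []
        record_len = sum(length for _, length in fields)
        records, off = [], 0
        while off + record_len <= len(body):   # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, length in fields:
                raw = body[off:off + length]
                off += length
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (8, 12):
                    rec[name] = socket.inet_ntoa(raw)
                elif ftype == 233:
                    code = int.from_bytes(raw, "big")
                    rec[name] = FW_EVENT_NAMES.get(code, f"event_{code}")
                else:
                    rec[name] = int.from_bytes(raw, "big")
            records.append(rec)
        return records


# --- constructed sample packets (not a capture from a real ASA) -------------
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]


def _header(count, source_id=1):
    return HEADER.pack(9, count, 1000, 1700000000, 1, source_id)


def build_template_packet():
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return _header(1) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(event_code):
    rec = (socket.inet_aton("10.0.0.5") + socket.inet_aton("192.0.2.10")
           + struct.pack("!HHBB", 51515, 443, 6, event_code))
    rec += b"\x00" * (-len(rec) % 4)        # pad the flowset to a 4-byte boundary
    return _header(1) + struct.pack("!HH", TEMPLATE_ID, 4 + len(rec)) + rec


def demo():
    """Feed a data packet first to show it cannot be decoded until the template arrives."""
    c = V9Collector()
    before = c.feed(build_data_packet(3))       # no template yet -> []
    after = c.feed(build_template_packet())     # template arrives; the held flow is decoded
    later = c.feed(build_data_packet(1))        # subsequent data decodes immediately
    return before, after, later


if __name__ == "__main__":
    for stage, recs in zip(("before template", "after template", "later"), demo()):
        print(stage, recs)
```

The first `feed` call returns nothing because the collector has no template for flowset 256, which is exactly the situation the paper warns about: a collector that receives only data packets displays no ASA flows. Once the template packet is processed the held flow decodes as a "flow denied" event, and the third packet decodes straight away. A real collector would also expire templates and key them by exporter address as well as source ID, but the decode path is the same.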