Cisco ASA NetFlow overview
NetFlow configuration of and operations for Adaptive Security Appliance (ASA) devices is different from typical NetFlow. ASA devices began supporting NetFlow as of ASA software version 8.1(2), but there were several issues with that release. Version 8.2(2) and later releases provide a more robust NetFlow implementation. This paper aims to provide guidance and insight for the implementation, interpretation, and troubleshooting of NetFlow on ASA appliances. The goal of this paper is to highlight and explain the important information about ASA NetFlow, allowing you to implement ASA NetFlow with confidence.
The following table explores some of the main differences between ASA NetFlow and most other NetFlow Implementations.
|Version support||V5 and v9||
V9 with fixed templates
|Flow export trigger||
TCP RST or FIN flags detected, flow timers, cache full
Network Security Event
Logging (NSEL) detects a state change in a flow
Independent CLI commands or SNMP set commands
Independent CLI for templates and commands
Modular policy framework for flow definitions
|NetFlow show commands||Expose detailed interface and exporter statistics||
Limited, see ASA Command Reference
|Interface ingress and egress|| All flows are shown without a direction marker
(Also referred to as bidirectional)
Terms specific to NetFlow v9 and the ASA implementation
The ASA device is the NetFlow exporter. NTA is the NetFlow collector. A flow template is exported by the NetFlow exporter and sent to the NetFlow collector. Templates are used as parsers by the collector to define fields in the flow data exports. Templates carry no actual flow data. Templates only tell the collector how to interpret flow data. NetFlow v9 uses flow templates to define flow data similar to how SNMP uses MIBS to define SNMP data. Flow data packets carry only flow information.
Templates and flow data are never mixed in a single packet. Both flow data packets and flow template packets must be received by the NetFlow collector in order to display ASA NetFlow information in the SolarWinds Platform Web Console. Both template packets and flow data packets can contain up to 30 separate records. These records are sometimes referred to as Protocol Data Units (PDUs).
Network Security Event Logging (NSEL) is the method ASAs use to trigger flow exports. Three event types are defined by NSEL:
- Flow creation
- Flow denial
- Flow teardown
For information on Configuring Cisco ASA, see NetFlow Configuration Example - Cisco ASA.