Hello,

I have a Cisco ASA configured to send NetFlow to an instance of nprobe, and then on to ntopng. The configuration is working; however, I have noticed that nprobe is only emitting flows when it receives a flow-teardown event from the ASA. This is causing inaccurate bandwidth reporting for long-lived flows, as the total byte count is being recorded as a single spike once the flow is torn down.
My understanding is that Cisco ASA NetFlow is very non-standard and that this behaviour used to be expected on older versions of ASA. However, newer versions of ASA are capable of sending flow-update events using a refresh interval for active flows. When I run tcpdump on my nprobe server I can see the flow-create and flow-update events being sent from the ASA; however, nprobe does not seem to use these events, or act on them in any way. I have enabled verbose logging, but can only see logs being generated for flow-teardown events, not flow-create or flow-update.

My question is: should I expect nprobe to use the flow-updates from Cisco ASA for long-lived active flows, or is it normal for it to only process flow-teardown events?

nprobe (dev build v.8.1.170626) is running in collector mode with the following settings:

--zmq="tcp://*:5559" --collector-port=2055 -i=none -n=none

Regards,
Pelham
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
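A way to check, independently of nprobe, which NSEL event types are actually arriving in the NetFlow v9 stream and in what order per flow. This is an added example, not nprobe's code and not something from the original post. It decodes NetFlow v9 templates and data flowsets and tags each record with the Cisco NSEL firewallEvent value carried in element 233 (1 = flow-create, 2 = flow-teardown, 3 = flow-denied, 4 = flow-alert, 5 = flow-update), reading initiator and responder octets from elements 231 and 232. The datagrams below are constructed inline so the script runs offline; the first one deliberately arrives before its template, which is a real collector edge case (the ASA only re-sends templates on its template timeout), so the decoder buffers it and replays it once the template is known. Whether the octet counters in flow-update events are cumulative or per-interval is not asserted here; the script only reports what each record says.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

# Cisco NSEL firewallEvent values (IANA NetFlow v9 / IPFIX element 233).
FIREWALL_EVENT = {0: "ignore", 1: "flow-create", 2: "flow-teardown",
                  3: "flow-denied", 4: "flow-alert", 5: "flow-update"}

# Elements this decoder names; anything else is kept under its numeric id.
FIELD_NAMES = {4: "proto", 7: "sport", 8: "src", 11: "dport", 12: "dst",
               231: "initiator_octets", 232: "responder_octets", 233: "event"}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seq, sourceId


class NSELCollector:
    """Decodes NetFlow v9 datagrams and tags each record with its NSEL event name."""

    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(element_id, length), ...]
        self.pending = []     # data flowsets seen before their template, replayed later

    def feed(self, datagram):
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError("not a NetFlow v9 datagram")
        records, off = [], HEADER.size
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
            if fs_len < 4:
                break  # malformed flowset length; stop rather than loop forever
            body = datagram[off + 4:off + fs_len]
            if fs_id == 0:                      # template flowset
                self._add_templates(source_id, body)
                records.extend(self._replay_pending())
            elif fs_id >= 256:                  # data flowset keyed by template id
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len
        return records

    def _add_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _replay_pending(self):
        out, still = [], []
        for source_id, tid, body in self.pending:
            if (source_id, tid) in self.templates:
                out.extend(self._decode_data(source_id, tid, body))
            else:
                still.append((source_id, tid, body))
        self.pending = still
        return out

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.pending.append((source_id, tid, body))  # template not seen yet
            return []
        reclen = sum(length for _, length in fields)
        out, off = [], 0
        while reclen and off + reclen <= len(body):  # trailing bytes < reclen are padding
            rec = {}
            for elem, length in fields:
                raw = body[off:off + length]
                off += length
                if elem in (8, 12):
                    rec[FIELD_NAMES[elem]] = str(IPv4Address(raw))
                else:
                    rec[FIELD_NAMES.get(elem, elem)] = int.from_bytes(raw, "big")
            rec["event"] = FIREWALL_EVENT.get(rec.get("event"), "unknown")
            out.append(rec)
        return out


# --- constructed sample traffic (not captured from a real ASA) ---------------
NSEL_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (231, 8), (232, 8)]
TEMPLATE_FLOWSET = struct.pack("!HH", 256, len(NSEL_FIELDS)) + b"".join(
    struct.pack("!HH", *f) for f in NSEL_FIELDS)


def nsel_record(event, initiator_octets, responder_octets):
    """One 30-byte data record matching NSEL_FIELDS (hypothetical 10.0.0.5 -> 203.0.113.7:443)."""
    return (IPv4Address("10.0.0.5").packed + IPv4Address("203.0.113.7").packed
            + struct.pack("!HHBBQQ", 51234, 443, 6, event, initiator_octets, responder_octets))


def build_datagram(seq, flowsets, source_id=1):
    payload = b"".join(struct.pack("!HH", fs_id, 4 + len(body)) + body for fs_id, body in flowsets)
    return HEADER.pack(9, len(flowsets), 1000 * seq, 1500000000 + seq, seq, source_id) + payload


SAMPLE_DATAGRAMS = [
    build_datagram(1, [(256, nsel_record(1, 0, 0))]),                        # create, before template
    build_datagram(2, [(0, TEMPLATE_FLOWSET), (256, nsel_record(5, 4096, 65536))]),
    build_datagram(3, [(256, nsel_record(5, 8192, 131072))]),                # second update
    build_datagram(4, [(256, nsel_record(2, 12288, 196608))]),               # teardown
]


def event_counts(datagrams):
    """How many records of each NSEL event type the stream carried."""
    collector, counts = NSELCollector(), Counter()
    for dg in datagrams:
        for rec in collector.feed(dg):
            counts[rec["event"]] += 1
    return counts


def flow_timeline(datagrams):
    """Per 5-tuple: the ordered (event, initiator_octets, responder_octets) sequence."""
    collector, timeline = NSELCollector(), defaultdict(list)
    for dg in datagrams:
        for rec in collector.feed(dg):
            key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])
            timeline[key].append((rec["event"], rec["initiator_octets"], rec["responder_octets"]))
    return dict(timeline)


if __name__ == "__main__":
    print(event_counts(SAMPLE_DATAGRAMS))
    for key, events in flow_timeline(SAMPLE_DATAGRAMS).items():
        print(key, events)
```

To run this against live traffic, replace SAMPLE_DATAGRAMS with datagrams read from a UDP socket bound to the collector port (with nprobe stopped, since both cannot bind 2055) or from the UDP payloads of a pcap taken with tcpdump. If the per-flow timeline shows flow-update records with event 5 arriving but nprobe still only emits on teardown, the question is squarely how nprobe treats element 233, not whether the ASA is sending the updates.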
