Pelham, ASA flow-updates are received and processed by nprobe. However, I am not sure they contain all the necessary information required to properly update flow statistics. Can you please generate and send a .pcap capture file of your ASA netflow (make sure it contains both templates and data records for flow-updates and flow-teardown) for our inspection?
By the way, nprobe gives you a couple of configurable timeouts that you can use to periodically export long-lived flows:

    [--lifetime-timeout|-t] <timeout>   | It specifies the maximum (seconds) flow
                                        | lifetime [default=120]
    [--idle-timeout|-d] <timeout>       | It specifies the maximum (seconds) flow
                                        | idle lifetime [default=30]

Regards,
Simone

On Wed, Jun 28, 2017 at 2:38 AM, Pelham Whitmore <pelham.whitm...@aceinfo.net.au> wrote:
> Hello,
>
> I have a Cisco ASA configured to send Netflow to an instance of nprobe, and then on to ntopng.
>
> The configuration is working, however I have noticed that nprobe is only emitting flows when it receives a flow-teardown event from the ASA. This is causing inaccurate bandwidth reporting for long-lived flows as the total byte count is being recorded as a single spike once the flow is torn down.
>
> My understanding is that Cisco ASA netflow is very non-standard and that this behaviour used to be expected on older versions of ASA. However, newer versions of ASA are capable of sending flow-update events using a refresh-interval for active flows. When I run tcpdump on my nprobe server I can see the flow-create and flow-update events being sent from the ASA, however nprobe does not seem to use these events, or act on them in any way. I have enabled verbose logging, but can only see logs being generated for flow-teardown events, not flow-create or flow-update.
>
> My question is, should I expect nprobe to use the flow-updates from Cisco ASA for long-lived active flows, or is it normal for it to only process flow-teardown events?
>
> Nprobe (dev build v.8.1.170626) is running in collector mode with the following settings:
>
> --zmq="tcp://*:5559"
> --collector-port=2055
> -i=none
> -n=none
>
> Regards,
> Pelham
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
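An added example (not from this thread and not nprobe's own code) of the check Simone is asking for: a small NetFlow v9 parser that confirms an ASA export capture carries both a template flowset and data records, and tallies the Cisco NSEL firewallEvent values (field 233: 1 = flow-create, 2 = flow-teardown, 5 = flow-update) so you can verify that flow-update records are really on the wire before concluding the collector ignores them. It assumes the UDP payloads have already been pulled out of the .pcap (for example with tshark); the packet it parses is constructed inline and is not a real ASA capture.

```python
import struct

FIREWALL_EVENT = 233                          # NSEL firewallEvent (IPFIX IE 233)
FWD_DELTA_BYTES, REV_DELTA_BYTES = 231, 232   # NSEL forward/reverse delta byte counts
EVENT_NAMES = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied",
               4: "flow-alert", 5: "flow-update"}

def parse_v9_packet(pkt, templates=None):
    """Parse one NetFlow v9 UDP payload. Templates learned here go into
    `templates` (pass the same dict for every packet of a capture); data
    records come back as dicts mapping field type -> integer value."""
    templates = {} if templates is None else templates
    if struct.unpack("!H", pkt[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    off, records = 20, []                     # 20-byte v9 header, then flowsets
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:                        # malformed length: stop, don't loop forever
            break
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:                        # template flowset, possibly several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:   # data flowset with a known template
            fields = templates[fs_id]
            rec_len, pos = sum(ln for _, ln in fields), 0
            while pos + rec_len <= len(body):       # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + flen], "big")
                    pos += flen
                records.append(rec)
        off += fs_len
    return templates, records

def event_summary(records):
    """Count NSEL event types; 'unknown' marks records lacking firewallEvent."""
    counts = {}
    for rec in records:
        name = EVENT_NAMES.get(rec.get(FIREWALL_EVENT), "unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts

def build_sample_packet():
    """Constructed v9 packet (not a real ASA capture): template 256 with
    firewallEvent + fwd/rev delta bytes, then a create, an update and a teardown."""
    header = struct.pack("!HHIIII", 9, 4, 1000, 1498610000, 1, 0)
    template = struct.pack("!HHHHHHHH", 256, 3, FIREWALL_EVENT, 1,
                           FWD_DELTA_BYTES, 4, REV_DELTA_BYTES, 4)
    data = b"".join(struct.pack("!BII", ev, fwd, rev)
                    for ev, fwd, rev in ((1, 0, 0), (5, 1500, 300), (2, 9000, 1200)))
    data += b"\x00" * (-len(data) % 4)        # pad the data flowset to 4 bytes
    return (header + struct.pack("!HH", 0, 4 + len(template)) + template
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

A data flowset seen before its template yields no records, which is exactly why the capture must include the template refreshes and not just data packets.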