« Scrutinizer v7 NetFlow and sFlow Analyzer: Setting up Flow Analytics
Identify more than just the ingress and egress packet throughput on your ASA Firewall »

Cisco ASA NetFlow supports bidirectional flows

Posted in ASA, NetFlow, NetFlow Analyzer, Network Health Report, Scrutinizer on October 14th, 2009 by jimmyd
cisco-asa-netflow-supports-bidirectional-flows

If you are running Scrutinizer v7.01, the Cisco ASA interfaces don’t show up in the Status tab yet. It was a philosophical decision. Here’s why:

The ASA running v8.2.1 exports bidirectional NetFlow!  This is unlike anything else we’ve seen.  In nearly all NetFlow exports v5, v9, IPFIX etc. flows are exported in one direction (i.e. A -> B and then a separate flow for B -> A).   This is true for ingress or egress NetFlow. For Example: lets say A -> B creates a flow of 200KB.  Then in return:  B -> A causes a 2nd flow of 40KB. Well, the developers of the ASA decided to be unique and add the two flows together and export A -> B 240KB!!!!  The two added to each other is called a bidirectional flow.

Because of this, when we calculate the percent utilization using NetFlow (i.e. not SNMP) by adding the total flows together we overstate InBound/OutBound utilization in the Status tab. We are talking with Cisco about this unconventional export method. We have no definitive news yet.

NOTE: The ASA also doesn’t support an Active Timeout causing huge spikes in the graphs and thus making network traffic analysis kind of tricky when traffic that occurred over several minutes shows up in a single minute!

If you are seeing some screwy results with ASA and NSEL, the above is why. Anyway, everyone can blame Mike for not sticking the data in the Status tab!

Here is a pic of our  ASA:

Our Cisco ASA

Need help configuring NetFlow export from the ASA?  You can also setup NetFlow exports up using Cisco ASDM. Make sure you have watched the Cisco ASA and NetFlow training video.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________
Share and Enjoy:
  • Digg
  • StumbleUpon
  • Reddit
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Google Bookmarks
  • Technorati
  • Twitter
  • email
  • Print
Tags: , , , , , , , ,

This entry was posted on Wednesday, October 14th, 2009 at 3:47 pm and is filed under ASA, NetFlow, NetFlow Analyzer, Network Health Report, Scrutinizer. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Cisco ASA NetFlow supports bidirectional flows”

  1. McBean Says:
    November 20th, 2009 at 12:40 pm

    How do we really know that is a picture of your ASA? It could be any ASA! Please post another picture with the ASA holding today’s newspaper!

  2. mike@plixer.com Says:
    November 21st, 2009 at 5:28 am

    We have been getting a few calls with questions on the uniqueness of the NetFlows exported by the Cisco ASA. Check out this PDF:
    http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

Leave a Reply