Hi there all! Another week is coming to close and I hope its been a good one. With the Cisco ASA being the hot topic for the past couple months, I wanted to share this blog with you.
This is a very important topic, since this will help you understand how the ASA reports conversations differently from other switch/router counterparts. Let’s take a look:
Undirectional NetFlow:
Traditionally, NetFlow is a unidirectional technology. As an example, when host A sends traffic to host B, this will create a single flow. When host B replies, a second flow is created within the router cache. So using that example, conversation A –> B creates a flow of 500kb. The return reply from B –> A will create a separate flow of 75kb.
Bidirectional NetFlow:
As of today, I’ve only ever seen bidirectional flows from the Cisco ASA. To summarize though: instead of getting two flows as illustrated above, you will only get one flow from the host who initiated the conversation. However, within that one flow, you will have the correct total of traffic for the connection and reply. So take the conversation I used in the example of Unidirectional Flows: A –>B = 500kb, B –> A = 75kb
Since there is only one flow created, this one flow will present the total of 575kb, A –> B = 575kb, instead of breaking into two summaries.
This is a strange way of rendering a flow, if you want my opinion. I’m not sure why Cisco decided to implement this, since it makes it tougher to figure out the flow direction.
“So this 575kb conversation, is this from A –> B or is this B –> A?”
Regardless,we should be grateful to have a firewall exporting NetFlow in the first place and I’m sure everyone else feels the same way…
If you would like more information regarding the unique properties of the ASA, please give us a call and we’ll be happy to help.
Ryan
For a free 30 day trial of Scrutinizer, Download Now!
Sign up for Advanced NetFlow Training™ coming to a city near you!
Read more »
