I just saw a tweet asking how NetFlow is handled on the ASA. Since Scrutinizer handles the flow from the ASA, I thought I would post the information I have from Cisco explaining how NetFlow is handled in the ASA.
The ASA only supports NetFlow version 9 and there are no plans to support NetFlow version 5. NetFlow on the ASA is event driven. Unlike routing platforms we do not send incremental updates; NSEL records are only sent during flow creation, teardown or ACL deny events. This is an issue as many customers expect to see flow information in real time; unfortunately this is not how NetFlow operates on the ASA. The total bytes transferred can only be seen after the flow is torn down and the NSEL record has been generated. Also unlike the routing platforms, we will not populate the ToS bits or the TCP flags. Lastly, all flows on the ASA are bidirectional. All counters for a flow will increase for traffic flowing from A->B or B->A.
- Template refresh records can only be sent based on time intervals, not based on number of data records. (Learn how to configure your ASA template intervals)
- NetFlow records cannot be seen live on the ASA as data is collected.
- NetFlow has a significant performance impact, but it should not be any worse than normal syslog operations of the same information. There will be an uptick in memory but it should also be minimal. NetFlow configured with overlapping syslogs can cause a significant performance hit.
A lot of customers are accustomed to the operation of NetFlow on Cisco routers and wish to implement NetFlow to see who is using bandwidth on the network. Unfortunately NetFlow on the ASA does not provide the ability to see this data in real time. The data can be collected after the flow has been terminated and analyzed, but we do not support real-time viewing of the NetFlow records.
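To make the collector-side consequences of the above concrete, here is an added example (my own code, not Cisco's and not part of Scrutinizer) that models how a collector has to treat NSEL records: byte counts are only trustworthy on teardown records, a flow that has been created but not torn down has no usable volume yet, and ACL deny events are a separate stream worth counting on their own. The records are a constructed, already-decoded sample (the field names `event`, `src`, `dst`, `dport` and `bytes` are this example's own, not NetFlow v9 element names); the event codes follow the NSEL NF_F_FW_EVENT values.

```python
"""Collector-side handling of Cisco ASA NSEL records (added example).

Models the behaviour described in the post: records arrive only on flow
creation, teardown and ACL deny; a byte counter appears only on teardown,
and that counter already covers both directions of the flow.  The records
below are a constructed sample of decoded records, not real NetFlow v9
export data, and the field names are this example's own.
"""
from collections import defaultdict

# NSEL NF_F_FW_EVENT codes used in this example.
FLOW_CREATED = 1
FLOW_DELETED = 2
FLOW_DENIED = 3

# Constructed sample: two inside hosts talking to one server, plus an
# outside host hitting an ACL deny twice.  Only teardown records carry
# a "bytes" field, mirroring what the ASA actually exports.
SAMPLE_RECORDS = [
    {"event": FLOW_CREATED, "src": "10.1.1.10", "dst": "192.0.2.5", "dport": 443},
    {"event": FLOW_CREATED, "src": "10.1.1.11", "dst": "192.0.2.5", "dport": 443},
    {"event": FLOW_DELETED, "src": "10.1.1.10", "dst": "192.0.2.5", "dport": 443, "bytes": 48000},
    {"event": FLOW_DENIED, "src": "198.51.100.7", "dst": "10.1.1.10", "dport": 3389},
    {"event": FLOW_DENIED, "src": "198.51.100.7", "dst": "10.1.1.11", "dport": 3389},
    {"event": FLOW_DELETED, "src": "10.1.1.11", "dst": "192.0.2.5", "dport": 443, "bytes": 12000},
]


def summarize(records):
    """Return (open_flow_count, bytes_per_host, denies_per_source).

    open_flow_count: flows created but not yet torn down.  Their volume is
        unknown until the teardown record arrives, which is why the ASA
        cannot give a real-time bandwidth view.
    bytes_per_host: total bytes per inside host, taken only from teardown
        records.  Because ASA counters are bidirectional, each figure is
        the flow's combined A->B plus B->A volume, not a per-direction split.
    denies_per_source: number of ACL deny events per source address.
    """
    open_flows = set()
    bytes_per_host = defaultdict(int)
    denies_per_source = defaultdict(int)

    for rec in records:
        key = (rec["src"], rec["dst"], rec["dport"])
        if rec["event"] == FLOW_CREATED:
            # No counters yet: the flow is merely known to exist.
            open_flows.add(key)
        elif rec["event"] == FLOW_DELETED:
            # The teardown record is the only place the total appears.
            open_flows.discard(key)
            bytes_per_host[rec["src"]] += rec.get("bytes", 0)
        elif rec["event"] == FLOW_DENIED:
            # Denies never become flows; track them separately.
            denies_per_source[rec["src"]] += 1

    return len(open_flows), dict(bytes_per_host), dict(denies_per_source)


if __name__ == "__main__":
    # After only the two creation records, nothing can be said about volume.
    print(summarize(SAMPLE_RECORDS[:2]))
    # After all records, both flows are closed and the totals are known.
    print(summarize(SAMPLE_RECORDS))
```

Running it shows the gap the post is describing: after the creation records the collector knows two flows exist but has no bytes to report, and the per-host totals only appear once the teardown records have been processed.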
The good news is that you can start to see traffic patterns from the ASA and utilize the NetFlow information from the ASA. You can also combine the syslog monitoring with Logalot to get a better view of all of your ASA events.
Read about configuring NetFlow on the ASA.
May 29th, 2012 Cisco ASA UPDATE: New Cisco NSEL Reports in Scrutinizer v9. Check them out.