Cisco is known for rapidly rolling out enhancements to its product portfolio, and Cisco ASA 8.4(5) was recently released with a number of new features and security enhancements.

NetFlow Secure Event Logging (NSEL) has also been enhanced, and with the new Cisco ASA 8.4(5) NSEL export it is possible to visualize accurate IN and OUT traffic with ManageEngine NetFlow Analyzer.

Older IOS Version NSEL Limitations:

Cisco ASA monitoring through NSEL in its older versions had the following limitations:

1. The concept of ‘active timeout’ and ‘inactive timeout’, which allows flow data to be exported in a timely manner from IOS devices, did not exist for NetFlow packets exported from the Cisco ASA. This removed the possibility of comparing NetFlow statistics with other bandwidth monitoring tools that poll data at fixed intervals.

2. Flow packets were exported from the device only when events were triggered on the device (flow creation, denial of traffic, etc.).

3. The NetFlow packets exported from the Cisco ASA included bidirectional traffic information, i.e. the return traffic of an initiated conversation was not accounted as a separate conversation.

Cisco ASA 8.4(5) Enhancements:

With this latest IOS release, here is the good side:

  1. The active timeout concept is now introduced with the current IOS version. This means that long-lived flows are exported based on the timeout set. Set the active timeout to 1 minute (the default) to get accurate stats on monitoring tools. Now we can compare ASA traffic shown in NetFlow-based tools with other bandwidth monitoring tools based on data polling.
  2. New firewall event types and NAT (Network Address Translation) information are exported with these NSEL packets. You can see the event type and NAT reports in ManageEngine NetFlow Analyzer. Click here to know where to generate these reports.
  3. Issues related to bidirectional flows are fixed. NSEL packets now carry separate fields for the flows in each direction, which results in accurate traffic calculation in the analyzing tool.
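To make the first and third points concrete, here is an added illustration (not code from ManageEngine or Cisco) of what a collector sees for one long-lived flow. Without an active timeout the exporter emits a single record at teardown, so all of the flow's bytes land in the minute the connection closed and no polling-based tool will agree with the graph; with a 60-second active timeout the bytes are spread across update records, one per minute. The records are constructed, and the field names `initiator_bytes` / `responder_bytes` are chosen for readability, not taken from the NSEL template; the initiator is assumed to be the inside host so that its bytes count as OUT and the responder's as IN.

```python
"""Added illustration (not ManageEngine or Cisco code): per-minute byte
totals for one long-lived ASA flow with and without an active timeout.
Records are constructed; field names are not NSEL template element names."""
from collections import defaultdict

# Constructed 5-minute flow: an inside host (initiator) pulls a file from an
# outside server (responder). Bytes are assumed evenly spread over time.
SAMPLE_FLOW = {"start": 0, "end": 300,
               "initiator_bytes": 300_000, "responder_bytes": 3_000_000}


def export_records(flow, active_timeout=None):
    """Simulate the exporter. With no active timeout the flow yields a single
    teardown record carrying all bytes; with an active timeout of N seconds
    it yields an update record every N seconds plus a teardown record, each
    carrying only the bytes moved since the previous record."""
    duration = flow["end"] - flow["start"]

    def bytes_until(elapsed, key):
        # cumulative bytes in one direction after `elapsed` seconds
        return flow[key] * elapsed // duration

    records, prev = [], 0
    if active_timeout is not None:
        t = active_timeout
        while t < duration:
            records.append({
                "ts": flow["start"] + t, "event": "update",
                "initiator_bytes": bytes_until(t, "initiator_bytes")
                - bytes_until(prev, "initiator_bytes"),
                "responder_bytes": bytes_until(t, "responder_bytes")
                - bytes_until(prev, "responder_bytes"),
            })
            prev, t = t, t + active_timeout
    records.append({
        "ts": flow["end"], "event": "teardown",
        "initiator_bytes": flow["initiator_bytes"]
        - bytes_until(prev, "initiator_bytes"),
        "responder_bytes": flow["responder_bytes"]
        - bytes_until(prev, "responder_bytes"),
    })
    return records


def bucket_by_minute(records):
    """Credit each record's bytes to the minute its interval ends in, keeping
    the two directions apart: initiator bytes leave the inside network (OUT),
    responder bytes enter it (IN). A record exported at second t covers the
    interval ending at t, so (t - 1) // 60 is the minute it belongs to."""
    buckets = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        minute = (r["ts"] - 1) // 60
        buckets[minute]["out"] += r["initiator_bytes"]
        buckets[minute]["in"] += r["responder_bytes"]
    return dict(buckets)


def peak_minute(buckets):
    """Largest per-minute total (in + out): what a bandwidth graph built
    from these records would show as the flow's peak."""
    return max(b["in"] + b["out"] for b in buckets.values())


if __name__ == "__main__":
    for label, timeout in (("no active timeout", None),
                           ("60 s active timeout", 60)):
        buckets = bucket_by_minute(export_records(SAMPLE_FLOW, timeout))
        print(f"{label}: peak {peak_minute(buckets):,} B/min "
              f"across {len(buckets)} minute(s)")
```

Run it and the same 3.3 MB flow shows up either as one 3,300,000-byte spike in minute 4 or as a flat 660,000 bytes per minute for five minutes; only the second shape can be reconciled with a tool that polls interface counters every minute, which is why the 1-minute active timeout matters.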

Refer to this link to learn about the changes in the NSEL export.

ManageEngine NetFlow Analyzer and Cisco ASA monitoring:

We have many customers using the product for Cisco ASA monitoring, and with these enhancements in the Cisco ASA IOS release they can now use the product effectively for accurate reporting and billing.

After upgrading the IOS to the latest version, there will be reporting issues in ManageEngine NetFlow Analyzer because the exported NSEL fields have changed. As a monitoring tool vendor, we are making sure that our customers are not impacted by these changes. We have a patch for NetFlow Analyzer 9.7 Build 9700 to fix this reporting issue; refer to this link for more detail. After applying the patch, Cisco ASA devices with IOS 8.4(5) and above can be monitored with ease.


Praveen Kumar

NetFlow Analyzer Technical Team



vpraveenkumar@zohocorp.com

  1. Praveen Kumar V

    Yes, we have a fix for this ASA issue in 7.7 Build 7700. Please email us your contact details at nfs@manageengine.com, and we will send you a fix.

  2. William Rector

    Running ASA5510s, and recently upgraded to code version 9.1(2).
    This release seems to have introduced the same Netflow changes as the 8.4(5) listed above.
    We are running the 7700 version of Netflow Analyzer EE central reporting server with 7700 of the collector.
    Is there a fix available for the EE version of the Netflow tool?