Tech Tips: ASA Firewall IOS version 8.4.5 and newer show no data in RA/NFA.

Document created by Christopher_Walsh Employee on Aug 7, 2014Last modified by Christopher_Walsh Employee on Oct 24, 2014
Version 5Show Document
  • View in full screen mode

Problem:

There is a known issue with Cisco ASA Firewall devices with an IOS version of 8.4.5 and newer where NetFlow data will not be displayed.

This is caused by a change in the way Cisco sends NetFlow data from newer ASA Firewall devices.

 

They specifically have converted the "Octects" field into two new files called, "231 - FW_INITIATOR_OCTETS" and "232 - FW_RESPONDER_OCTETS".

 

These fields were meant to give directionality to the NetFlow data, however RA/NFA does not yet recognize these as valid netflow fields and discards the data.

 

In the link below, we document the required fields needed in order to properly display NetFlow data in RA/NFA and how to verify that data:

https://communities.ca.com/web/ca-ehealth-and-ca-spectrum-global-user-community/message-board/-/message_boards/message/101607826?&#p_19

 

If you follow the steps from the doc above to run and decode the NetFlow from an ASA firewall you will see that there is no field called just "Octects" which is the reason why data is discarded.

 

Solution:

This has been fixed with the release of NFA 9.2.1 Released on October 17th, 2014.

We now support the two new NetFlow fields "231 - FW_INITIATOR_OCTETS" and "232 - FW_RESPONDER_OCTETS".

 

If you have ASA devices you wish to monitor please upgrade to 9.2.1, if you are still on 9.1.3 you should stop sending NetFlow from any ASA device until you upgrade to 9.2.1 as it can cause data loss for other interfaces.

 

The official 9.2.1 Release Announcement here here CA Network Flow Analysis r9.2.1 General Availability

 

The link to the 9.2.1 Bookshelf can be found here.

Attachments

    Outcomes