[netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue

Evgeniy Sudyr eject.in.ua at gmail.com
Thu Sep 10 12:24:23 EDT 2015 

Hi I seen someone got ASA netflow working with rwflowpack there
http://comments.gmane.org/gmane.comp.networking.netsa.tools/107 .

I'm trying to get it working in lab with ASA5515-X (Netflow V9), and my
config looks good
however I'm getting no data, but errors in log.

After start rwflowpack catches template packet and starts complaining.

Log:

Sep 10 18:14:56 debian rwflowpack[39558]:
IGNORED|192.168.0.248|85.126.xx.xx|52006|80|6|0|0|no forward/reverse octets|
Sep 10 18:14:56 debian rwflowpack[39558]:
IGNORED|178.124.xx.xx|185.56.xx.xx|63034|1777|6|0|65|no forward/reverse
packets|
Sep 10 18:14:56 debian rwflowpack[39558]:


I'm starting rwflowpack with:

rwflowpack --input-mode=stream --sensor-configuration=/opt/silk/sensor.conf
--root-directory=/opt/silk/data/ --compression-method=best
--site-config-file=/opt/silk/silk.conf --log-destination=/opt/silk/silk.log

$ cat silk.conf

version 2
sensor 0 S0    "Description for sensor S0"
sensor 1 S1
sensor 2 S2    "Optional description for sensor S2"
sensor 3 S3
sensor 4 S4
sensor 5 S5
sensor 6 S6
sensor 7 S7
sensor 8 S8
sensor 9 S9
sensor 10 S10
sensor 11 S11
sensor 12 S12
sensor 13 S13
sensor 14 S14
class all
    sensors S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14
end class
class all
    type  0 in      in
    type  1 out     out
    type  2 inweb   iw
    type  3 outweb  ow
    type  4 innull  innull
    type  5 outnull outnull
    type  6 int2int int2int
    type  7 ext2ext ext2ext
    type  8 inicmp  inicmp
    type  9 outicmp outicmp
    type 10 other   other
    default-types in inweb inicmp
end class
default-class all
packing-logic "packlogic-twoway.so"


$ cat sensor.conf

group G1
     ipblocks 192.168.0.0/16 10.0.0.0/8
end group

probe P1 netflow-v9
        listen-on-port 9996
        protocol udp
        accept-from-host 192.168.1.1
        log-flags bad
end probe

sensor S0
      netflow-v9-probes P1
      internal-ipblocks 192.168.0.0/16 10.0.0.0/8
      external-ipblocks remainder
end sensor


Any help is appreciate!

Working configs for ASA and Netflow v9 will help much more.

--
With regards,
Evgeniy
-------------- next part --------------
HTML attachment scrubbed and removed

More information about the netsa-tools-discuss mailing list