[netsa-tools-discuss] SiLK not accepting Cisco FTD/ASA flows
Difan Zhao
difzhao at suncor.com
Wed Jul 16 13:18:00 EDT 2025
Hi team,
My name is Difan, and I am currently setting up a Netflow server for my company. My background is in networking, so please forgive me if I ask any basic questions.
The system is up and running, and it works well with our Cisco and Juniper routers and switches. However, I am having trouble getting the Cisco FTD Firewall to work. (Cisco FTD is the newer version of the ASA.) I have followed the SiLK FAQ (https://tools.netsa.cert.org/silk/faq.html#process-asa), but it hasn't resolved the issue. Below are the relevant configurations from sensor.conf and silk.conf. The sensor for the firewall is named "rogersPrdFw".
--- sensor.conf ---
probe probe_rogersPrdFw netflow-v9
    listen-on-port 9988
    protocol udp
    accept-from-host 10.146.64.116
    quirks firewall-event zero-packets
end probe

--- silk.conf ---
sensor 5 rogersPrdFw "cgy-gca-r0306-01-ngfw-prd-ha"

class all
    sensors cvrlWanDist cvrlWanDistA netflow1cisco netflow2juniper rogersPrdFw
end class
I have also been reviewing the rwflowpack logs:
Jul 16 17:07:10 grfprd003z rwflowpack[3428204]: 'probe_rogersPrdFw': accepted connection from 10.146.64.116:60395, domain 000000
Jul 16 17:07:10 grfprd003z rwflowpack[3428204]: 'probe_rogersPrdFw': noticed disconnect by 10.146.64.116:19124
Jul 16 17:07:10 grfprd003z rwflowpack[3428204]: NetFlow V9 sequence number mismatch for domain 0x0000, expecting 0x0000 received 0x0001
Jul 16 17:07:10 grfprd003z rwflowpack[3428204]: Ignoring template 0x0100: Template warning: Illegal length 12 for information element ciscoNetflowGeneric
<repeating...>
The sequence number error always shows the expected value as one less than the received value in the repeated messages.
Here is a packet capture of the flow packets. It was collected earlier on a different port (2055), but everything else remains the same:
https://www.dropbox.com/scl/fi/8qlgu1h4zfrw77t3pejog/fw-2055.pcap?rlkey=vnzxvrqimrn7tszzi2qwjwsxt&st=4te8505g&dl=0
Any help or guidance would be greatly appreciated.
Thanks,
Difan
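As an added example (not from the original post and not SiLK's own code): a small Python parser that pulls the sequence number and the template FlowSet field list out of a raw NetFlow v9 export packet, so the templates in a capture like the one above can be checked offline for the field lengths and sequence gaps a collector reports. The sample packets are constructed; FIXED_LENGTHS, build_template_packet and sequence_gaps are helpers assumed for this example.

```python
import struct

# NetFlow v9 packet header (RFC 3954): version, count, sysUpTime, unixSecs, sequence, sourceId
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9_templates(payload):
    """Return (sequence, source_id, {template_id: [(field_type, length), ...]})
    for every template FlowSet (FlowSet ID 0) in one NetFlow v9 export packet."""
    version, _count, _uptime, _secs, sequence, source_id = V9_HEADER.unpack_from(payload, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates, offset = {}, V9_HEADER.size
    while offset + 4 <= len(payload):
        flowset_id, flowset_len = struct.unpack_from("!HH", payload, offset)
        if flowset_len < 4:
            raise ValueError("FlowSet length shorter than its own header")
        if flowset_id == 0:  # a template FlowSet may carry several templates
            pos, end = offset + 4, offset + flowset_len
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", payload, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", payload, pos + 4 * i) for i in range(field_count)]
                pos += 4 * field_count
                templates[template_id] = fields
        offset += flowset_len
    return sequence, source_id, templates

# Fixed lengths of a few common RFC 3954 field types (assumed table for this example):
# 4 PROTOCOL, 7 L4_SRC_PORT, 8 IPV4_SRC_ADDR, 11 L4_DST_PORT, 12 IPV4_DST_ADDR
FIXED_LENGTHS = {4: 1, 7: 2, 8: 4, 11: 2, 12: 4}

def odd_fields(templates):
    """List (template_id, field_type, length) where the advertised length disagrees with FIXED_LENGTHS."""
    return [(tid, ft, ln) for tid, fields in templates.items() for ft, ln in fields
            if ft in FIXED_LENGTHS and ln != FIXED_LENGTHS[ft]]

def sequence_gaps(packets):
    """Report (expected, received) pairs where a packet's sequence number is not the previous one plus 1
    (RFC 3954 increments the sequence number by one per export packet)."""
    gaps, prev = [], None
    for pkt in packets:
        seq = parse_v9_templates(pkt)[0]
        if prev is not None and seq != prev + 1:
            gaps.append((prev + 1, seq))
        prev = seq
    return gaps

def build_template_packet(sequence, template_id, fields, source_id=0):
    """Constructed helper: wrap one template into a minimal v9 export packet (for offline testing)."""
    body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return V9_HEADER.pack(9, 1, 0, 0, sequence, source_id) + flowset
```

To inspect a real capture, feed each UDP payload from the pcap to parse_v9_templates and run odd_fields on the result.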