Showing results for 
Show  only  | Search instead for 
Did you mean: 

NPM Netflow Cisco ASA 5525 Firewall



Has a netflow feed from a Cisco 5525 been tested? would taking data from this source not import correctly or would this need an API to use the netflow data ?


The following is sample output from the show flow-export counters command, which shows runtime counters that are associated with NetFlow data:
ciscoasa# show flow-export counters destination: inside 2055 Statistics: packets sent 1000 Errors: block allocation failure 0 invalid interface 0 template send failure 0 no route to collector 0 source port allocation 0


HI Michael,

The 5525 is an ASA device and uses NetFlow security event log (NSEL), and this is not currently supported by the DC RUM flow collector. This is because the flow sets they use are created form syslog as opposed to the packet usage information, based on timer expiration, as we’d expect to see in standard NetFlow v9 and IPFIX, they use different templates, fields and records.

NSEL is also stateful looking for trigger event situations and because the ASA implementation of NSEL is a stateful, it only exports those records that indicate significant events in a flow. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are used to export data about flow status, and are triggered by the event that caused the state change, and not specifically traffic flow and usage data. The significant events that are tracked include flow-create, flow-teardown, and flow-denied (excluding those flows that are denied by EtherType ACLs).