Cisco ASA Firewall Device not showing Netflow data in NFA

Document ID : KB000029462
Last Modified Date : 14/02/2018

Problem:

There is a known issue with Cisco ASA firewall devices running ASA software version 8.4.5 and newer where NetFlow data will not be displayed.

This is caused by a change in the way Cisco exports NetFlow (NetFlow Secure Event Logging, NSEL) data from newer ASA firewall devices.

Specifically, the single "Octets" byte-count field has been replaced by two new fields:

231 - FW_INITIATOR_OCTETS

232 - FW_RESPONDER_OCTETS

These fields were meant to give direction to the NetFlow data (bytes sent by each side of the connection); however, RA/NFA did not recognize them as valid NetFlow fields and discarded the records.

 

The link below documents the fields required in order to properly display NetFlow data in RA/NFA and how to verify that data:

https://communities.ca.com/web/ca-ehealth-and-ca-spectrum-global-user-community/message-board/-/message_boards/message/101607826?&#p_19

If you follow the steps in that document to capture and decode the NetFlow export from an ASA firewall, you will see that there is no field called just "Octets", which is why the data is discarded.
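The decoding step described above, as an added example that is not part of this KB article or of CA's product code: a minimal NetFlow v9 parser in Python that builds two constructed export packets (a router-style template carrying field 1, the plain "Octets"/IN_BYTES counter, and an ASA-style template carrying fields 231 and 232), lists which byte-count fields each template advertises, and then runs both packets through two collector policies: the legacy one the article describes (only field 1 accepted, so the ASA record is discarded) and an NSEL-aware one that sums 231 and 232. The header and FlowSet layout is the standard NetFlow v9 format; the field numbers and the 8-byte width for 231/232 are assumptions taken from Cisco's published numbering; the sample flows are constructed, not captured.

```python
import struct

# NetFlow v9 field type numbers (assumption: Cisco's standard numbering; 231 and
# 232 are the ASA NSEL byte counters named in the article).
IN_BYTES, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR = 1, 4, 7, 8
L4_DST_PORT, IPV4_DST_ADDR = 11, 12
FW_INITIATOR_OCTETS, FW_RESPONDER_OCTETS = 231, 232


def build_v9_packet(template_id, fields, records, seq=1, source_id=0):
    """Build a v9 export: 20-byte header, one template FlowSet (id 0), one data FlowSet."""
    tmpl = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        tmpl += struct.pack("!HH", ftype, flen)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(rec[ftype].to_bytes(flen, "big")
                    for rec in records for ftype, flen in fields)
    pad = (-len(data)) % 4                       # FlowSets are padded to 32 bits
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(records), 0, 0, seq, source_id)
    return header + tmpl_fs + data_fs


def parse_v9(packet):
    """Decode one packet -> ({template_id: [(type, len), ...]}, [{type: int, ...}, ...])."""
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                            # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if tid == 0 and nfields == 0:     # hit trailing padding
                    break
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                        # data FlowSet
            fields = templates.get(fs_id)
            if fields is None:                    # template not seen yet: skip it
                off += fs_len
                continue
            rec_len, p = sum(flen for _, flen in fields), 0
            while p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[p:p + flen], "big")
                    p += flen
                records.append(rec)
        off += fs_len
    return templates, records


def byte_fields(fields):
    """Byte-count fields a template advertises; a template with none of them is dropped."""
    return sorted({f for f, _ in fields} & {IN_BYTES, FW_INITIATOR_OCTETS, FW_RESPONDER_OCTETS})


def collect(packet, nsel_aware):
    """Apply a collector's byte-field policy to every record in the packet.
    Returns (accepted, discarded): accepted is [(src, dst, octets)], discarded counts
    records with no usable byte field. nsel_aware=False models the pre-9.2.1
    behaviour described in the article (only field 1 accepted); True also sums 231 + 232."""
    _, records = parse_v9(packet)
    accepted, discarded = [], 0
    for rec in records:
        if IN_BYTES in rec:
            octets = rec[IN_BYTES]
        elif nsel_aware and (FW_INITIATOR_OCTETS in rec or FW_RESPONDER_OCTETS in rec):
            octets = rec.get(FW_INITIATOR_OCTETS, 0) + rec.get(FW_RESPONDER_OCTETS, 0)
        else:
            discarded += 1
            continue
        accepted.append((rec[IPV4_SRC_ADDR], rec[IPV4_DST_ADDR], octets))
    return accepted, discarded


def ip2int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


# Constructed sample exports (not captures). Field widths come from the template;
# the 8-byte width for 231/232 is an assumption matching Cisco's NSEL documentation.
ROUTER_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
                 (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_BYTES, 4)]
ASA_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
              (L4_DST_PORT, 2), (PROTOCOL, 1),
              (FW_INITIATOR_OCTETS, 8), (FW_RESPONDER_OCTETS, 8)]
FLOW = {IPV4_SRC_ADDR: ip2int("10.0.0.1"), IPV4_DST_ADDR: ip2int("192.0.2.10"),
        L4_SRC_PORT: 51515, L4_DST_PORT: 443, PROTOCOL: 6}
ROUTER_PACKET = build_v9_packet(256, ROUTER_FIELDS, [{**FLOW, IN_BYTES: 1500}])
ASA_PACKET = build_v9_packet(257, ASA_FIELDS,
                             [{**FLOW, FW_INITIATOR_OCTETS: 900, FW_RESPONDER_OCTETS: 60000}])

if __name__ == "__main__":
    for name, pkt in (("router", ROUTER_PACKET), ("asa", ASA_PACKET)):
        for tid, fields in parse_v9(pkt)[0].items():
            print(name, "template", tid, "byte fields:", byte_fields(fields))
        print(name, "legacy collector:", collect(pkt, nsel_aware=False))
        print(name, "NSEL-aware collector:", collect(pkt, nsel_aware=True))
```

Running the script shows the router template advertising `[1]` and the ASA template advertising `[231, 232]`; the legacy policy keeps the router flow (1500 octets) but discards the ASA flow, while the NSEL-aware policy reports the ASA flow as 60900 octets. The same `byte_fields` check applied to the templates decoded from a real capture is the quickest way to confirm whether an exporter is sending a byte field the collector understands.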


Solution:

Support for ASA firewall devices was added in NFA 9.2.1, released on October 17th, 2014.

NFA now supports the two NetFlow fields used by ASA firewall devices:

231 - FW_INITIATOR_OCTETS

232 - FW_RESPONDER_OCTETS

If you have ASA devices you wish to monitor, please upgrade to 9.2.1. If you are still on 9.1.3 or earlier, stop sending NetFlow from any ASA device until you upgrade to 9.2.1, as the unrecognized records can cause data loss for other interfaces.

 

More details can be found in the official 9.2.1 release announcement, CA Network Flow Analysis r9.2.1 General Availability.

The 9.2.1 Bookshelf can be found here.

For information on the migration path to 9.2.1, click here.