If you have configured a Cisco ASA firewall to send NetFlow data to Intermapper Flows, you may see the following symptoms:

  • No data appears in the table or the graph.
  • The firewall is listed as an exporter in the Flows Settings window.
  • There is a value for total v9 flows.
  • A tcpdump shows packets are arriving on UDP port 2055 on the Flows server.

This is a known problem with the Cisco ASA firewall. It appears that the ASA actually cannot do NetFlow v9, and NetFlow v5 is not an option with this firewall.

NetFlow Secure Event Logging (NSEL) sends a flow record when a flow begins (flow-create), when a flow is denied (flow-denied), and when the flow has ended (flow-teardown). There are no intermediate flow records to show the progress of a transfer.

Consequently, the NetFlow information will not be useful for long-duration flows, as there will be a huge spike in traffic shown at the end, with no traffic in the middle.
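The effect described above, as an added example that is not part of the original FAQ or Intermapper's code: constructed, simplified NSEL-style events are binned the way a collector would see them (all bytes counted at teardown), then re-spread evenly over each flow's lifetime. The field names, the 60-second interval and the even-spread assumption are illustrative.

```python
from collections import defaultdict

# Constructed, simplified NSEL-style events (not real ASA output). Field names
# are assumptions: "t" is seconds since start, "bytes" is set only on teardown.
EVENTS = [
    {"flow": "A", "event": "flow-create",   "t": 0},
    {"flow": "B", "event": "flow-create",   "t": 70},
    {"flow": "B", "event": "flow-teardown", "t": 100, "bytes": 3_000},
    {"flow": "C", "event": "flow-denied",   "t": 130},
    {"flow": "A", "event": "flow-teardown", "t": 600, "bytes": 600_000},
]

BIN = 60  # seconds per graph interval (assumed)


def bin_at_teardown(events):
    """Assumed collector view: all bytes land in the teardown interval."""
    series = defaultdict(int)
    for e in events:
        if e["event"] == "flow-teardown":
            series[e["t"] // BIN] += e["bytes"]
    return dict(series)


def spread_over_lifetime(events):
    """Pair create/teardown and spread bytes evenly over the flow's lifetime."""
    created, series = {}, defaultdict(float)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["event"] == "flow-create":
            created[e["flow"]] = e["t"]
        elif e["event"] == "flow-teardown":
            start = created.pop(e["flow"], e["t"])  # no create seen: keep spike
            end = e["t"]
            if end == start:
                series[end // BIN] += e["bytes"]
                continue
            rate = e["bytes"] / (end - start)
            t = start
            while t < end:  # walk interval by interval up to the teardown time
                nxt = min(end, (t // BIN + 1) * BIN)
                series[t // BIN] += rate * (nxt - t)
                t = nxt
    return dict(series)
```

Flow A's 600,000 bytes appear only in interval 10 in the first view, while the second view shows a steady 60,000 bytes per interval across intervals 0 to 9.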

Note: Using a software exporter and a managed switch as a network tap could offer a solution (see other FAQs).



Last Modified On: February 22, 2019