DX Unified Infrastructure Management

  • 1.  [NFA] Anybody tips and tricks for Cisco ASA configuration?

    Posted Dec 03, 2014 11:33 AM

    Hello everybody,

     

    I would need some tips and tricks or maybe specific configuration settings that could help me monitor a Cisco ASA firewall with CA NFA.

     

    We do have the latest NFA version 9.2.1 and still we don't see any data in NFA. The router doesn't even appear in the "Enable Interfaces" list.

    We see flow data and also the Templates in Wireshark on the Harvester, but the reports are still empty.

     

    NFA: 9.2.1

    Firmware Cisco ASA: 9.1(5)12

    Template Timeout Rate: 1 minute

    Flow Update Interval: 1 minute

     

     

    Does anybody have experience with these ASA firewalls and could tell us the exact settings we have to make in the configuration of the ASA firewalls or in NFA?

    Any advice is very welcome.

     

    Thank you very much in advance.

     

    Best regards

    Kristian



  • 2.  Re: [NFA] Anybody tips and tricks for Cisco ASA configuration?

    Posted Dec 03, 2014 11:56 AM

    Have you looked at How To Enable NetFlow? Search for ASA on the page and you should find some config instructions.

     

    If you eventually find out that it's missing something or out of date, PLEASE, PLEASE update it. That document is community maintained without much help from CA, but it's one of the most useful compendiums we have.



  • 3.  Re: [NFA] Anybody tips and tricks for Cisco ASA configuration?

    Posted Dec 05, 2014 05:13 AM

    Hi Stuart,

     

    Thank you very much for your quick reply. I wasn't aware that the community has such an interesting document, so thank you very much for sharing it. I think this document is a very good idea and I hope it will be kept up to date for a long time by many users.

    Following the advice from that document, it seems we set up everything correctly. Everything was set exactly like in the documentation. Only the timing settings were slightly different, but even after changing the timing settings to the values from the document there was no Flow Data in the reports.

     

    By the way it is an ASA 5520 from Cisco.

     

    So we are running out of ideas. Is there something else we can test or try?

     

    Thanks so far and kind regards

    Kristian



  • 4.  Re: [NFA] Anybody tips and tricks for Cisco ASA configuration?

    Broadcom Employee
    Posted Dec 08, 2014 10:09 AM

    Is the device showing up in Admin->Enable interfaces at all?

     

    Is it enabled and/or licensed?

     

    If it's showing up in Enable Interfaces, you can try deleting it from there.

     

    Also on the Harvester you can try deleting the device from the Harvester database:

     

    mysql -P 3308 harvester

     

    delete from routers where router=inet_aton('x.x.x.x');

     

    delete from interfaces where router=inet_aton('x.x.x.x');

     

    Then recycle the Harvester service and check to see if the device shows up in the Enable interfaces screen after about 15-30 minutes.



  • 5.  Re: [NFA] Anybody tips and tricks for Cisco ASA configuration?

    Posted Dec 08, 2014 11:16 AM

    Hi Christopher,

     

    > Is the device showing up in Admin->Enable interfaces at all?

    No, unfortunately not.

    I forgot to mention that in the initial description, but added that information now.

     

    We also tried deleting the router from the Harvester's database without success. However, as this was a while ago, I'm not sure anymore if we also recycled the Harvester service. We will try that again.

     

    Thank you so far for your ideas.

     

    -------------------------

     

    Does somebody have general tips for the configuration of the ASA firewall and can provide some settings that worked for him?

     

    Kind regards

    Kristian