Hello, As far as I know the ASA's Netflow implementation only reports closed flows, you don't get a report for active flows at regular intervals like in IOS routers.
Please correct me if I'm wrong though. There may have been updates to the ASA Netflow implementation in later ASA versions? If there is another way to solve this, then I'm very interested to hear about it! Kind Regards Erik Jans CCNP R&S -----Original Message----- From: Tom Sutherland [mailto:tsut...@gmail.com] Sent: den 26 januari 2015 17:47 To: Borja Marcos Cc: nfsen-discuss@lists.sourceforge.net Subject: Re: [Nfsen-discuss] Traffic spikes when monitoring ASAs Thanks. What you're saying makes sense, but there's no obvious command to modify a flow-related lifetime on my ASA. The "delay flow-create" can be set from <1-180> seconds. The "active refresh-interval" can be set from <1-60> minutes. The default is apparently 1 minute. Here are all possible ASA config command that contain the word "flow": fw(config)# show parser dump configure | i flow 1 clear configure flow-export destination 1 clear configure flow-export 15 help flow-export 0 no access-list deny-flow-max <1-0> 0 no access-list deny-flow-max 0 no logging flow-export-syslogs enable 0 no logging flow-export-syslogs disable 0 no flow-export enable 0 no flow-export destination <dynamic> <address> <1-0> 0 no flow-export template timeout-rate <1-0> 0 no flow-export delay flow-create <1-0> 0 no flow-export active refresh-interval <1-0> 0 no sysopt connection preserve-vpn-flows 0 no sysopt connection preserve-vpn-flows minimum <0-0> 0 no sysopt connection preserve-vpn-flows 15 access-list deny-flow-max <1-0> 15 access-list deny-flow-max 15 logging flow-export-syslogs enable 15 logging flow-export-syslogs disable 15 flow-export enable 15 flow-export destination <dynamic> <address> <1-0> 15 flow-export template timeout-rate <1-0> 15 flow-export delay flow-create <1-0> 15 flow-export active refresh-interval <1-0> 15 sysopt connection preserve-vpn-flows 15 sysopt connection preserve-vpn-flows minimum <0-0> 15 sysopt connection preserve-vpn-flows On 01/26/2015 10:54 AM, Borja Marcos wrote: > On Jan 26, 2015, at 4:38 PM, Tom Sutherland wrote: > >> All seems to be well in general, but seeing very large traffic (bps) spikes that exceed the interface capacity. The spikes do not appear to be real traffic and exceed the physical capacity of the interfaces. > Check your flow lifetime configuration. It should be shorter than the nfsen processing interval, which is 5 minutes. Otherwise, a flow lasting for several intervals will be reported when it expires, and often all the data gets accounted as belonging to the last time slot. > > > > > Borja. > ---------------------------------------------------------------------------- -- Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Nfsen-discuss mailing list Nfsen-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfsen-discuss ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Nfsen-discuss mailing list Nfsen-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
