Cisco ASA 5512-X Adaptive Security Appliance
Cisco ASA NetFlow Implementation Guide
About NSEL
Flow Update Records and Failover
The ASA attempts to keep flow update records consistent before and after failover. After failover
occurs, all flow update records are based on the last update from the previously active ASA. This update
occurs every 15 seconds as long as traffic is flowing. Inaccuracies may appear in flow update records if
the units of a failover pair are brought up at different times, or if failover occurs before the active ASA
has had a chance to send a periodic update to the standby ASA.
Flow Update Events and Clustering
Flow update events interact with clustering differently than they do with failover. In clustering, before
flow ownership changes, the flow director holds only a stub copy of the original flow, which does not have
the active refresh timer set. Only after the original flow owner goes down is a full flow copy generated
with the active refresh timer set. As a result, a noticeable time offset is likely between when the flow
update timer fires on the original flow owner and when it fires on the new flow owner.
After flow ownership changes in a cluster, all flow-update records are based on the last update that the
flow director received. Flow information is updated every 15 seconds as long as there is traffic.
Maintenance of up-to-date flow information uses the same methods as those provided for failover.
NetFlow and Failover
NetFlow data records and templates are only sent from the active (primary) ASA in an active-standby
failover pair. The standby (secondary) ASA does not send any NetFlow-related information. However,
after failover, the secondary ASA starts to send templates and NetFlow records for any replicated or new
flows. The source IP address for each NetFlow collector connection is the same between the two ASAs,
but the source port varies. This means that the NetFlow collectors are capable of differentiating packets
sent from the primary unit and the secondary unit.
In an active-active failover pair, both ASAs may send NetFlow data records and templates
simultaneously. For each context, only the unit that is active for that context sends NetFlow packets;
the standby unit does not, much as in active-standby scenarios. The source IP address for each NetFlow
collector connection is the same for an ASA context and its copy, but the source port varies.
Each ASA node (context) in the failover pair establishes its own connection to the NetFlow collector(s)
and advertises its templates independently. The collector uses the source IP address and source port of
the packet to differentiate between the NetFlow exporters.
NetFlow and Clustering
NetFlow is supported on both management and regular data interfaces; however, we recommend that you
use management interfaces. When the NetFlow collector connection is configured on management-only
interfaces, each ASA in the cluster uses its own per-unit source IP address and source port to send
NetFlow packets. NetFlow may also be used on data interfaces in either layer 2 or layer 3 mode. For
data interfaces in layer 2 mode, each ASA in the cluster has the same source IP address, but the source
port is different. Although layer 2 mode is designed to make a cluster appear as a single device, a
NetFlow collector can still differentiate between the nodes in the cluster. For data interfaces in layer
3 mode, NetFlow operates the same way as it does on management-only interfaces.
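A collector-side sketch of the behaviour described in the failover and clustering sections above: exporters are told apart by (source IP, source port), each exporter's templates are tracked separately so a record is never decoded with the other unit's template, and an exporter that falls silent for more than two 15-second update intervals is reported as stale. This is an added example, not Cisco code or anything from the guide; the IP address, source ports, template id and timeline are constructed.

```python
from dataclasses import dataclass, field

UPDATE_INTERVAL = 15  # seconds between ASA flow update records, per the guide


@dataclass
class Exporter:
    templates: dict = field(default_factory=dict)  # template id -> field names
    last_seen: float = 0.0


@dataclass
class Collector:
    # Keyed by (source IP, source port): the guide says the collector tells units apart by these.
    exporters: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def on_template(self, src_ip, src_port, template_id, fields, now):
        key = (src_ip, src_port)
        exp = self.exporters.setdefault(key, Exporter())
        # A new port on a known IP is how the standby unit (or a layer 2 cluster node) shows up.
        siblings = [k for k in self.exporters if k[0] == src_ip and k != key]
        if not exp.templates and siblings:
            self.events.append(("new-exporter-same-ip", key, siblings))
        exp.templates[template_id] = fields
        exp.last_seen = now

    def on_data(self, src_ip, src_port, template_id, now):
        exp = self.exporters.get((src_ip, src_port))
        if exp is None or template_id not in exp.templates:
            # Never reuse the other unit's template just because the IP matches.
            self.events.append(("unknown-template", (src_ip, src_port), template_id))
            return False
        exp.last_seen = now
        return True

    def stale_exporters(self, now, grace=2):
        """Exporters silent for more than `grace` update intervals."""
        return [k for k, e in self.exporters.items()
                if now - e.last_seen > grace * UPDATE_INTERVAL]


def simulate_failover():
    """Constructed timeline: primary exports, then the secondary takes over."""
    c = Collector()
    c.on_template("10.0.0.1", 40001, 256, ["srcaddr", "dstaddr"], now=0)
    c.on_data("10.0.0.1", 40001, 256, now=15)
    # Failover: same IP, new source port; templates must be re-advertised before data decodes.
    before = c.on_data("10.0.0.1", 40002, 256, now=31)
    c.on_template("10.0.0.1", 40002, 256, ["srcaddr", "dstaddr"], now=31)
    after = c.on_data("10.0.0.1", 40002, 256, now=46)
    return c, before, after
```

Calling `simulate_failover()` returns the collector plus the two decode results: the first data record from the new port is rejected until that exporter advertises its template, and `stale_exporters(now=61)` lists only the old primary's (IP, port).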