Cisco ASA for Nexus 1000V Series Switch
Cisco ASA NetFlow Implementation Guide
About NSEL
Event Time Field
Each NSEL data record has the event time field (NF_F_EVENT_TIME_MSEC), which is the time that
the event occurred in milliseconds. The NetFlow packet may consist of multiple events; however, the
time that the packet is sent does not represent the time that the event occurred, because the NetFlow
service waits for multiple events to pack the NetFlow packet.
Note
Different events in the life of a flow may be issued in separate NetFlow packets and may arrive
out-of-order at the collector. For example, the packet containing a flow teardown event may reach the
collector before the packet containing a flow creation event. As a result, it is important that collector
applications use the Event Time field to correlate events.
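The note above is the whole reason a collector must key on NF_F_EVENT_TIME_MSEC rather than on packet arrival. The following is an added example (not code from the Cisco guide) of a collector-side routine that groups already-decoded NSEL records per flow, orders each flow's events by the event time field, and computes the flow lifetime even when the teardown record arrived in an earlier NetFlow packet than the creation record. The record layout, the flow key fields, and the numeric NF_F_FW_EVENT codes are assumptions for this demo; the input records are constructed.

```python
from collections import defaultdict

# Assumed NF_F_FW_EVENT codes for this example only; check them against
# the guide's event code table before relying on them.
FW_EVENT_CREATED = 1
FW_EVENT_DELETED = 2
FW_EVENT_DENIED = 3

# Constructed, already-decoded NSEL records, listed in the order the
# collector RECEIVED them: the teardown of the 10.0.0.5 flow arrived in
# packet 1, its creation only in packet 2, exactly the case in the note.
RECEIVED_RECORDS = [
    {"pkt_seq": 1, "NF_F_EVENT_TIME_MSEC": 1700000005000, "NF_F_FW_EVENT": FW_EVENT_DELETED,
     "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 443, "proto": 6},
    {"pkt_seq": 1, "NF_F_EVENT_TIME_MSEC": 1700000001250, "NF_F_FW_EVENT": FW_EVENT_DENIED,
     "src": "10.0.0.7", "sport": 40000, "dst": "203.0.113.9", "dport": 23, "proto": 6},
    {"pkt_seq": 2, "NF_F_EVENT_TIME_MSEC": 1700000000000, "NF_F_FW_EVENT": FW_EVENT_CREATED,
     "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 443, "proto": 6},
]


def flow_key(rec):
    """5-tuple used to tie the events of one flow together (assumed key)."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def correlate_by_event_time(records):
    """Group records per flow and order each flow's events by
    NF_F_EVENT_TIME_MSEC, ignoring the order the packets arrived in."""
    flows = defaultdict(list)
    for rec in records:
        flows[flow_key(rec)].append(rec)
    for key in flows:
        flows[key].sort(key=lambda r: r["NF_F_EVENT_TIME_MSEC"])
    return dict(flows)


def flow_lifetime_ms(events):
    """Creation-to-teardown duration in ms, or None if either event is missing
    (a denied flow, or a flow whose creation record has not arrived yet)."""
    created = [e for e in events if e["NF_F_FW_EVENT"] == FW_EVENT_CREATED]
    deleted = [e for e in events if e["NF_F_FW_EVENT"] == FW_EVENT_DELETED]
    if not created or not deleted:
        return None
    return deleted[-1]["NF_F_EVENT_TIME_MSEC"] - created[0]["NF_F_EVENT_TIME_MSEC"]


def arrival_order_is_misleading(records):
    """True when some flow's teardown arrived before its creation event, i.e.
    a collector sequencing on packet arrival would mis-order that flow."""
    seen_deleted = set()
    for rec in records:  # iterate in arrival order
        key = flow_key(rec)
        if rec["NF_F_FW_EVENT"] == FW_EVENT_DELETED:
            seen_deleted.add(key)
        elif rec["NF_F_FW_EVENT"] == FW_EVENT_CREATED and key in seen_deleted:
            return True
    return False


if __name__ == "__main__":
    for key, events in correlate_by_event_time(RECEIVED_RECORDS).items():
        codes = [e["NF_F_FW_EVENT"] for e in events]
        print(key, codes, "lifetime_ms =", flow_lifetime_ms(events))
```

Sorting on the event time field yields the creation event first and a 5000 ms lifetime for the 10.0.0.5 flow, whereas arrival order would have shown the teardown first; the denied flow has no lifetime because it was never created.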
Data Records and Templates
Templates describe the format of data records that are exported through NetFlow. Each flow event has
several record formats or templates associated with it:
• There are different templates for different events.
• There are different templates for IPv4 and IPv6 flows under each event type.
• There are different templates for IPV44, IPV46, IPV64, and IPV66 flows under each event type.
• The flow creation event has different templates, which are based on the size of the username field associated with the flow. Different templates are required because the size of string fields is fixed in NetFlow. Having a single template with the largest possible size for strings would waste bandwidth, because most strings are far shorter than the maximum value. Two types of username fields are defined, which result in two types of templates in each category.
  – A common username size for usernames that are less than 20 characters
  – A maximum username size for usernames that are up to a maximum of 65 characters
  – Each template has the Event Type and Extended Event Type fields, which can interpret or act on the event.
• The flow denied and flow deletion events have IPV46 and IPV64 templates in which the destination IP address has been translated by a NAT rule, but the source IP address has not been translated by a NAT rule; this results in different IP versions between the source and destination IP addresses. The
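To make the template mechanism concrete, here is an added example (not code from the Cisco guide) of a minimal NetFlow v9 encoder and template-driven decoder. It defines two flow creation templates that differ only in the fixed length of the username string field (20 versus 65 bytes, the two sizes listed above), encodes one record under each, and decodes them back; record_length shows the per-record bandwidth cost that motivates having two templates. The template IDs and the sample packet are constructed; the field type numbers for NF_F_EVENT_TIME_MSEC, NF_F_FW_EVENT, NF_F_FW_EXT_EVENT and NF_F_USERNAME are assumptions and should be checked against the guide's field table.

```python
import struct

# Field type numbers are ASSUMED for this example; verify them against the
# guide's NetFlow field table before relying on them.
FT_EVENT_TIME_MSEC = 323     # NF_F_EVENT_TIME_MSEC, 8-byte unsigned
FT_FW_EVENT = 233            # NF_F_FW_EVENT, 1 byte
FT_FW_EXT_EVENT = 33002      # NF_F_FW_EXT_EVENT, 2 bytes
FT_USERNAME = 40000          # NF_F_USERNAME, fixed-length string
FIELD_NAMES = {FT_EVENT_TIME_MSEC: "NF_F_EVENT_TIME_MSEC", FT_FW_EVENT: "NF_F_FW_EVENT",
               FT_FW_EXT_EVENT: "NF_F_FW_EXT_EVENT", FT_USERNAME: "NF_F_USERNAME"}

# Template IDs are constructed (v9 data template IDs start at 256).
TID_USERNAME_COMMON = 256
TID_USERNAME_MAX = 257
COMMON_FIELDS = [(FT_EVENT_TIME_MSEC, 8), (FT_FW_EVENT, 1), (FT_FW_EXT_EVENT, 2)]
TEMPLATES = {
    TID_USERNAME_COMMON: COMMON_FIELDS + [(FT_USERNAME, 20)],  # usernames under 20 chars
    TID_USERNAME_MAX: COMMON_FIELDS + [(FT_USERNAME, 65)],     # usernames up to 65 chars
}


def record_length(fields):
    """Bytes per data record under a template: the sum of its fixed field
    lengths, which is why the string size has to be chosen per template."""
    return sum(flen for _, flen in fields)


def build_template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body  # flowset ID 0 = template


def build_data_flowset(template_id, values):
    body = b""
    for (ftype, flen), val in zip(TEMPLATES[template_id], values):
        if ftype == FT_USERNAME:
            raw = val.encode("ascii")
            if len(raw) > flen:
                raise ValueError("username longer than the template's string field")
            body += raw.ljust(flen, b"\x00")   # fixed-size, NUL padded
        else:
            body += val.to_bytes(flen, "big")
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_v9_packet(flowsets):
    # 20-byte v9 header: version, count, sysUptime, unix secs, sequence, source ID.
    # The count field is not consulted by the decoder below.
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 1700000000, 1, 0) + b"".join(flowsets)


def _learn_templates(body, templates):
    off = 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack("!HH", body[off:off + 4])
        off += 4
        templates[tid] = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                          for i in range(nfields)]
        off += 4 * nfields


def _decode_data(tid, body, templates):
    fields = templates.get(tid)
    if fields is None:
        return []  # template not yet seen: a real collector buffers until it arrives
    rlen = record_length(fields)
    records, off = [], 0
    while off + rlen <= len(body):
        rec = {}
        for ftype, flen in fields:
            chunk = body[off:off + flen]
            name = FIELD_NAMES.get(ftype, ftype)
            rec[name] = (chunk.rstrip(b"\x00").decode("ascii") if ftype == FT_USERNAME
                         else int.from_bytes(chunk, "big"))
            off += flen
        records.append(rec)
    return records


def decode_v9(payload, templates=None):
    """Walk the flowsets in order: templates seen earlier decode later data flowsets."""
    templates = {} if templates is None else templates
    version, _count = struct.unpack("!HH", payload[:4])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:
            _learn_templates(body, templates)
        elif fs_id >= 256:
            records.extend(_decode_data(fs_id, body, templates))
        off += fs_len
    return records


def build_sample_packet():
    """Constructed packet: both username templates, then one record under each."""
    return build_v9_packet([
        build_template_flowset(TID_USERNAME_COMMON, TEMPLATES[TID_USERNAME_COMMON]),
        build_template_flowset(TID_USERNAME_MAX, TEMPLATES[TID_USERNAME_MAX]),
        build_data_flowset(TID_USERNAME_COMMON, [1700000000123, 1, 0, "alice"]),
        build_data_flowset(TID_USERNAME_MAX, [1700000000456, 1, 0, "x" * 40]),
    ])


if __name__ == "__main__":
    for rec in decode_v9(build_sample_packet()):
        print(rec)
```

A record under the common template costs 31 bytes and one under the maximum template 76 bytes, so exporting every creation event with the 65-byte field would add 45 bytes per record for the majority of short usernames. The decoder also illustrates the ordering dependency: a data flowset whose template has not been received decodes to nothing, so collectors must cache templates across packets.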
Table 4   Values for Extended Event IDs (continued)

Extended Event ID   Event          Description
1003                Flow denied    Possible reasons include the following:
                                   • An attempt to connect to the ASA interface was denied.
                                   • The ICMP packet to the device was denied.
                                   • The ICMPv6 packet to the device was denied.
1004                Flow denied    The first packet on the TCP was not a TCP SYN packet.
> 2000              Flow deleted   Values above 2000 represent various reasons why a flow was terminated.