Cisco ASA 5545-X Adaptive Security Appliance - No Payload Encryption

Cisco ASA NetFlow Implementation Guide
 
  About NSEL
Templates for Flow Update Events
Flow update events indicate that a flow update timer has gone off for a flow or that a flow was torn down. This event functions as a periodic byte counter for flow traffic. Flow update events use the same templates as flow teardown events, excluding those for partial NAT translation. The NF_F_FWD_FLOW_DELTA_BYTES and NF_F_REV_FLOW_DELTA_BYTES fields contain the byte counts since the last timer interval. The NF_F_FW_EXT_EVENT field is not used and is ignored in flow update records. See Table 8 for the templates that are used for flow teardown events.
Flow Update (at timer) and Flow Update (at teardown) Events
The ASA sets flow update timers for flows passing through it, and when a timer goes off, NSEL issues flow update (at timer) records. If there is no activity on the flow for the configured time interval, no flow update (at timer) records are sent for that interval. A flow update (at teardown) record is sent with a flow teardown record to capture the traffic in the last time interval. No flow update (at teardown) record is sent if there is no traffic on the flow for the last interval. In addition, no flow update (at teardown) record is sent for short-lived flows (that is, if teardown occurs before the first flow update (at timer) event occurs).

The flow update timer is not set, and is never set again, if no flow update collectors are configured at the time of flow creation, or if the flow update collectors are removed during a flow update event. Under these conditions, no flow update (at timer) event or flow update (at teardown) event is seen again.
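The following collector-side sketch is an added example, not code from Cisco's guide. It totals the delta byte fields per NF_F_CONN_ID and handles the cases described above (update at teardown, short-lived flows, the ignored NF_F_FW_EXT_EVENT field). It assumes records are already decoded into dictionaries keyed by the template field names; the NF_F_FW_EVENT codes 2 and 5 come from Cisco's NSEL field definitions rather than this page, and `account_flows`, `_rec` and `SAMPLE` are hypothetical names.

```python
from collections import defaultdict

# NF_F_FW_EVENT codes from Cisco's NSEL field definitions (not listed on this
# page): 2 = flow deleted (teardown), 5 = flow update.
FLOW_DELETED, FLOW_UPDATE = 2, 5

def account_flows(records):
    """Sum per-connection bytes from decoded flow update records.

    Each record is a dict keyed by the template field names on this page.
    Returns {NF_F_CONN_ID: summary}.
    """
    flows = defaultdict(lambda: {"fwd_bytes": 0, "rev_bytes": 0,
                                 "updates": 0, "torn_down": False})
    for rec in records:
        event = rec["NF_F_FW_EVENT"]
        if event not in (FLOW_UPDATE, FLOW_DELETED):
            continue
        flow = flows[rec["NF_F_CONN_ID"]]
        if event == FLOW_UPDATE:
            # Deltas cover only the interval since the last timer, so add them.
            # NF_F_FW_EXT_EVENT is not read: it is ignored in update records.
            flow["fwd_bytes"] += rec["NF_F_FWD_FLOW_DELTA_BYTES"]
            flow["rev_bytes"] += rec["NF_F_REV_FLOW_DELTA_BYTES"]
            flow["updates"] += 1
        else:
            # Mark closed only. The update (at teardown) record may be decoded
            # before or after this one, and the teardown record's own byte
            # fields are left out rather than guessing how they overlap.
            flow["torn_down"] = True
    for flow in flows.values():
        # No update records: short-lived flow, idle flow, or no update
        # collector configured. Zero means "not reported", not "no traffic".
        flow["bytes_reported"] = flow["updates"] > 0
    return dict(flows)

def _rec(conn, event, fwd=0, rev=0, ext=0):
    return {"NF_F_CONN_ID": conn, "NF_F_FW_EVENT": event, "NF_F_FW_EXT_EVENT": ext,
            "NF_F_FWD_FLOW_DELTA_BYTES": fwd, "NF_F_REV_FLOW_DELTA_BYTES": rev}

# Constructed sample: connection 101 sends two timer updates, then a teardown
# followed by its update (at teardown); connection 202 is short-lived.
SAMPLE = [
    _rec(101, FLOW_UPDATE, fwd=4000, rev=120000, ext=9999),
    _rec(101, FLOW_UPDATE, fwd=1500, rev=30000),
    _rec(101, FLOW_DELETED),
    _rec(101, FLOW_UPDATE, fwd=200, rev=800),
    _rec(202, FLOW_DELETED),
]
```

A connection whose summary has `bytes_reported` set to False should be treated as unmeasured in volume-based alerting, since the ASA sends no update record for short-lived or idle flows.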
Table 8 Templates for Flow Teardown Events (continued)

Description: IPv64 flow teardown
Fields: NF_F_CONN_ID, NF_F_SRC_ADDR_IPV6, NF_F_SRC_PORT, NF_F_SRC_INTF_ID, NF_F_DST_ADDR_IPV6, NF_F_DST_PORT, NF_F_DST_INTF_ID, NF_F_PROTOCOL, NF_F_ICMP_TYPE_IPV6, NF_F_ICMP_CODE_IPV6, NF_F_XLATE_SRC_ADDR_IPV4, NF_F_XLATE_DST_ADDR_IPV4, NF_F_XLATE_SRC_PORT, NF_F_XLATE_DEST_PORT, NF_F_FW_EVENT, NF_F_FW_EXT_EVENT, NF_F_EVENT_TIME_MSEC, NF_F_FWD_FLOW_DELTA_BYTES, NF_F_REV_FLOW_DELTA_BYTES, NF_F_FLOW_CREATE_TIME_MSEC

Description: IPv64 flow teardown, no source translation
Fields: NF_F_CONN_ID, NF_F_SRC_ADDR_IPV6, NF_F_SRC_PORT, NF_F_SRC_INTF_ID, NF_F_DST_ADDR_IPV6, NF_F_DST_PORT, NF_F_DST_INTF_ID, NF_F_PROTOCOL, NF_F_ICMP_TYPE_IPV6, NF_F_ICMP_CODE_IPV6, NF_F_XLATE_SRC_ADDR_IPV6, NF_F_XLATE_DST_ADDR_IPV4, NF_F_XLATE_SRC_PORT, NF_F_XLATE_DEST_PORT, NF_F_FW_EVENT, NF_F_FW_EXT_EVENT, NF_F_EVENT_TIME_MSEC, NF_F_FWD_FLOW_DELTA_BYTES, NF_F_REV_FLOW_DELTA_BYTES, NF_F_FLOW_CREATE_TIME_MSEC