Cisco Defense Orchestrator

Troubleshooting NSEL Data Flows

Overview

Once you have configured NetFlow Secure Event Logging (NSEL), use these procedures to verify that NSEL events are being sent from your ASA to the Cisco Cloud and that the Cisco Cloud is receiving them.

Note that once your ASA is configured to send NSEL events to the Secure Event Connector (SEC) and then on to the Cisco Cloud, data does not flow immediately. It can take a few minutes for the first NSEL packets to arrive, assuming there is NSEL-related traffic being generated on the ASA.

Note: This workflow shows a straightforward use of the "flow-export counters" and "capture" commands to troubleshoot NSEL data flows. See "Packet Captures" in CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide and "Monitoring NSEL" in the Cisco ASA NetFlow Implementation Guide for a more detailed discussion of these commands.

Perform these tasks:

  • Verify that NetFlow Packets are Being Sent to the SEC
  • Verify that NetFlow Packets are Being Received by the Cisco Cloud

Verify that NSEL Events are Being Sent to the SEC

Use one of two commands to verify that NSEL packets are being sent to the SEC:

  • flow-export counters
  • capture

Use the "flow-export counters" Command to Check for flow-export Packets Being Sent and for NSEL errors

Before you Begin

Procedure

Use the command line interface in CDO to send these commands to the ASAs that you have configured for NSEL.

  1. Select Devices & Services from the CDO menu bar on the left.
  2. Select the ASA you configured to send NSEL events to the SEC.
  3. In the Device Actions pane on the right, click Command Line Interface.
  4. Reset the flow-export counters by running the clear flow-export counters command. This resets the flow-export counters to zero so that you can easily tell whether new events are being sent.

example:

> clear flow-export counters
Done!

  5. Run the show flow-export counters command to see the destination of the NSEL packets, how many packets were sent, and any errors:

example:

> show flow-export counters
destination: management 209.165.200.225 10425
Statistics:
  packets sent 25000
Errors:
  block allocation errors 0
  invalid interface 0
  template send failure 0
  no route to collector 0
  source port allocation 0

In the output above, the destination line shows the interface on the ASA from which NSEL events are sent (management), the IP address of the SEC (209.165.200.225), and the port on the SEC that receives the events (10425). The Statistics section shows that 25000 packets have been sent.

If there are no errors and packets are being sent, skip to Verify that NetFlow Packets are Being Received by the Cisco Cloud below.

Error descriptions:

  • block allocation errors: If you receive a block allocation error, the ASA did not allocate memory to the flow-exporter.
    • Recovery action: Call the Cisco Technical Assistance Center (TAC).
  • invalid interface: Indicates that you are trying to send NSEL events to the SEC, but the interface you defined for flow export is not configured to do so.
    • Recovery action: Review the interface you chose when configuring NSEL. We recommend using the management interface, but your interface may be different.
  • template send failure: The template you defined for NSEL was not parsed correctly.
  • no route to collector: Indicates there is no network route from the ASA to the SEC.
    • Recovery actions:
      • Make sure that the IP address you used for the SEC when you configured NSEL is correct.
      • Make sure the SEC's status is Active and it has sent a recent heartbeat. See Troubleshoot an On-Premise Secure Device Connector.
      • Make sure the Secure Device Connector's status is Active and it has sent a recent heartbeat.
  • source port allocation: May indicate that there is a bad port on your ASA.

Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC

Before you Begin

Procedure

Use the command line interface in CDO to send these commands to the ASAs that you have configured for NSEL.

  1. Select Devices & Services from the CDO menu bar on the left.
  2. Select the ASA you configured to send NSEL events to the SEC.
  3. In the Device Actions pane on the right, click Command Line Interface.
  4. In the command window, run this capture command:

> capture capture_name interface interface_name match udp any host IP_of_SEC eq NetFlow_port

Where 

  • capture_name is the name of the packet capture.
  • interface_name is the name of the interface from which NSEL packets leave the ASA.
  • IP_of_SEC is the IP address of the SEC VM.
  • NetFlow_port is the port to which NSEL events are sent.

This starts the packet capture.

  5. Run the show capture command to view the captured packets:

> show capture capture_name

Where capture_name is the name of the packet capture you defined in the previous step.

Here is an example of the output, showing the time each packet was captured, the source IP address and port, and the destination IP address and port. In this example, 192.168.25.4 is the IP address of the SEC and port 10425 is the port on the SEC that receives NSEL events.

6 packets captured

   1: 14:23:51.706308       192.168.0.169.16431 > 192.168.25.4.10425:  udp 476 
   2: 14:23:53.923017       192.168.0.169.16431 > 192.168.25.4.10425:  udp 248 
   3: 14:24:07.411904       192.168.0.169.16431 > 192.168.25.4.10425:  udp 1436 
   4: 14:24:07.411920       192.168.0.169.16431 > 192.168.25.4.10425:  udp 1276 
   5: 14:24:21.021208       192.168.0.169.16431 > 192.168.25.4.10425:  udp 112 
   6: 14:24:27.444755       192.168.0.169.16431 > 192.168.25.4.10425:  udp 196 

  6. Run the capture stop command to manually stop the packet capture:

> capture capture_name stop

Where capture_name is the name of the packet capture you defined in the previous step. 
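The two outputs above (show flow-export counters and show capture) can be checked mechanically rather than read by eye. The following Python is an added example, not Cisco's or CDO's code: it parses both outputs in the format shown on this page, reports any non-zero error counter with the recovery hint from the error descriptions above, confirms the flow-export destination matches the SEC IP and NetFlow port you configured, and parses the capture lines so you can confirm every packet went to the SEC. The sample outputs are constructed from this page's examples, with "no route to collector" set to a non-zero value so the diagnosis has something to report.

```python
import re
# Constructed sample inputs, modelled on this page's example output.
COUNTERS_OUTPUT = """\
destination: management 209.165.200.225 10425
Statistics:
  packets sent 25000
Errors:
  block allocation errors 0
  invalid interface 0
  template send failure 0
  no route to collector 3
  source port allocation 0
"""
CAPTURE_OUTPUT = """\
2 packets captured
   1: 14:23:51.706308       192.168.0.169.16431 > 192.168.25.4.10425:  udp 476
   2: 14:23:53.923017       192.168.0.169.16431 > 192.168.25.4.10425:  udp 248
"""
# Recovery hints for each error counter, taken from the error descriptions on this page.
RECOVERY = {
    "block allocation errors": "ASA did not allocate memory to the flow-exporter; call Cisco TAC",
    "invalid interface": "flow-export interface is not configured to send NSEL; re-check the interface",
    "template send failure": "the NSEL template was not parsed correctly",
    "no route to collector": "no route from ASA to SEC; check the SEC IP and that SEC/SDC are Active",
    "source port allocation": "may indicate a bad port on the ASA",
}

def parse_counters(text):
    """Parse 'show flow-export counters' into (destination dict, packets sent, {error: count})."""
    m = re.search(r"destination:\s+(\S+)\s+(\S+)\s+(\d+)", text)
    dest = {"interface": m.group(1), "ip": m.group(2), "port": int(m.group(3))}
    sent = int(re.search(r"packets sent\s+(\d+)", text).group(1))
    errors = {name: int(re.search(name + r"\s+(\d+)", text).group(1)) for name in RECOVERY}
    return dest, sent, errors

def diagnose_counters(text, sec_ip, netflow_port):
    """Return findings: wrong destination, zero packets sent, or any non-zero error counter."""
    dest, sent, errors = parse_counters(text)
    findings = []
    if (dest["ip"], dest["port"]) != (sec_ip, netflow_port):
        findings.append(f"destination {dest['ip']}:{dest['port']} is not the SEC {sec_ip}:{netflow_port}")
    if sent == 0:
        findings.append("no NSEL packets sent since 'clear flow-export counters'")
    findings += [f"{n}={c}: {RECOVERY[n]}" for n, c in errors.items() if c]
    return findings

# One 'show capture' line: "<n>: <time> <src_ip>.<src_port> > <dst_ip>.<dst_port>: udp <len>"
CAPTURE_LINE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\.(\d+) > (\S+)\.(\d+):\s+udp (\d+)")

def parse_capture(text):
    """Parse 'show capture' lines into (src_ip, src_port, dst_ip, dst_port, udp_len) tuples."""
    matches = (CAPTURE_LINE.match(line) for line in text.splitlines())
    return [(m[1], int(m[2]), m[3], int(m[4]), int(m[5])) for m in matches if m]
```

Run diagnose_counters against the real counters output with the SEC IP and port you configured; an empty list means the ASA side looks healthy and you can move on to checking the Cisco Cloud.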

Verify that NetFlow Packets are Being Received by the Cisco Cloud

Before you Begin

Verify that NSEL events are being sent from the ASA.

Procedures

Check for both live and historical events.

Check for Live NSEL Events

This procedure filters for NSEL events that the Cisco Cloud has received within the last hour.

  1. In CDO, select Monitoring > Event Logging on the menu bar on the left.
  2. Click the Live tab.
  3. Pin-open the event filter.
  4. In the ASA Events section, make sure NetFlow is checked.
  5. In the Sensor ID field, enter the IP address of the ASA you configured to send NSEL events.
  6. At the bottom of the filter, make sure that "Include NetFlow Events" is checked.

Check for Historical NSEL Events

This procedure filters for NSEL events that the Cisco Cloud has received within the time frame you specify.

  1. In CDO, select Monitoring > Event Logging on the menu bar on the left.
  2. Click the Historical tab.
  3. Pin-open the event filter.
  4. In the ASA Events section, make sure NetFlow is checked.
  5. Set the Start time far enough back to check whether CDO has ever received NSEL events.
  6. In the Sensor ID field, enter the IP address of the ASA you configured to send NSEL events.
  7. At the bottom of the filter, make sure that "Include NetFlow Events" is checked.