ASA 8.2(5) enable Netflow

Hi,
Running ASA 8.2.(5) with ASDM 6.4(5).
When I try to enable netflow on my <default inspection traffic> policy which is global I get a message saying "only inspect rule actions can be specified for the default inspection traffic". As Netflow can only be applied as a global service policy, I have to use netflow on a global policy, but how do I use my traffic inspection policy then?
Create multiple service policies I apply to each interface or?
According to https://supportforums.cisco.com/docs/DOC-6114 it looks as I can have both at the same time or in the same Global policy ?
Regards
Robert

hmm I seem I can´t create a new class-map with ASDM? I have no option to do that.
Looking at:
https://supportforums.cisco.com/docs/DOC-6113
It says:
Most users will have a global inspection policy so we can just leverage that. It should be noted that we can't use class-default here because we won't generate NetFlow data for anything that is subject to inspection.
Is that not what my original message basicly is saying from ASDM?
Robert

Similar Messages

Enabling netflow on a 2504 controller

I just completed setting up a AIR-CT2504-K9 controller with 9 APs with RADIUS on the private WLAN and an open guest WLAN; I want to enable netflow exports to a collector, but see no place in the GUI to do this and no obvious CLI commands.
Could someone please point me in the right direction?
Thanks,
M

Is this what you are looking for?
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"

Enabling Netflow on Production 6500 Core switch

Hi All,
I am looking for a little expert advise regarding Cisco Netflow. For monitoring I need to enable Netflow feature on 6500 core switch or 6500 load balancer with CSM module installed, but I am just concern about the CPU hits on the devices. we are not using any dynamic routing protocols. Can someone please advise how will it effect on the local resources when using Netflow? Is it fine if I enable this feature on these devices in production?
Thanks in advance,

Hi Mudassar,
Enabling netflow will not have a major impact on CPU or memory but you will want to keep a close eye on the switches TCAM utilisation. Features like netflow, TCP intercept and WCCP can use resources from “NetFlow TCAM Table”.
Use the "show mls netflow table-contention detailed" command to monitor TCAM utilisation.
Regards
Brett

Enable NetFlow ASA 8.0(5)

HI team
Let me know if the netflow could be enable in the version
Appliance Software Version 8.0(5). (ASA 5550).
Review the document of Cisco mention that this functionality is available in the version 8.1 or supperior.
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html#anchor5
But I need to be sure, please.
I hope your comment/suggestion

No, it is not supported on ASA 8.0(5).
ASA software version 8.1(1) introduced Netflow support for the ASA appliances. The release notes (and approriate section of the command reference) note this explicitly.

Can MPLS aware Netflow ver. 9 be enabled on the catalyst switches 6500

HI, I'm working for KOREA TELECOM, and currently providing MPLS VPN.
We're planning to provide our customer with traffic report using NetFlow..
I read some documents which reads Netflow ver.9 can be enabled on Cisco GSR 12000 Series, but no mention about catalyst switches. So, I ' m curious about that Netflow ver 9 can be activated on catalyst 6500 series.. because the point where switch is located already have mpls encapsulated packet ( mpls vpn packet).
Thank you , in advance.

NetFlow is now integral to Cisco 6500. A configuration we recommend is as below:
mls netflow // This enables NetFlow on the Supervisor.
mls nde sender version 7
mls aging long 64 // This breaks up long-lived flows into (roughly) one-minute segments.
mls aging normal 32 // This ensures that flows that have finished are exported in a timely manner.
mls flow ip interface-full
mls nde interface
The next two commands will help to enable NetFlow data export for bridged traffic which is optional. You can specify the list of VLANs here to enable bridged traffic.
ip flow ingress layer2-switched vlan
ip flow export layer2-switched vlan
Apart from this, NetFlow has to be enabled on the MSFC using the below commands.
ip flow egress // This command has to be executed on all the L3/VLAN interfaces.
ip flow-export destination {hostname|ip_address} 9996 // The hostname or IP address of the flow server
ip flow-export source {interface} // The interface through which NetFlow packets are exported. eg: Loopback0
ip flow-export version 9
ip flow-cache timeout active 1
snmp-server ifindex persist
The new Cisco Flexible NetFlow actually allows for export of MPLS specific information (I believe it is stack lables) in addition to information on IP Address, port, etc. But you will need a tool that can support these additional fields. Otherwise you can view IP, port, protocol, etc related information from MPLS links.
Regards,
Don Thomas Jacob
ManageEngine NetFlow Analyzer

Cisco Prime Infrastructure 2.0 and ASA 55xx platform problem

Hello,
We recently upgraded to Prime Infrastructure 2.0 with the hope being able to manage our ASA's from PRIME (and complete an LMS migration).
When I attempt to add ASA's to prime i get the following collection errors:
Unable to collect processor and RAM information.          Processor and RAM information.          Unexpected error. See the log file inventory.log for details.
In the logfile I get the following XML parsing error on the MIB:
<palError>
<deviceId>6284310032</deviceId>
<code>VALIDATION_ERROR</code>
<message>Failed to validate output XML: cvc-maxInclusive-valid: Value '3484331296' is not facet-valid with respect to maxInclusive '2147483647' for type 'int'.</message>
<result>
    <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
      <xmp-im-file-system-module>
        <MemoryPoolStatistics>
          <memoryPoolIndex>1</memoryPoolIndex>
          <free>4294967295</free>
          <largestFree>4294967295</largestFree>
          <used>3484331296</used>
        </MemoryPoolStatistics>
To me it seems that the ASA returns a value that is bigger then int32 and thus causes an overflow? Any clues? Workarounds to add an ASA to Prime without checking these MIB'S?
Regards,
Marcel

Hi,
does anyone happen to know if that problem is fixed? My currently setup looks like this:
1. Cisco Prime Infrastructure 2.1 with updated device pack.
2. Assurance license
3. ASA5510 which has enabled netflow. Netflow is being sent to Cisco Prime 2.1
I do receive netflow raw data within Cisco Prime 2.1 but any graphical display of netflow data is not working. Does anybody has an idea where the problem is? Could it be that the graphical data is only displayed when sending netflow 1, netflow 5 or netflow 7?
regards
Maurus

ASA 5505 VPN HELP!!!

I have two ASA 5505's. One is currently setup as my firewall connected to the Cox Cable modem and wireless AP. I have another ASA that I would like to use, I have an idea that I could set that one up as a VPN unit, but not sure how I could do that. If that is not an option, can you provide the command line instructions on how to setup the VPN via the console cable. I am kinda new and I am slowing trying to become more knowledgeable about this. Any help would be greatly appreciated.
Thanks,
Jon
My current Config:
ASA Version 8.2(3)wn coldstart' comm
!d
hostname Wood-ASA1-if
%ASA-5-111008:
domain-name lv.cox.net the 'inspect ip-optio
enable password 8Ry2YjIyt7RRXU24 encrypted8cb69fe 20cfb60adisk0:/asa823.bin
passwd 2KFQnbNIdI.2KYOU encrypteded the 'service-policy global_pol
namesobal'
!a
interface Ethernet0/0in        ^
switchport access vlan 2%ASA-5-
command.ser 'Con
!S
interface Ethernet0/1ig' executed the 'pro
!t
interface Ethernet0/2mand.tics access-lirv
interface Ethernet0/3 securi
rd DfltAccess
!l
interface Etherne
interface Vlan1ecuted the 'pro
nameif inside' command.omma
security-level 100
%ASA-5-111008: Use
ip address 192.168.1.1 255.255.255.01008: User 'Config' executed the 'no
!t
interface Vlan2 the '
%ASA-5-1
nameif outsidefig' executed t
security-level 0-5-111008: User '
ip address dhcp setrouteination address http http
boot system disk0:/asa823-k8.bing' executed the 'class-map inspe
boot config disk0:/asa823.binom/its/service/oddce/services
ftp mode passivemand. User 'Conf
dns server-group DefaultDNS User 'Config' execut
%ASA-
domain-name lv.cox.netexecuted the 'destinati
object-group icmp-type ICMP-INBOUNDation linkup linkdown coldstart' co
description Permit necessary inbound ICMP trafficand.'policy-map type
%ASA-5-111008: User 'Config'
icmp-object echo-replyon transport-method htt
icmp-object unreachable
s_map' command.t
icmp-object t
%ASA-
logging buffered warningsecuted the 'subscribe-to-
logging asdm notificationsxecuted t
%ASA-5-111008: U
mtu inside 1500cuted the 'poli
mtu outside 1500ct
riodic month
icmp unreachable rate-limit 1 burst-size 1-111008: User 'Config' executed the 'subsc
asdm image disk0:/asdm-625.bino5-111008: User 'Config' execu
no asdm history enablemmand.outside' command
arp timeout 14400monthly' command.
nat-control
%ASA-5-111
global (outside) 1 interfacenfig' executed the 'subscrib
nat (inside) 1 0.0.0.0 0.0.0.0andasa# threat-detec
d.n
%ASA
access-group INBOUND in interface outside08: Us
riodic daily' command.e
timeout xlate 3:
aaa authentication ssh console LOCALe Ethernet0/5, changed state to admi
http server enableas
%ASA-5-111008:
http 192.168.1.0 255.255.255.0 inside' executed the
%ASA-4-411003: Interfa
no snmp-server locationstate to administra con
no snmp-server contact
telnet timeout 5# nat-contr
%ASA
ssh 0.0.0.0 0.0.0.0 insideec
%ASA-4-411001: Line pro
ssh 0.0.0.0 0.0.0.0 outside/3, changed state to upomma
ssh timeout 5SA-5-111
%ASA
console timeout 0onfig' executed t
dhcpd dns 8.8.8.8 8.8.4.4ne protocol on Interface
dhcpd auto_config outside to ups_map' com
%ASA-5-1
!0
dhcpd address 192.168.1.2-192.168.1.33 insideommand
enableR: % I
Password:SA-5-1110
Wood-A
dhcpd dns 8.8.8.8 8.8.4.4 interface inside: Uname: enable_15 From: 1 To:pect netbios
dhcpd enable insidescoas
%ASA-5-111008
!U
threat-detection basic-threat%ASA-5-111008: User 'enable_1
threat-detection statistics acce
.0.0.0 0.0.0.
parametersprompt host
message-length maximum client auto1008: User 'enable_15' executed the
message-length maximum 512A-5-111008: User 'Config' ex
policy-map type inspect dns prsent_dns_map 0/0' command. executed the 'inspe
no shut
parametersA-5
Wood-AS
message-length maximum 512 Interface Ethernet0/0, chan
policy-map global_policyg' executed the 'inspect
class inspection_defaultA-5-111008: User 'Con
ini
inspect dns preset_dns_map
%ASA-5-111008: User 'enable
inspect ftpthe 'no shutd
inspect h323 h225111008: User 'Confi
inspect h323 rasstination address
inspect rsh1001: Line pr
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c3a35118ab34143a5e73e414ead343c1

for sure you can do this with the ASA , see the following configuration example :
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080950890.shtml
cheers.

Cisco ASA 5505 Configurations. Help... Beyond Frustrated

Hello All,
I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
hostname AMDASA
domain-name asa.(mydomain).com
enable password (encrypted)
passwd (encrypted)
interface Ethernet0/0
description TWCoutside
switchport access vlan 2
no shutdown
write mem
exit
interface Ethernet0/1
description Port1inside
switchport access vlan 1
no shutdown
write mem
exit
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.250 255.255.255.0
write mem
exit
interface Vlan2
nameif outside
security-level 0
ip address 24.39.245.36 255.255.255.240
write mem
exit
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
write mem
exit
ftp mode passive
write mem
clock timezone EST -5
clock summer-time EDT recurring
write mem
exit
dns server-group DefaultDNS
domain-name asa.adcmotors.com
write mem
exit
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-group acl_outside in interface outside
access-list acl_inside extended permit icmp any any object-group DefaultICMP
access-group acl_inside in interface inside
write mem
exit
write mem
That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!

Hi our desperate friend .
First I would suggest to use the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler and for the SSL VPN you would need to install the client on the ASA and purchase additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you dont have it or dont have access to download it from cisco.com go to the person from which you purchased your ASA and ask him how to get it.
That said, I also think that your ASA lacks of some basic configuration as of now. If you are planning to use this in replacement for your current PIX. You would need to configure a default route and some basic NAT:
route outside 0.0.0.0 0.0.0.0 24.39.245.33
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
Now regarding the VPN Client configuration you would need to something like this:
Create an isakmp policy:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Create a couple of ACLs that we will use later:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_tun standard permit 192.168.0.0 255.255.255.0
Create a Pool for the VPN Clients to use:
ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
Create a Group Policy:
group-policy TEST internal
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tun
Create a group:
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
address-pool TestPool
authentication-server-group ABTVPN
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key cisco123
Create crypto map and do a NAT 0:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
nat (inside) 0 access-l nonat
Finally create a user that you will use to connect:
username test password test123
Then you would need to configure your VPN Client to connect with the ASA.
Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
I hope this helps. Feel free to ask if you have any questions. Also it would very usefull if you could upload the current config (show run) of the ASA in case you need to ask something else.
Have fun.
Raga

Cisco ASA 5512 two interfaces

i have an Cisco ASA 5512 working as Firewall
We configure one ASA interface connecting to Cisco router 1700 with leasd line internet service without any problem.
Now we have an extra internet connection ADSL 2MB connected to another ASA interface
I configure the ASA like this :
1-    Enable interface 2 on ASA and connect it to ADSL router (interface ip 192.168.1.100 from the same ADSL router {192.168.1.1}range )
2-    Create Access rule say source (My computer ip) destination ADSL network range action accept
3-    Create Nat Rule say source interface inside source ip (my ip) destination interface ADSL ip 192.168.1.100 destination source router ip 192.168.1.1
4-    Add static route say ADSL interface source ip my ip gateway ADSL router
This steps what I do but it doesn't work.
Thanks in advance

FYI for internet access I doubt this will work because if you configure two default route then ASA won't distribute traffic across two interface, first default route will be the one where ASA will send traffic. However from your description it is not very clear which IP address you are trying to ping and how exactly rules you have configured.
Either attach your config or paste the relevant config in post.

Port Forwarding for Cisco ASA 5505 VPN

This is the Network
Linksys E2500 ---> Cisco ASA 5505 ---> Server
I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
Thank You

For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
Command to enable NAT-T on ASA:
crypto isakmp nat-traversal 30

Flexible Netflow (v.9) question on 3850 ipservices doesn't seem to register

Greetings all - I am trying to enable netflow on a new 3850-24 with ipservices. I am leveraging LiveAction and have raised a ticket with them to help me through the issue, but more generally I'm confused about the lack of features I'm seeing. Per the 3850 guide here (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html) it is stated that you will have the option of turning on inbound and outbound directions on 3850's with ipbase and ipservices.
We are running ip services:
Slot# License name Type Count Period left
1 ipservices permanent N/A Lifetime
However, we get the following error when trying to turn on flow inbound and outbound on the interfaces - whether they are svi (layer3) or interface (layer2)
-----------------Layer2: ----------------------------------------------
(config)#interface GigabitEthernet1/0/24
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR'
Unsupported match field "interface input" for ipv4 traffic in output direction
Unsupported collect field "interface output" for ipv4 traffic in output direction
---------------- Layer3 ---------------------------------------------
switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
------------------------------------ untruncated output ------------------------------
switch(config-flow-record)#collect counter bytes
% Incomplete command.
switch(config-flow-record)#collect counter packets
% Incomplete command.
switch(config-flow-record)#collect flow sampler
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect interface output
switch(config-flow-record)#collect ipv4 destination mask
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 dscp
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 id
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 source mask
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect ipv4 source prefix
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing destination as
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing next-hop address ipv4
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect routing source as
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect timestamp sys-uptime first
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect timestamp sys-uptime last
^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect transport tcp flags
switch(config-flow-record)#exit
switch(config)#flow monitor LIVEACTION-FLOWMONITOR
switch(config-flow-monitor)#$ DO NOT MODIFY. USED BY LIVEACTION.
switch(config-flow-monitor)#exporter LIVEACTION-FLOWEXPORTER
switch(config-flow-monitor)#cache timeout inactive 10
switch(config-flow-monitor)#cache timeout active 60
switch(config-flow-monitor)#record LIVEACTION-FLOWRECORD
switch(config-flow-monitor)#exit
switch(config)#interface Vlan197
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#exit
switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
-------------------- config it's trying to apply----------------------------
config t
ip cef
snmp-server ifindex persist
flow exporter LIVEACTION-FLOWEXPORTER
description DO NOT MODIFY. USED BY LIVEACTION.
destination <removed private IP address to liveaction server>
source Loopback0
transport udp 2055
template data timeout 600
option interface-table
exit
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect flow sampler
collect interface output
collect ipv4 destination mask
collect ipv4 dscp
collect ipv4 id
collect ipv4 source mask
collect ipv4 source prefix
collect routing destination as
collect routing next-hop address ipv4
collect routing source as
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
exit
flow monitor LIVEACTION-FLOWMONITOR
description DO NOT MODIFY. USED BY LIVEACTION.
exporter LIVEACTION-FLOWEXPORTER
cache timeout inactive 10
cache timeout active 60
record LIVEACTION-FLOWRECORD
exit
interface Vlan197
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface Vlan190
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/13
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/18
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/4
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/3
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/6
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/5
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/23
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
exit
interface GigabitEthernet1/0/24
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output

Welcome to the Arch forums. That was an amazing first post. It is refreshing to see a new forum member actually post with as much detail as possible in order to explain the situation. Too often we get people saying things like "I can't get to the internet... why?" as the extent of their post. So thanks.
So I am curious about what the dhcpcd is trying to do. It seems to be trying to soliciting for a ipv6 address, but mentions nothing about in ipv4 address. It is not unfortunately not entirely uncommon for dhcpcd to time out waiting for an ipv6 address that never comes. So are you using ipv6? Do you expect an ipv6 address? I noticed that when you tried to ping the google DNS server, you used their ipv4 address (8.8.8.8). So I am thinking that means you are actually using ipv4.
I wonder if you might be able to poll for just an ipv4 address with dhcpcd. Just run it with -4 and it should disable the ipv6 stuff. You might also want to try dhclient and see what kind of output it gives you. If you are definitely not using ipv6, and it is not offered in your area, you might want to disable it. There are instructions in the wiki on how to do this... but you might want to wait until you establish the issue before doing things like that.

When ip cef is enable timeouts occur

First i want to enable netflow on our routers, and in order to do that i need to enable IP CEF. but when i enable cef all of the point to point vpn sites connected to the router, they stay connected but the terminals that connect to our citrix farm will not connect they from what i can tell timeout on the connection. disabling cef they can connect. enabling cef they can't connect,
This is really odd behavoir since we can still remote access the site but the terminals just can't connect when ip cef is enabled.
I attached the config of the router, i removed the tunnels and other various things that is not relivant(i believe)

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I'm not 100% certain, but I believe FastSwitching and CEF switching apply to unicast, not multicast. Your "IP mroute-cache" command enables/disables fast multicast switching.
On a 3750, switching should be hardware based, for unicast and multicast, unless TCAM resources are insufficient. If hardware switching falls back to non-hardware switching, you'll likely find process vs. Fast vs. CEF vs. multicast doesn't matter, all too slow.

6506 NetFlow

Hi,
I'm trying to capture an ingress traffic on SVI interface of my Cisco 6506 (WS-C6506-E).
I've enabled NetFlow on the Multilayer Switch Feature Card (MSFC):
ip flow-export source Vlan254ip flow-export version 5ip flow-export destination 172.23.100.21 2055
Enabled NetFlow and NetFlow Data Export (NDE) on the Policy Feature Card (PFC):
ip flow ingress layer2-switched vlan 130mls netflow interfacemls flow ip interface-destinationmls nde sender version 5mls aging fast threshold 127mls aging long 1000mls sampling time-based 512mls cef error action resetmls netflow sampling
and on the monitorable interface:
interface Vlan130 ip address 172.23.170.2 255.255.255.0 ip flow ingress mls netflow sampling standby 1 ip + timers + priority + preempt + authentication
Now I'm trying to see capruted flows. The point is I can't see flow's source address, source and destination port, and L4 protocol for unicast flows:
Cat6506-LAN1#sh mls netflow ipDisplaying Netflow entries in Active Supervisor EARL in module 5DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr-----------------------------------------------------------------------------Pkts Bytes Age LastSeen Attributes---------------------------------------------------172.23.131.5 0.0.0.0 0 :0 :0 Vl130 :0x0202 52554 2 17:04:35 L2 - Dynamic0.0.0.0 0.0.0.0 0 :0 :0 -- :0x013312 6807977 2 17:04:35 L3 - Dynamic172.23.170.64 0.0.0.0 0 :0 :0 Vl130 :0x00 0 2 17:04:34 L2 - Dynamic172.23.170.123 0.0.0.0 0 :0 :0 Vl130 :0x00 0 2 17:04:35 L2 - Dynamic224.0.0.2 172.23.170.3 udp :1985 :1985 Vl130 :0x02 156 1 17:04:35 Multicast
224.0.0.2 172.23.170.3 udp :1985 :1985 Vl130 :0x08 624 6 17:28:03 Multicast172.23.170.181 0.0.0.0 0 :0 :0 Vl130 :0x00 0 5 17:28:03 L2 - Dynamic
The same output info I get on my NetFlow collector.
Anybody know a reason what can prevent of collecting flows correctly?
Thanks.

might want to change the flow mask to full instead of destination. I think that should give you the rest of the info. chris

Asa cmd authorization using acs

Hi all, i was trying to authorize the asa with acs 3.2 on priv lvl 7 using tacacs+,but the users were geting priv-lvl 15 only..
aaa-server aaa_serv protocol tacacs+
aaa-server aaa_serv host 10.0.0.10
key cisco123
aaa authentication serial console tac_serv
aaa authentication telnet console tac_serv
aaa authentication enable console tac_serv
aaa authorization command tac_serv
i had brought some commands also in priv 7 using privilege commandm but the problem is that when i try to login i am geting priv-lvl 15 only not 7.i had set in acs also in tacacs+ seting to assign priv lvl=7 only to the users .. but dnt knw why it is nt wrking ..

ASA does not have any authorization exec command so Priv Level does not work with ASA.
Max privilege(enable attrib. in ACS)works with ASA.
But if you implementing command authorization with ASA no need to configure max priv levels, let them all fall on priv level 15 and control access through command authorization.
2 main commands required for command authorization are
aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)
aaa authorization command tac_serv

Netflow on cisco me 6523

hello
im trying to get netflow working on a me 6523 to a destination address using udp port 4739 but im not getting anything through wire shark while connected
to a span port on the router or the connecting switch.
Im using the management interface which is using port-channel1

Hi Sean,
Can you try configuring your Cisco switch as below and check.
mls netflow // This enables NetFlow on the Supervisor.
mls nde sender version 7
mls aging long 64 // This breaks up long-lived flows into (roughly) one-minute segments.
mls aging normal 32 // This ensures that flows that have finished are exported in a timely manner.
mls flow ip interface-full
mls nde interface
The next two commands will help to enable NetFlow data export for bridged traffic which is optional. You can specify the list of VLANs here to enable bridged traffic.
ip flow ingress layer2-switched vlan
ip flow export layer2-switched vlan
Apart from this, NetFlow has to be enabled on the MSFC using the below commands.
ip flow egress // This command has to be executed on all the L3/VLAN interfaces.
ip flow-export destination {hostname|ip_address} 9996 // The hostname or IP address of the flow server
ip flow-export source {interface} // The interface through which NetFlow packets are exported. eg: Loopback0
ip flow-export version 9
ip flow-cache timeout active 1
snmp-server ifindex persist
Regards,
Don Thomas Jacob
ManageEngine NetFlow Analyzer

ASA 8.2(5) enable Netflow

Similar Messages

Maybe you are looking for