ASA NetFlow - Incorrect Interface Indices Bug fixed in new ASA IOS
Hi All,
Users monitoring Cisco ASA for NetFlow reports might have come across issues where the interface stats reported did not match with the actual interface. This was found to be caused by a bug in Cisco ASA IOS. The detail of the bug was updated to us by one of our esteemed customer:
There is no 8.2(12) release from Cisco. The 8.2(2) rev that is the latest in the 8.2(x) train. There is a released 8.3(1) rev and according to the resolved caveats, this issue is covered, per the following bug ID:
Please check the below link for more details on the IOS release 8.3 for Cisco ASA:
http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wpxref23321
We request you to check with Cisco and upgrade to this latest IOS version to resolve the mentioned issue.
ManageEngine also introduced enhanced support for Cisco ASA in Version 8. The enhanced reporting allows users to see not just the source and destination IP Address, but also the mapped IP Addresses of NATed traffic passing through ASA.
You now get traffic reports as well as reports for how the NAT translation is taking place on the ASA thus helping verify the mappings.
Do post your suggestions for NetFlow Analyzer and we will be glad to consider them for enhancing the product to meet user requirements.
Regards,
Don Thomas
Users monitoring Cisco ASA for NetFlow reports might have come across issues where the interface stats reported did not match with the actual interface. This was found to be caused by a bug in Cisco ASA IOS. The detail of the bug was updated to us by one of our esteemed customer:
It now seems that Cisco is not moving to a 8.2(12) release, but has come out with the 8.3 Release Train. The update on the status of this bug from one one of our esteemed customer using Cisco ASA is as below:There is currently a ASA bug (ID:CSCtb63825) that will give you inaccurate information. The ASA doesn't use IfTable to store interface names. So NFA may report data for an interface that is actually sourced from a different interface. Cisco has informed that this bug has been fixed in 8.2(12), but that the release is not available yet.
There is no 8.2(12) release from Cisco. The 8.2(2) rev that is the latest in the 8.2(x) train. There is a released 8.3(1) rev and according to the resolved caveats, this issue is covered, per the following bug ID:
|
|
|
There is a good chance that going to the 8.3(x) train will involve a memory upgrade based on the hardware being run on the ASA.
Please check the below link for more details on the IOS release 8.3 for Cisco ASA:
http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wpxref23321
We request you to check with Cisco and upgrade to this latest IOS version to resolve the mentioned issue.
ManageEngine also introduced enhanced support for Cisco ASA in Version 8. The enhanced reporting allows users to see not just the source and destination IP Address, but also the mapped IP Addresses of NATed traffic passing through ASA.
You now get traffic reports as well as reports for how the NAT translation is taking place on the ASA thus helping verify the mappings.
Do post your suggestions for NetFlow Analyzer and we will be glad to consider them for enhancing the product to meet user requirements.
Regards,
Don Thomas