Verify that NSEL Events are Being Sent to the SEC

Use one of two commands to verify that NSEL packets are being sent to the SEC:

  • flow-export counters

  • capture

Use the "flow-export counters" Command to Check for flow-export Packets Being Sent and for NSEL errors

Use the command line interface in Security Cloud Control to send these commands to the ASAs that you have configured for NSEL.

Procedure


Step 1

In the navigation pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device tab and select the ASA you configured to send NSEL events to the SEC.

Step 4

In the Device Actions pane on the right, click Command Line Interface.

Step 5

Reset the flow export counters by running the clear flow-export counters command. This resets the flow export counters to zero so that you can easily tell if new events are coming in.

Example:

> clear flow-export counters

Done!

Step 6

Run the show flow-export counters command to see the destination of the NSEL packets, how many packets were sent and any errors:

Example:

> show flow-export counters

destination: management 209.165.200.225 10425
  Statistics:
    packets sent 25000
  Errors:
    block allocation errors 0
    invalid interface 0
    template send failure 0
    no route to collector 0
    source port allocation 0

In the output above, the destination line shows the interface on the ASA from which NSEL events are sent, the IP address of the SEC, and port 10425 on the SEC. The packets sent counter shows 25000.

If there are no errors and packets are being sent, skip to Verify that NetFlow Packets are Being Received by the Cisco Cloud below.


Error descriptions:

  • block allocation errors: If you receive a block allocation error, the ASA did not allocate memory to the flow-exporter.

    • Recovery action: Call Cisco Technical Assistance Center (TAC).

  • invalid interface: Indicates that you are trying to send NSEL events to the SEC but the interface you've defined for flow export isn't configured to do so.

    • Recovery action: Review the interface you chose when configuring NSEL. We recommend using the management interface, but your interface may be different.

  • template send failure: The template you had to define NSEL was not parsed correctly.

  • no route to collector: Indicates there is no network route from the ASA to the SEC.

    • Recovery actions:

      • Make sure that the IP address you used for the SEC when you configured NSEL is correct.

      • Make sure the SEC's status is Active and it has sent a recent heartbeat. See SDC is Unreachable.

      • Make sure the Secure Device Connector's status is Active and it has sent a recent heartbeat.

  • source port allocation: May indicate that there is a bad port on your ASA.
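
The check in Steps 5 and 6 can be applied to saved CLI output with a short script. The following is an added example, not Cisco code: it parses show flow-export counters output and maps any non-zero error counter to the guidance listed above. The names parse_counters, findings and GUIDANCE are hypothetical, and the script assumes the output contains a single destination block.

```python
import re

# Error descriptions and recovery actions, summarized from this page.
GUIDANCE = {
    "block allocation errors": "ASA did not allocate memory to the flow-exporter; call Cisco TAC.",
    "invalid interface": "Review the interface chosen when configuring NSEL.",
    "template send failure": "The NSEL template was not parsed correctly.",
    "no route to collector": "Check the SEC IP address and that the SEC and SDC are Active with a recent heartbeat.",
    "source port allocation": "May indicate a bad port on the ASA.",
}
# Sample input: the example output shown on this page.
SAMPLE = """\
destination: management 209.165.200.225 10425
Statistics:
packets sent 25000
Errors:
block allocation errors 0
invalid interface 0
template send failure 0
no route to collector 0
source port allocation 0
"""

def parse_counters(text):
    """Parse one destination block of 'show flow-export counters' output."""
    parsed = {"destination": None, "packets_sent": None, "errors": {}}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        dest = re.match(r"destination:\s+(\S+)\s+(\S+)\s+(\d+)$", line)
        counter = re.match(r"(.+?)\s+(\d+)$", line)
        if dest:
            parsed["destination"] = {"interface": dest[1], "ip": dest[2], "port": int(dest[3])}
        elif line.lower() in ("statistics:", "errors:"):
            section = line.lower().rstrip(":")
        elif counter and section == "statistics" and counter[1].lower() == "packets sent":
            parsed["packets_sent"] = int(counter[2])
        elif counter and section == "errors":
            parsed["errors"][counter[1].lower()] = int(counter[2])
    return parsed

def findings(parsed):
    """Return problems to act on; an empty list means packets are flowing with no errors."""
    problems = []
    if not parsed["packets_sent"]:
        problems.append("packets sent is 0 or missing since the counters were cleared")
    for name, count in parsed["errors"].items():
        if count:  # counters not described on this page are still reported
            problems.append(f"{name} = {count}: {GUIDANCE.get(name, 'not described on this page')}")
    return problems
```

Run it on output captured a few minutes after clear flow-export counters, so that a packets sent value of zero reflects current traffic rather than history.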