Verify that NSEL Events are Being Sent to the SEC
Use one of two commands to verify that NSEL packets are being sent to the SEC:
- flow-export counters
- capture
Use the "flow-export counters" Command to Check for flow-export Packets Being Sent and for NSEL errors
- Make sure you have configured your ASA to send NSEL events to the SEC. See Configuring NSEL for ASA Devices Using a Security Cloud Control Macro.
- The SEC IP address is the flow collector address for NSEL events. If you have onboarded more than one SEC to your tenant, be sure you are using the correct IP address.
- Find the UDP port number used to forward NetFlow events. See Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics and Logging.
- Our recommended interface on the ASA from which to send NSEL events is the management interface; your interface may be different.
Use the command line interface in Security Cloud Control to send these commands to the ASAs that you have configured for NSEL.
Procedure
Step 1 | In the navigation pane, click Security Devices. |
Step 2 | Click the Devices tab. |
Step 3 | Click the appropriate device tab and select the ASA you configured to send NSEL events to the SEC. |
Step 4 | In the Device Actions pane on the right, click Command Line Interface. |
Step 5 | Reset the flow export counters by running the example: >
|
Step 6 | Run the show flow-export counters command to see the destination of the NSEL packets, how many packets were sent, and any errors. Example:
>show flow-export counters
In the output above, the destination line shows the interface on the ASA from which NSEL events are sent, the IP address of the SEC, and port 10425 of the SEC. It also shows 25000 packets sent. If there are no errors and packets are being sent, skip to Verify that NetFlow Packets are Being Received by the Cisco Cloud below. |
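The check in Step 6 can be scripted when several ASAs need to be verified. The following is an added example, not Cisco's code: the helper name check_flow_export is hypothetical, the sample output is constructed with an assumed layout, and 192.0.2.10 is a placeholder SEC address.

```python
import re

# Constructed sample of "show flow-export counters" output (not captured from a
# real device). The layout is an assumption; the interface, port and packet
# count follow the values this page describes, the IP is a documentation address.
SAMPLE = """\
destination: management 192.0.2.10 10425
  Statistics:
    packets sent                       25000
  Errors:
    block allocation failure               0
    invalid interface                      0
    template send failure                  0
    no route to collector                  3
    source port allocation failure         0
"""

# Error counter names as listed on this page, matched as line prefixes.
ERROR_PREFIXES = ("block allocation", "invalid interface", "template send failure",
                  "no route to collector", "source port allocation")

def check_flow_export(output, sec_ip, sec_port):
    """Return a list of findings; an empty list means the export looks healthy."""
    findings = []
    dest = re.search(r"^\s*destination:\s*(\S+)\s+(\S+)\s+(\d+)\s*$", output, re.M)
    if not dest:
        return ["no destination line: flow export may not be configured"]
    iface, ip, port = dest.group(1), dest.group(2), int(dest.group(3))
    # With more than one SEC onboarded, the collector must be the intended one.
    if (ip, port) != (sec_ip, sec_port):
        findings.append(f"destination {ip}:{port} on {iface} is not the SEC {sec_ip}:{sec_port}")
    sent = re.search(r"^\s*packets sent\s+(\d+)\s*$", output, re.M)
    if not sent or int(sent.group(1)) == 0:
        findings.append("no packets sent since the counters were reset")
    # Report every error counter from this page that is above zero.
    for line in output.splitlines():
        m = re.match(r"\s*(.+?)\s+(\d+)\s*$", line)
        if m and m.group(1).startswith(ERROR_PREFIXES) and int(m.group(2)) > 0:
            findings.append(f"{m.group(1)}: {m.group(2)}")
    return findings

if __name__ == "__main__":
    for finding in check_flow_export(SAMPLE, "192.0.2.10", 10425):
        print("CHECK:", finding)
```

Each finding names the counter to look up in the error descriptions on this page.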
Error descriptions:
- block allocation errors: If you receive a block allocation error, the ASA did not allocate memory to the flow-exporter.
  - Recovery action: Call Cisco Technical Assistance Center (TAC).
- invalid interface: Indicates that you are trying to send NSEL events to the SEC but the interface you've defined for flow export isn't configured to do so.
  - Recovery action: Review the interface you chose when configuring NSEL. We recommend using the management interface; your interface may be different.
- template send failure: The template you had to define NSEL was not parsed correctly.
  - Recovery action: Contact Security Cloud Control support.
- no route to collector: Indicates there is no network route from the ASA to the SEC.
  - Recovery actions:
    - Make sure that the IP address you used for the SEC when you configured NSEL is correct.
    - Make sure the SEC's status is Active and it has sent a recent heartbeat. See SDC is Unreachable.
    - Make sure the Secure Device Connector's status is Active and it has sent a recent heartbeat.
- source port allocation: May indicate that there is a bad port on your ASA.