ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Have 2 ASA's with identical configs; only 1 ASA appears in NTOP #4910

Closed nygc-jmaldonado closed 3 years ago

nygc-jmaldonado commented 3 years ago

I can see packets making it to nprobe, NTOP sees ASA from SNMP perspective, flow data for ASA is not making it from nprobe over to ntop. Any idea what this could be?

Some logs... not sure if the "unresponsive" messages have anything to do with it.


```
Jan 14 00:15:03 ntop ntopng: Host 10.99.99.27 is unresponsive
Jan 14 00:15:03 ntop ntopng: Host 192.168.250.2 is unresponsive
Jan 14 00:15:03 ntop ntopng: Host 10.99.99.23 is unresponsive
Jan 14 00:15:03 ntop ntopng: Host 10.99.99.6 is unresponsive
Jan 14 00:15:03 ntop ntopng: Host 10.99.99.22 is unresponsive
Jan 14 00:55:02 ntop ntopng: Host 10.99.99.21 is unresponsive
Jan 14 00:55:02 ntop ntopng: Host 10.99.99.6 is unresponsive
Jan 14 00:55:02 ntop ntopng: Host 10.99.99.26 is unresponsive
Jan 14 00:55:02 ntop ntopng: Host 10.99.99.25 is unresponsive
Jan 14 00:55:02 ntop ntopng: Host 10.99.99.12 is unresponsive

14/Jan/2021 00:15:03 [5min.lua:26] [ts_5min_dump_utils.lua:475] ERROR [tcp://10.1.28.91:5556]Cannot complete local hosts timeseries dump. Disk slow or too many local hosts?
```
simonemainardi commented 3 years ago

Show nprobe and ntopng config used please

nygc-jmaldonado commented 3 years ago

NTOP

```
-bash-4.2$ cat /etc/ntopng/ntopng.conf
# The configuration file is similar to the command line, with the exception that an equal
# sign '=' must be used between key and value. Example: -i=p1p2 or --interface=p1p2 For
# options with no value (e.g. -v) the equal is also necessary. Example: "-v=" must be used.
#
#
# -G|--pid-path
# Specifies the path where the PID (process ID) is saved. This option is ignored when
# ntopng is controlled with systemd (e.g., service ntopng start).
#
-G=/var/run/ntopng.pid
-G=/var/run/ntopng.pid --online-license-check
# -e|--daemon
# This parameter causes ntop to become a daemon, i.e. a task which runs in the background
# without connection to a specific terminal. To use ntop other than as a casual monitoring
# tool, you probably will want to use this option. This option is ignored when ntopng is
# controlled with systemd (e.g., service ntopng start)
#
-e=
--daemon
#
# -i|--interface
# Specifies the network interface or collector endpoint to be used by ntopng for network
# monitoring. On Unix you can specify both the interface name (e.g. lo) or the numeric
# interface id as shown by ntopng -h. On Windows you must use the interface number instead.
# Note that you can specify -i multiple times in order to instruct ntopng to create
# multiple interfaces.
#
-i=eth0
-i=eth1
-i=eth2
--interface="tcp://10.1.28.91:5556"
#
# -w|--http-port
# Sets the HTTP port of the embedded web server.
#
-w=3000
#
# -m|--local-networks
# ntopng determines the ip addresses and netmasks for each active interface. Any traffic on
# those networks is considered local. This parameter allows the user to define additional
# networks and subnetworks whose traffic is also considered local in ntopng reports. All
# other hosts are considered remote. If not specified the default is set to 192.168.1.0/24.
#
# Commas separate multiple network values. Both netmask and CIDR notation may be used,
# even mixed together, for instance "131.114.21.0/24,10.0.0.0/255.0.0.0".
#
-m=10.10.123.0/24
-m=10.10.124.0/24
--local-networks="10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16"
#
# -n|--dns-mode
# Sets the DNS address resolution mode: 0 - Decode DNS responses and resolve only local
# (-m) numeric IPs 1 - Decode DNS responses and resolve all numeric IPs 2 - Decode DNS
# responses and don't resolve numeric IPs 3 - Don't decode DNS responses and don't resolve
#
-n=1
#
# -S|--sticky-hosts
# ntopng periodically purges idle hosts. With this option you can modify this behaviour by
# telling ntopng not to purge the hosts specified by -S. This parameter requires an
# argument that can be "all" (Keep all hosts in memory), "local" (Keep only local hosts),
# "remote" (Keep only remote hosts), "none" (Flush hosts when idle).
#
-S=
--sticky-hosts
#
# -d|--data-dir
# Specifies the data directory (it must be writable by the user that is executing ntopng).
#
-d=/var/tmp/ntopng
#
# -q|--disable-autologout
# Disable web interface logout for inactivity.
#
-q=
--max-num-flows=200000 --max-num-hosts=250000 --enable-aggregations
```



nygc-jmaldonado commented 3 years ago

NPROBE

```
-bash-4.2$ cat /etc/nprobe/nprobe.conf
# The configuration file is similar to the command line, with the exception that an equal
# sign '=' must be used between key and value. Example: -i=p1p2 or --interface=p1p2 For
# options with no value (e.g. -v) the equal is also necessary. Example: "-v=" must be used.
#
#
# Parameters here
--online-license-check -i=none
-n=10.1.28.70:5556
--zmq="tcp://*:5556" -3=2055
# Explanation For Parameters Below
#
#
# -g|--pid-file
# Specifies the path where the PID (process ID) is saved. This option is ignored when
# nProbe is controlled with systemd (e.g., service nProbe start).
#
-G=/var/run/nprobe.pid
#
# -G|--daemon-mode
# This parameter causes nProbe to become a daemon, i.e. a task which runs in background
# without connection to a specific terminal. To use nProbe other than as a casual monitoring
# tool, you probably will want to use this option. This option is ignored when nProbe is
# controlled with systemd (e.g., service nProbe start)
#
-G=
#
# -i|--interface
# Specifies the physical network interface that nProbe will use to perform the
# monitoring. On Unix you can specify the interface name (e.g. -i lo) whereas on Windows
# you must use the interface number instead (see -h to see the list of numeric ids).
# To disable monitoring from physical interfaces (e.g., when nProbe is used in
# collector-only mode) specify -i=none
#
-i=eth1
#
# -n|--collector
# Specifies the NetFlow collector that will be used by nProbe to send the monitored
# flows. This option can be specified multiple times to deliver monitored flows to
# multiple collectors in round-robin mode. To disable flow export to NetFlow collectors
# specify -n=none
#
-n=none
#
# -3|--collector-port
# Specifies the port that is being used by a NetFlow exporter to send NetFlow to nProbe.
# Multiple NetFlow exporters can symultaneously send data to nProbe using the same port.
# In case no NetFlow exporter is sending data it is safe to skip this option.
#
```


simonemainardi commented 3 years ago

Visit the interface page under ntopng. See if collected ZMQ messages increase or if it stays at zero. This will allow us to understand if nprobe and ntopng can communicate correctly.

nygc-jmaldonado commented 3 years ago

Collected messages are increasing


nygc-jmaldonado commented 3 years ago

Also to note, 1 ASA (5555) appears and disappears from the list of flow exporters. The other ASA (5585-X SSP-40) never appears. Configs are identical.

Nprobe sees the traffic from both.


nygc-jmaldonado commented 3 years ago

Do you want to jump on a webex?

nygc-jmaldonado commented 3 years ago

Hey there,

Any ideas as to what this could be?

simonemainardi commented 3 years ago

Attach ntopng and nprobe configs

nygc-jmaldonado commented 3 years ago

Both configs are attached.



simonemainardi commented 3 years ago

Jump on the nprobe machine and execute each command for 1 minute:

```shell
# tcpdump options go before the capture filter; replace the <...> placeholders
sudo tcpdump -nne -i <incoming netflow interface> -s0 -w first_asa.pcap udp and port 2055 and host <IP of the first asa>
sudo tcpdump -nne -i <incoming netflow interface> -s0 -w second_asa.pcap udp and port 2055 and host <IP of the second asa>
```

Then, send me those files for inspection. My guess is that you are not getting data or templates and so nProbe doesn't know how to interpret NetFlow. You can send using mainardi at ntop dot org

simonemainardi commented 3 years ago

Second ASA seems not to be reporting templates as we have verified via the pcap provided

[image attached]

Without templates, it is impossible for nProbe to parse NetFlow. Check the ASA, make sure it exports templates periodically, every 10-30 seconds.
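The template check described above can be scripted. The following is an added example, not ntop code and not from this thread: it parses NetFlow v9 payloads per exporter, learns template FlowSets (ID 0) and counts data FlowSets that arrive with no matching template, which is exactly the condition that leaves an exporter invisible to the collector. The two exporters 192.0.2.1 and 192.0.2.2 and their packets are constructed inline; feeding a real pcap would need a UDP payload extractor (e.g. scapy), which is left out.

```python
"""Flag NetFlow v9 exporters whose data records arrive without a template (added example)."""
import struct
from collections import defaultdict

# NetFlow v9 packet header: version, count, sysUptime, unixSecs, sequence, sourceId
NF9_HEADER = struct.Struct("!HHIIII")

def parse_v9_packet(payload):
    """Split one NetFlow v9 UDP payload into (source_id, [(flowset_id, body), ...])."""
    version, _count, _uptime, _secs, _seq, source_id = NF9_HEADER.unpack_from(payload, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    off, flowsets = NF9_HEADER.size, []
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("malformed FlowSet length")
        flowsets.append((fs_id, payload[off + 4:off + fs_len]))
        off += fs_len
    return source_id, flowsets

def parse_templates(body):
    """Parse a template FlowSet body (FlowSet ID 0) into {template_id: [(type, length), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        if tid < 256:  # template IDs start at 256; anything lower is trailing padding
            break
        off += 4
        templates[tid] = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
        off += 4 * nfields
    return templates

def audit_stream(packets):
    """packets: iterable of (exporter_ip, payload). Count decodable records per exporter."""
    state = defaultdict(lambda: {"templates": {}, "data_records": 0, "orphan_flowsets": 0})
    for exporter, payload in packets:
        _source_id, flowsets = parse_v9_packet(payload)
        st = state[exporter]
        for fs_id, body in flowsets:
            if fs_id == 0:  # template FlowSet: learn the record layout for later data
                st["templates"].update(parse_templates(body))
            elif fs_id >= 256:  # data FlowSet: decodable only with a known template
                tmpl = st["templates"].get(fs_id)
                rec_len = sum(length for _ftype, length in tmpl) if tmpl else 0
                if rec_len == 0:
                    st["orphan_flowsets"] += 1  # exactly what a collector has to drop
                else:
                    st["data_records"] += len(body) // rec_len
            # FlowSet ID 1 (options template) is not needed for this check
    return dict(state)

def exporters_missing_templates(summary):
    """Exporters that sent data but never a template: invisible to the collector."""
    return sorted(ip for ip, st in summary.items()
                  if st["orphan_flowsets"] and not st["templates"])

# ---- constructed sample traffic, not a real capture ----------------------------------
def _template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def _data_flowset(tid, records):
    body = b"".join(records)
    body += b"\x00" * (-len(body) % 4)  # exporters pad FlowSets to a 4-byte boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body

def _packet(source_id, record_count, flowsets):
    return NF9_HEADER.pack(9, record_count, 1000, 1611000000, 1, source_id) + b"".join(flowsets)

def sample_capture():
    """Two exporters: 192.0.2.1 sends template 256 plus data, 192.0.2.2 sends data only."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]  # src/dst IPv4, src/dst port, proto

    def rec(sport):  # one 13-byte record matching the template above
        return struct.pack("!4s4sHHB", bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), sport, 443, 6)

    good = _packet(1, 3, [_template_flowset(256, fields), _data_flowset(256, [rec(40000), rec(40001)])])
    bad = _packet(2, 3, [_data_flowset(256, [rec(50000), rec(50001), rec(50002)])])
    return [("192.0.2.1", good), ("192.0.2.2", bad)]  # placeholder exporter addresses

if __name__ == "__main__":
    summary = audit_stream(sample_capture())
    for ip, st in summary.items():
        print(f"{ip}: {st['data_records']} records decoded, {st['orphan_flowsets']} FlowSets without template")
    print("exporters missing templates:", exporters_missing_templates(summary))
```

An exporter that only shows up in the missing list has the same symptom as the second ASA here: its data FlowSets are counted but nothing can be decoded until a template FlowSet arrives.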

nygc-jmaldonado commented 3 years ago

Both are configured identically, neither is showing up in ntopng. The only difference is what interface the ASA chooses to send packets out.

1st ASA:

```
access-list flow_export_acl extended permit ip any any
flow-export destination inside 10.1.x.91 2055
flow-export template timeout-rate 5
flow-export active refresh-interval 1
class-map flow_export_class
 match access-list flow_export_acl
class flow_export_class
 flow-export event-type all destination 10.1.x.91
```

2nd ASA:

```
access-list flow_export_acl extended permit ip any any log
flow-export destination management 10.1.x.91 2055
flow-export template timeout-rate 5
flow-export active refresh-interval 1
class-map flow_export_class
 match access-list flow_export_acl
class flow_export_class
 flow-export event-type all destination 10.1.x.91
```


simonemainardi commented 3 years ago

I am not familiar with ASA but unless you configure them to export templates, there's no way for nprobe to parse their netflow. Can you check this?

nygc-jmaldonado commented 3 years ago

Templates are being sent. This is what I get when I start nprobe.

```
[root@nprobe ~]# nprobe /etc/nprobe/nprobe.conf
27/Jan/2021 08:41:03 [nprobe.c:5044] Reading configuration file /etc/nprobe/nprobe.conf
27/Jan/2021 08:41:03 [plugin.c:177] No plugins found in ./plugins
27/Jan/2021 08:41:03 [plugin.c:185] Loading 23 plugins [.so] from /usr/local/lib/nprobe/plugins
27/Jan/2021 08:41:03 [nprobe.c:2462] Contacting licensing server. Please hold on...
27/Jan/2021 08:41:05 [nprobe.c:4623] Valid nProbe Pro license found
27/Jan/2021 08:41:05 [nprobe.c:6675] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
27/Jan/2021 08:41:05 [nprobe.c:6678] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
27/Jan/2021 08:41:05 [nprobe.c:6684] WARNING: You have specified --zmq and not specified -n.
27/Jan/2021 08:41:05 [nprobe.c:6685] WARNING: We believe you want to use just ZMQ and no netflow export
27/Jan/2021 08:41:05 [nprobe.c:6686] WARNING: Setting flow export to -n none
27/Jan/2021 08:41:05 [nprobe.c:6765] Welcome to Pro nProbe v.9.0.200522 ($Revision: 6820 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration
27/Jan/2021 08:41:05 [nprobe.c:6776] Running on CentOS Linux release 7.7.1908 (Core)
27/Jan/2021 08:41:05 [nprobe.c:6787] [LICENSE] nProbe SystemId: 688FBED676066B1F
27/Jan/2021 08:41:05 [nprobe.c:6858] Sample rate [packet: 1][flow collection/export: 1/1]
27/Jan/2021 08:41:05 [nprobe.c:9707] Welcome to nProbe v.9.0.200522 for x86_64-unknown-linux-gnu
27/Jan/2021 08:41:05 [nprobe.c:8664] Using default template %IN_SRC_MAC %OUT_DST_MAC %INPUT_SNMP %OUTPUT_SNMP %SRC_VLAN %IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %IPV6_SRC_ADDR %IPV6_DST_ADDR %IP_PROTOCOL_VERSION %PROTOCOL %L7_PROTO %IN_BYTES %IN_PKTS %OUT_BYTES %OUT_PKTS %FIRST_SWITCHED %LAST_SWITCHED %CLIENT_TCP_FLAGS %SERVER_TCP_FLAGS
27/Jan/2021 08:41:05 [nprobe.c:8551] WARNING: Adding %EXPORTER_IPV4_ADDRESS to the template as nProbe is working as collector
27/Jan/2021 08:41:05 [nprobe.c:8669] Using NetFlow Packet Payload Len: 1472
27/Jan/2021 08:41:05 [nprobe.c:8704] Flow export type: bidirectional flows
27/Jan/2021 08:41:05 [plugin.c:1309] 0 plugin(s) enabled
27/Jan/2021 08:41:05 [nprobe.c:9142] Each flow is 104 bytes long
27/Jan/2021 08:41:05 [nprobe.c:9143] The # flows per packet has been set to 13
27/Jan/2021 08:41:05 [nprobe.c:9146] IP TOS is ignored
27/Jan/2021 08:41:05 [nprobe.c:9990] Flows ASs will not be computed (no GeoDB files loaded)
27/Jan/2021 08:41:05 [nprobe.c:10095] Not capturing packet from interface (collector mode)
27/Jan/2021 08:41:05 [util.c:5025] Initializing ZMQ as server
27/Jan/2021 08:41:05 [util.c:5102] ERROR: Unable to bind ZMQ endpoint tcp://*:5556: Address already in use
27/Jan/2021 08:41:05 [util.c:4033] Enlarged socket buffer [echo 8388608 > /proc/sys/net/core/rmem_max]
27/Jan/2021 08:41:05 [util.c:4074] nProbe changed user to 'nprobe'
27/Jan/2021 08:41:05 [collect.c:192] Flow collector listening on port 2055 (IPv4/v6)
27/Jan/2021 08:41:05 [export.c:543] Using TLV as serialization format
27/Jan/2021 08:41:05 [nprobe.c:10361] nProbe started successfully
```


simonemainardi commented 3 years ago

Someone is already using that port.

```
27/Jan/2021 08:41:05 [util.c:5102] ERROR: Unable to bind ZMQ endpoint tcp://*:5556: Address already in use
```

Check with netstat, kill the process using it, and restart.

nygc-jmaldonado commented 3 years ago

Ok was able to resolve that issue. Killed the process.

Was able to also resolve the ASA NetFlow issue by adding -n with the target address (ntopng:5556):

```
--online-license-check -i=none -n=10.1.28.70:5556 --zmq="tcp://*:5556" -3=2055
```
