Having issues while trying to export NetFlow data over IPsec?
Here are some quick checks and the resolution to this issue.
Consider the following set-up:
Router ---- IPsec tunnel ---- ASA ---- collector
Some common symptoms we notice are as follows:
1. The collector works fine when connected on the same subnet as the router, but not across the ASA.
2. If there is no IPsec involved, the collector receives data with the exact same configuration; however, when we try exporting over IPsec we have issues.
Quick checks to be made before we proceed:
1. Is the collector pingable from the router?
2. Does the collector support the version of NetFlow we are trying to configure?
Now let’s take this step by step.
1. We might need to configure Flexible NetFlow (FNF) to support the export of data over IPsec. If we have GRE over IPsec,
then we may be able to use traditional NetFlow as well, since that case is resolved by CSCte87809; however, if we have a plain
IPsec tunnel we need to configure FNF as follows.
Here is a sample configuration for FNF. The exporter needs output-features (see step 3) so that the export packets are encrypted, and the flow monitor must reference the exporter, otherwise nothing is exported.
Here are the commands:
flow exporter FlowExporter1
 destination <collector ip address>
 source <source interface>
 transport udp 9996
 output-features
!
flow monitor FlowMonitor1
 record netflow ipv4 original-input
 exporter FlowExporter1
 cache timeout active 1
!
interface FastEthernet0/0
 ip flow monitor FlowMonitor1 input
*Change the source interface, destination, NetFlow version and transport UDP port as required.
I have taken FastEthernet0/0 as the example interface.
2. Check the version of IOS we are running.
CSCsk25481: Flexible NetFlow export packets not encrypted.
IOS versions affected by the above bug will not export NetFlow data over IPsec, and this applies to both traditional NetFlow and Flexible NetFlow configurations. The bug has been fixed in IOS versions 12.4(20)T, 15.0(1)M, 15.1(1)T and onwards in each train.
3. It is very important that we make sure we have the "output-features" command under
the FlowExporter1 configuration.
Note: To enable sending Flexible NetFlow export packets using quality of service (QoS) or encryption, use the output-features command in Flexible NetFlow flow exporter configuration mode. To disable sending export packets using QoS or encryption, use the no form of this command.
If the router has the output features QoS or encryption configured, the output-features command causes those output features to be run on Flexible NetFlow export packets. Without it, the export packets bypass the crypto map and leave the router in clear text, which is why the collector behind the IPsec tunnel never sees them.
Use the following commands to verify that Flexible NetFlow is working:
- show running-config flow monitor
- show flow interface type number
- show flow monitor name monitor-name cache format record
- show flow monitor name monitor-name cache format table
- show flow exporter exporter-name
- show running-config flow exporter exporter-name
- (Note: "show ip flow export" will not show the relevant data when we have Flexible NetFlow configured.)
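To make the checks from steps 1 and 3 repeatable, here is an added example (not from the original post) that parses a saved running-config and flags an exporter without output-features, a flow monitor with no exporter attached, and a monitor not applied to any interface. The config text is constructed and mirrors the sample above, minus output-features, so the check is expected to flag it.

```python
# Parse an IOS-style running-config and check the Flexible NetFlow-over-IPsec pitfalls.

# Constructed sample config (deliberately missing output-features under the exporter).
SAMPLE_CONFIG = """\
flow exporter FlowExporter1
 destination 192.0.2.10
 transport udp 9996
!
flow monitor FlowMonitor1
 record netflow ipv4 original-input
 cache timeout active 1
 exporter FlowExporter1
!
interface FastEthernet0/0
 ip flow monitor FlowMonitor1 input
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level heading (e.g. 'flow exporter X')."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and IOS '!' separators
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections[current] = []
    return sections

def check_fnf_over_ipsec(config):
    """Return a list of findings; an empty list means the checklist passes."""
    sections = parse_sections(config)
    findings = []
    exporters = {k.split()[2]: v for k, v in sections.items() if k.startswith("flow exporter ")}
    monitors = {k.split()[2]: v for k, v in sections.items() if k.startswith("flow monitor ")}
    # Monitor names applied with 'ip flow monitor <name> input|output' on any interface.
    applied = {l.split()[3] for k, v in sections.items() if k.startswith("interface ")
               for l in v if l.startswith("ip flow monitor ")}
    for name, lines in exporters.items():
        if "output-features" not in lines:
            findings.append(f"exporter {name}: missing output-features, export packets will not be encrypted")
    for name, lines in monitors.items():
        if not any(l.startswith("exporter ") for l in lines):
            findings.append(f"monitor {name}: no exporter attached")
        if name not in applied:
            findings.append(f"monitor {name}: not applied to any interface")
    return findings
```

Run it against the output of "show running-config" saved to a file; an empty result means all three conditions from the post are satisfied.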
Here is a small flowchart representation relating traditional NetFlow to Flexible NetFlow, for those who are more comfortable with TNF.
Note: In some versions of Cisco IOS Software the "ip flow ingress" is the equivalent command for "ip route-cache flow."
Please feel free to comment below...