12-13-2007 06:24 AM - edited 03-09-2019 07:38 PM
Group Member (GM) router in a GDOI environment is not having its Netflow or Syslog traffic encrypted. Traffic is sourced from the Loopback interface which is included in the Key Server ACL.
All other traffic originating from behind the GM router is encrypted.
Any help?
What debug commands might help pin point how this Netflow traffic is being treated, relative to GDOI?
Thanks in advance.
12-20-2007 07:12 AM
Netflow traffic is not encrypted by default. There is a bug CSCef28662 filed demanding to implement this feature for netflow traffic as well.
12-24-2007 06:01 AM
Thanks for the response. Considering when following the guidelines of blocking clear text, this presents a challenge.
We have found if in our encryption acl / interesting traffic, even if we put in a deny for the Netflow traffic, we still receive "CRYPTO-4-RECVD_PKT_NOT_IPSEC" for this traffic.
It's looking like we are unable to collect NetFlow data at all.
Suggestions?
01-02-2008 07:11 AM
Solution found;
Specific 2 way traffic needed to be excluded from GDOI Interesting Traffic ACL;
* Netflow traffic to the Collector - host + port
* ICMP echo-reply traffic from collector to host router
What I had been missing was the ICMP Echo-Reply back from the collector - once identified - SOLUTION FOUND!
I hope this helps others
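The exclusion described in the solution post, written out as a Key Server policy ACL. This is an added example, not configuration from the original thread: the group name, profile name, identity number, the GM loopback address 10.1.1.1, the collector address 10.2.2.2 and the NetFlow export port 9996 are all constructed placeholders, and only the policy-related part of the key server configuration is shown. In a GDOI policy ACL a `deny` entry means "do not encrypt" (the flow crosses the network in clear text), and a `permit` entry means "encrypt"; because IOS stops at the first match, the two exclusions must sit above `permit ip any any`.

```cisco
! Added example (not from the original thread). Constructed values:
!   GM loopback        10.1.1.1
!   NetFlow collector  10.2.2.2
!   export port        UDP 9996 (placeholder; use the collector's actual port)
ip access-list extended GDOI-POLICY
 ! Flow 1: NetFlow export from the GM loopback to the collector.
 ! deny = leave in clear text rather than encrypting with the group SA.
 remark NetFlow export, GM loopback -> collector
 deny   udp host 10.1.1.1 host 10.2.2.2 eq 9996
 ! Flow 2: the ICMP echo-reply the collector sends back to the loopback.
 ! Without this entry the reply arrives in clear text, is matched by the
 ! permit below, and is dropped with CRYPTO-4-RECVD_PKT_NOT_IPSEC.
 remark ICMP echo-reply, collector -> GM loopback
 deny   icmp host 10.2.2.2 host 10.1.1.1 echo-reply
 ! Everything else is encrypted by the group.
 permit ip any any
!
! Key server: attach the policy ACL to the group's IPsec SA
! (constructed group, profile and identity values).
crypto gdoi group GDOI-GROUP
 identity number 1234
 server local
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GDOI-POLICY
```

After changing the ACL on the key server, push the new policy to the group members with `crypto gdoi ks rekey`, then confirm on the key server with `show crypto gdoi ks acl` and on a group member with `show crypto gdoi gm acl` that both deny entries appear above the permit. The trade-off is the one the thread accepted: NetFlow export and the collector's echo-replies now traverse the network unencrypted, so the collector side should be reachable only over a trusted or separately protected path.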