12-13-2007 06:24 AM - edited 03-09-2019 07:38 PM
A Group Member (GM) router in a GDOI environment is not having its NetFlow or Syslog traffic encrypted. The traffic is sourced from the Loopback interface, which is included in the Key Server ACL.
All other traffic originating from behind the GM router is encrypted.
Any help?
What debug commands might help pinpoint how this NetFlow traffic is being treated, relative to GDOI?
Thanks in advance.
12-20-2007 07:12 AM
NetFlow traffic is not encrypted by default. There is a bug CSCef28662 filed demanding to implement this feature for NetFlow traffic as well.
12-24-2007 06:01 AM
Thanks for the response. Considering when following the guidelines of blocking clear text, this presents a challenge.
We have found that even if we put a deny for the NetFlow traffic in our encryption ACL / interesting traffic, we still receive "CRYPTO-4-RECVD_PKT_NOT_IPSEC" for this traffic.
It's looking like we are unable to collect NetFlow data at all.
Suggestions?
01-02-2008 07:11 AM
Solution found:
Specific two-way traffic needed to be excluded from the GDOI Interesting Traffic ACL:
* Netflow traffic to the Collector - host + port
* ICMP echo-reply traffic from collector to host router
What I had been missing was the ICMP Echo-Reply back from the collector. Once identified, SOLUTION FOUND!
I hope this helps others
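As an added illustration of the fix described in the post above (this is not configuration from the original thread), the Key Server's GDOI policy ACL with both directions of the NetFlow exchange excluded before the encrypt-everything permit. The GM loopback 10.0.0.1, the collector 10.10.10.50, UDP port 9996, the ACL and group names, and the address ranges are placeholders; substitute your own values.

```cisco
! Key Server: GDOI policy ACL (constructed example, placeholder addresses)
ip access-list extended GDOI-INTERESTING
 ! NetFlow export from the GM loopback to the collector: sent in the clear
 deny   udp  host 10.0.0.1 host 10.10.10.50 eq 9996
 ! Return path: the collector's ICMP echo-reply to the GM loopback must be
 ! excluded too, otherwise the GM drops it with CRYPTO-4-RECVD_PKT_NOT_IPSEC
 deny   icmp host 10.10.10.50 host 10.0.0.1 echo-reply
 ! Everything else between the sites is encrypted
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Bind the ACL to the group's IPsec SA policy (placeholder identity and profile)
crypto gdoi group GETVPN
 identity number 1234
 server local
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GDOI-INTERESTING
```

The key points are that the deny entries sit above the permit and that both directions of the clear-text exchange are listed, since the policy is pushed to every GM and applied to inbound as well as outbound traffic.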