636 Views · 0 Helpful · 3 Replies

GDOI \ GETVPN - GM router's traffic not being encrypted

kst.amand (Level 1)

Group Member (GM) router in a GDOI environment is not having its Netflow or Syslog traffic encrypted. Traffic is sourced from the Loopback interface, which is included in the Key Server ACL.

All other traffic originating from behind the GM router is encrypted.

Any help?

What debug commands might help pinpoint how this Netflow traffic is being treated, relative to GDOI?

Thanks in advance.

3 Replies

ivillegas (Level 6) - Accepted Solution

Netflow traffic is not encrypted by default. There is a bug CSCef28662 filed demanding to implement this feature for netflow traffic as well.

Thanks for the response. When following the guidelines of blocking clear text, this presents a challenge.

We have found that even if we put a deny for the Netflow traffic in our encryption ACL / interesting traffic, we still receive "CRYPTO-4-RECVD_PKT_NOT_IPSEC" for this traffic.

It's looking like we are unable to collect NetFlow data at all.

Suggestions?

Solution found:

Specific 2-way traffic needed to be excluded from the GDOI Interesting Traffic ACL:

* Netflow traffic to the Collector - host + port

* ICMP echo-reply traffic from collector to host router

What I had been missing was the ICMP Echo-Reply back from the collector. Once identified, SOLUTION FOUND!

I hope this helps others.
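The fix described in the thread, modelled as an added example (not configuration from the thread, and not Cisco's own code): a small evaluator for first-match extended-ACL semantics, run against constructed flows. It shows why both directions had to be excluded from the interesting-traffic ACL. With only the NetFlow deny present, the collector's ICMP echo-reply still matches the encrypted-domain permit, so the GM expects IPsec for a packet that arrives in clear text (the situation behind the RECVD_PKT_NOT_IPSEC message); with both denies in place, both flows are excluded while LAN-to-LAN traffic stays encrypted. The loopback address 10.255.0.1, collector 10.200.0.10, UDP port 2055, the 10.0.0.0/8 encrypted domain and the ACL lines are all assumptions; the parser covers only the subset of IOS ACE syntax used here and assumes contiguous wildcard masks.

```python
"""First-match evaluation of a GETVPN key-server (interesting-traffic) ACL.

Added example, not configuration from the thread. Every address, port and
ACL line below is constructed to mirror the fix described in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str                        # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None       # UDP/TCP destination port
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]


def _parse_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask is an inverted netmask; assumed contiguous here.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix_len = bin((~wildcard) & 0xFFFFFFFF).count("1")
    return ipaddress.ip_network(f"{tok}/{prefix_len}", strict=False), i + 2


def parse_ace(line: str) -> Entry:
    """Parse one extended ACE in the subset of IOS syntax used in this example."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = icmp_type = None
    rest = tokens[i:]
    if proto in ("udp", "tcp") and len(rest) >= 2 and rest[0] == "eq":
        dport = int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = rest[0]
    return Entry(action, proto, src, dst, dport, icmp_type)


def matches(entry: Entry, flow: Flow) -> bool:
    if entry.proto != "ip" and entry.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in entry.src:
        return False
    if ipaddress.ip_address(flow.dst) not in entry.dst:
        return False
    if entry.dport is not None and entry.dport != flow.dport:
        return False
    if entry.icmp_type is not None and entry.icmp_type != flow.icmp_type:
        return False
    return True


def classify(acl: List[Entry], flow: Flow) -> str:
    """First match wins: permit = GM encrypts / expects IPsec, deny = clear text.
    The implicit deny at the end of the ACL also leaves traffic in clear."""
    for entry in acl:
        if matches(entry, flow):
            return "encrypt" if entry.action == "permit" else "clear"
    return "clear"


# Constructed ACLs (assumed addresses): the complete fix, and the incomplete one
# that still had the collector's echo-reply inside the encrypted domain.
KS_ACL = [parse_ace(l) for l in [
    "deny udp host 10.255.0.1 host 10.200.0.10 eq 2055",      # NetFlow export
    "deny icmp host 10.200.0.10 host 10.255.0.1 echo-reply",  # reply from collector
    "permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
]]
KS_ACL_INCOMPLETE = [KS_ACL[0], KS_ACL[2]]

# Constructed sample flows seen by the GM.
FLOWS = {
    "netflow_export": Flow("udp", "10.255.0.1", "10.200.0.10", dport=2055),
    "collector_echo_reply": Flow("icmp", "10.200.0.10", "10.255.0.1", icmp_type="echo-reply"),
    "lan_to_lan": Flow("tcp", "10.1.1.5", "10.2.2.7", dport=443),
}


def evaluate_flows(acl: List[Entry]) -> dict:
    return {name: classify(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("complete", KS_ACL), ("incomplete", KS_ACL_INCOMPLETE)):
        print(label, evaluate_flows(acl))
```

Running the block prints the classification under both ACLs; the incomplete ACL marks `collector_echo_reply` as `encrypt`, which is exactly the packet the GM would expect inside IPsec but receive in clear.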
