IPSec Tunnel and NetFlow Packets

Answered Question
Mar 3rd, 2008

I have an 1841 router running IPSec with an ASA. F0/0 is the source interface. I also configured NetFlow, which is to be sent via the IPSec tunnel to the analyzer. The ACL defining the IPSec interesting traffic covers the NetFlow source and destination addresses. But NetFlow traffic is not picked up by the tunnel. When I ping the destination from the router, the ICMP traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go to the tunnel?

Thanks.

Correct Answer
cleidh_mor Mon, 03/03/2008 - 06:47

Is there a route to the netflow destination address? I've seen issues with traffic that was headed for a destination that wasn't in the routing table not being sent down a VPN.

Chuan Liu Mon, 03/03/2008 - 12:13

Yes, I have a static host route. The traffic is always sent to the next-hop router, not into the IPSec tunnel that is defined by the ACL.

Chuan Liu Mon, 03/03/2008 - 14:14

Hi,


The problem is solved by the static route pointing to the outgoing interface instead of the next-hop address.


Thanks for directing me to think in the correct way.
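
The change reported in the last post, written out as an IOS configuration sketch. This is an added example, not configuration from the thread: every address, the ACL number, the crypto map and transform-set names, and the placement of the crypto map on F0/0 are assumptions, and the ISAKMP policy and key are omitted because they do not change.

```cisco
! Constructed example. Placeholder addresses:
!   198.51.100.20 = NetFlow analyzer reached through the tunnel
!   203.0.113.1   = next-hop router
!   203.0.113.2   = ASA tunnel peer
!   192.0.2.10    = address of FastEthernet0/0 (NetFlow export source)

! Interesting traffic: NetFlow source to the analyzer
access-list 101 permit ip host 192.0.2.10 host 198.51.100.20

crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101

interface FastEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 ip flow ingress
 crypto map VPN-MAP

ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 198.51.100.20 9996

! Before: host route via the next-hop address.
! As described in the thread, the export packets went to the
! next-hop router and were not picked up by the tunnel.
ip route 198.51.100.20 255.255.255.255 203.0.113.1

! After: the same host route pointing at the outgoing interface,
! which is the change that resolved the problem in the thread.
no ip route 198.51.100.20 255.255.255.255 203.0.113.1
ip route 198.51.100.20 255.255.255.255 FastEthernet0/0

! Checks after the change:
!   show ip flow export     -> export packet counters increasing
!   show crypto ipsec sa    -> "#pkts encaps" rising for the
!                              192.0.2.10 / 198.51.100.20 selectors
! If the encaps counter stays flat while flows are exported, the
! records are still leaving the router outside the tunnel in clear text.
```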
