Flexible-Netflow from router on IPSec VPN Tunnel

Jan 12th, 2009

Hi all,

I'm trying to collect netflow data from a remote site which only has one Cisco 881 router and is connected to our corporate WAN using an IPSec VPN tunnel. According to Cisco and bug CSCsk25481 it appears as though only the new “Flexible-Netflow” will work over IPSec VPN tunnels when the router that generates the IPSec VPN tunnel is trying to send netflow info, as long as you have IOS version 12.4(17.2)T. I've tried to configure this using the commands below but it still doesn't send any netflow data to our NTA. The router is being monitored by Solarwinds Orion using the Lo0 IP address. The VPN tunnel does go through a firewall but all ports are open for VPNs for both UDP and TCP.

Here's what Cisco say…

IOS does not encrypt NetFlow export packets which originate from the router itself. This is day 0 functionality as features are not applied to NetFlow export packets and never have been.

The solution to this does not fix the above for Cisco's older netflow-switch code but rather provides the ability to encrypt outgoing NetFlow export packets for the newer flexible-netflow


Here's the config on the router…

flow exporter export-to-DCRAP014
 source Loopback0
 transport udp 9996

flow monitor flow-monitor
 record netflow-original
 exporter export-to-DCRAP014

interface FastEthernet4
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output

interface Vlan1
 ip address
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output

Is my config of the router wrong or am I missing something?

Wireshark also doesn't pick up any traffic from the remote router on the Orion server so it doesn't look like the router is sending anything.

many thanks
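What the router side cannot show is whether anything reaches the collector and, if it does, whether it is the template-based NetFlow v9 format that Flexible NetFlow exports, which is what a collector has to understand in order to "support" it. The following is an added example, not from the original post, Cisco or SolarWinds: a minimal NetFlow v9 parser run over a constructed sample packet; the addresses, byte count and timestamps in the sample are made up, and in practice the function would be fed the payload of UDP datagrams received on the export port from the config (9996).

```python
import socket
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, record count, sysuptime, unix secs, sequence, source id
FIELD_NAMES = {1: "IN_BYTES", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR"}  # subset of v9 field types

def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads, everything else a big-endian integer."""
    return socket.inet_ntoa(raw) if ftype in (8, 12) and len(raw) == 4 else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Parse one export packet. `templates` persists across packets because a v9 exporter
    resends templates only periodically; data whose template has not been seen is reported."""
    version, count, _uptime, _secs, seq, source_id = V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, missing, off = [], [], V9_HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                            # template flowset: learn record layouts
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, p + 4 + 4 * i)
                                               for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) not in templates:
            missing.append(fs_id)                 # data arrived before its template
        elif fs_id >= 256:                        # data flowset: decode with the learned layout
            fields = templates[(source_id, fs_id)]
            rec_len, p = sum(flen for _, flen in fields), 0
            while p + rec_len <= len(body):       # a short tail is 4-byte padding, not a record
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return {"sequence": seq, "source_id": source_id, "count": count,
            "records": records, "missing_templates": missing}

def sample_packet(with_template=True):
    """Constructed sample (not a capture): optional template id 256, then one matching data record."""
    tmpl = struct.pack("!HHHH", 0, 20, 256, 3) + struct.pack("!HHHHHH", 8, 4, 12, 4, 1, 4)
    data = (struct.pack("!HH", 256, 16) + socket.inet_aton("10.0.0.1")
            + socket.inet_aton("10.0.0.2") + struct.pack("!I", 1500))
    return V9_HEADER.pack(9, 2 if with_template else 1, 1000, 1231718400, 1, 0) + (tmpl if with_template else b"") + data
```

A collector that only speaks v5 will see version 9 in the first two bytes and drop the packet, which is the practical meaning of "doesn't support Flexible NetFlow".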


d.hodgson Wed, 01/14/2009 - 02:44

Can anyone please help me with this, even guess at what it could be or point me in a direction where I might find more help?

many thanks


jonathanaxford Fri, 01/16/2009 - 08:23

Not just yet - I am having the same problem with a Cisco 1801 using a VPN tunnel to a Fortigate firewall!

Currently using standard netflow, haven't experimented with flexible netflow yet, let me know if you come across anything, I'll do the same!



d.hodgson Sat, 01/17/2009 - 02:11

Hi Jonathan,

I was just told by SolarWinds that they don't support flexible netflow so I don't think I'll be taking this any further. It seems I'll just have to rely on ip accounting on the router to help debug issues.

I hope you find a solution.


jonathanaxford Mon, 01/19/2009 - 00:57

Hi Dave,

Thanks for that, it is worth knowing. We are currently trialing the Fluke NetFlow Tracker analyser, so will probably see if that will support it.

Another possible solution is to use "Virtual Tunnel Interfaces" as opposed to standard interface crypto map statements - apparently this may get the standard netflow exporting correctly.

