NetFlow and host unreachable

Unanswered Question
Apr 29th, 2009
User Badges:

We have a remote site using site to site VPN connected to headquarter. We want to setup NetFlow on the romote router and send the NetFlow packet back to the collection server in the headquarter, the NetFlow works fine on the remote router, but NetFlow packets can't send it to the Collection server in the Headquarter.

Enclosed are the network diagram and the configuration of the remote router.

We have tried the followings.

1. Can't directly ping the collection server from the router, but we can when

we do "extented ping".

2. we do the tracerroute as below.


Protocol [ip]:

Target IP address:

Source address:

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]:

Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to

1 80 msec 76 msec 100 msec

2 80 msec 76 msec 76 msec

3 76 msec 80 msec 76 msec

3. try to add "ip route

It didn't work.

4. We can directly ping from the switch behind the router in the remote


5. checked the both router on IPSec tunnel, there is no blocks.

Please help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Wed, 04/29/2009 - 11:28
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Ken,

I may be wrong but I think you are facing a functional limitation of netflow data export.

first of all netflow data flow export packets are locally generated by the node.

The only feature available in some platforms is the following

that is export using SCTP.

you would need a non encrypted path to export netflow data to HQ like using a dedicated link or also an EoMPLS service.

OR there is a need for additional commands to have locally generated packets encrypted.

The doubts are that these netflow export packets can be many and use already resources with clear text exporting.

Hope to help


John Blakley Wed, 04/29/2009 - 11:32
User Badges:
  • Purple, 4500 points or more

Since netflow runs over udp, you may need to add a line to your inspects that allows router generated packets:


ip inspect firewall udp router-traffic timeout 3600



kzhen Wed, 04/29/2009 - 11:46
User Badges:


The network flow works fine. Most likely I have the routing issue so the router is not able to send the NetFlow packets to the collection server in the HQ over the Site to site VPN connectivity.



John Blakley Wed, 04/29/2009 - 11:49
User Badges:
  • Purple, 4500 points or more


NetFlow packets can't send it to the Collection server

I'm a little lost. Netflow will work fine on the local network, but it's having to traverse the interface that you have your crypto map and CBAC config on to send the traffic to your collector. Because of that, the router generated packets don't get inspected without the line that I gave you earlier. This isn't to "fix" netflow, it was to allow the traffic that the router generates to go through the firewall configuration that you have on your dsl interface. Another test you could do is to remove the inspect and see if that works.


kzhen Wed, 04/29/2009 - 11:52
User Badges:


I have removed the inspect and QoS policy on the router, It is no luck.



John Blakley Wed, 04/29/2009 - 12:03
User Badges:
  • Purple, 4500 points or more


It does work through a tunnel as I'm testing it now. And it does work with inspects (and I didn't need to add the line that I gave you).

My current config is:

ip flow-export source bvi1

ip flow-export destination 2455

ip flow-export version 5

What type of router are you doing this on, and what version of the IOS?

Richard Burts Wed, 04/29/2009 - 13:03
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


You are sending the NetFlow records on UDP port 2055. Is there any possibility that this is not the port that your collector is listening on?

I do not see how this could be a routing problem, since the extended traceroute that you do specifies the same source address and the same destination address as your netflow and the traceroute gets to the right place.




This Discussion