NetFlow and host unreachable

Unanswered Question
Apr 29th, 2009

We have a remote site using site to site VPN connected to headquarter. We want to setup NetFlow on the romote router and send the NetFlow packet back to the collection server in the headquarter, the NetFlow works fine on the remote router, but NetFlow packets can't send it to the Collection server in the Headquarter.

Enclosed are the network diagram and the configuration of the remote router.

We have tried the followings.

1. Can't directly ping the collection server from the router, but we can when

we do "extented ping".

2. we do the tracerroute as below.

1156#traceroute

Protocol [ip]:

Target IP address: 192.168.32.144

Source address: 192.168.204.1

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]:

Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to 192.168.32.144

1 192.168.210.1 80 msec 76 msec 100 msec

2 192.168.210.57 80 msec 76 msec 76 msec

3 192.168.32.144 76 msec 80 msec 76 msec

3. try to add "ip route 192.168.32.144 255.255.255.255 192.168.210.1

It didn't work.

4. We can directly ping from the switch behind the router in the remote

site.

5. checked the both router on IPSec tunnel, there is no blocks.

Please help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Giuseppe Larosa Wed, 04/29/2009 - 11:28

Hello Ken,

I may be wrong but I think you are facing a functional limitation of netflow data export.

first of all netflow data flow export packets are locally generated by the node.

The only feature available in some platforms is the following

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nflow_export_sctp.html

that is export using SCTP.

you would need a non encrypted path to export netflow data to HQ like using a dedicated link or also an EoMPLS service.

OR there is a need for additional commands to have locally generated packets encrypted.

The doubts are that these netflow export packets can be many and use already resources with clear text exporting.

Hope to help

Giuseppe

John Blakley Wed, 04/29/2009 - 11:32

Since netflow runs over udp, you may need to add a line to your inspects that allows router generated packets:

Try:

ip inspect firewall udp router-traffic timeout 3600

HTH,

John

kzhen Wed, 04/29/2009 - 11:46

John,

The network flow works fine. Most likely I have the routing issue so the router is not able to send the NetFlow packets to the collection server in the HQ over the Site to site VPN connectivity.

thanks,

Ken

John Blakley Wed, 04/29/2009 - 11:49

Ken,

NetFlow packets can't send it to the Collection server

I'm a little lost. Netflow will work fine on the local network, but it's having to traverse the interface that you have your crypto map and CBAC config on to send the traffic to your collector. Because of that, the router generated packets don't get inspected without the line that I gave you earlier. This isn't to "fix" netflow, it was to allow the traffic that the router generates to go through the firewall configuration that you have on your dsl interface. Another test you could do is to remove the inspect and see if that works.

John

kzhen Wed, 04/29/2009 - 11:52

John,

I have removed the inspect and QoS policy on the router, It is no luck.

thanks,

Ken

John Blakley Wed, 04/29/2009 - 12:03

Ken,

It does work through a tunnel as I'm testing it now. And it does work with inspects (and I didn't need to add the line that I gave you).

My current config is:

ip flow-export source bvi1

ip flow-export destination 10.25.5.106 2455

ip flow-export version 5

What type of router are you doing this on, and what version of the IOS?

Richard Burts Wed, 04/29/2009 - 13:03

Ken

You are sending the NetFlow records on UDP port 2055. Is there any possibility that this is not the port that your collector is listening on?

I do not see how this could be a routing problem, since the extended traceroute that you do specifies the same source address and the same destination address as your netflow and the traceroute gets to the right place.

HTH

Rick

Actions

This Discussion