EZVPN leaking netflow and ntp to ISP

Answered Question
Oct 26th, 2009

I have an 881G with a Verizon cellular modem and EZVPN in Network Extension mode. This config is leaking NetFlow packets directly out the Cellular interface. I want them to go through my IPsec tunnel to my internal NetFlow collector. The same is happening for NTP. Because these packets have private IP addresses (10.x.x.x) in the source field, Verizon keeps shutting down the Cellular interface. I've tried NAT and ACLs, but since these packets are generated by the router, they bypass these mechanisms.

Does anyone have a workaround for this issue?

Correct Answer
slmansfield Tue, 10/27/2009 - 06:49

Did you try associating your NTP and Netflow traffic with a specific interface on your router? Include these interfaces in your encryption domain.


Examples:


ip flow-export source Loopback0

ntp source Loopback0


Mike Iversen Tue, 10/27/2009 - 06:54

Yes I did. I used Loopback1, which has a 10.x.x.x address, and this is the address that causes Verizon to drop the connection. If I use Cellular0 as my source port, which has a public IP, then Verizon stops dropping the connection, but I also don't get NetFlow data because it still doesn't go down the IPsec tunnel. I don't get NetFlow with Loopback1 either, but again that's because those packets don't go down the tunnel. I also created an EZVPN ACL that says all 10.0.0.0 traffic should go down the tunnel; that didn't fix this problem.

Correct Answer
slmansfield Wed, 10/28/2009 - 09:00

I had not previously tried EZVPN with NEM, so I set up this lab.


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml


I set up the EZVPN server as an NTP master. The two routers are connected to each other over the same Ethernet segment, 172.16.186.0/24.


I have my NTP source interface set to the loopback on each of the two routers.


It looks like my NTP packets are going through the VPN tunnel.


If you are still having this problem, could you post your configs (sanitized)?

Mike Iversen Wed, 10/28/2009 - 11:23

My apologies for not being clearer in an earlier post. I had set the source interface in NetFlow to Loopback1, but I had not set the source interface in SNTP.

Once I set the SNTP source to Loopback1, SNTP traffic started traversing the tunnel.

Herbert Baerten (Cisco Employee) Wed, 10/28/2009 - 11:21

I believe (never tried it myself to be honest) that you need a recent IOS release, i.e. 12.4(24)T or later (e.g. 12.4(24)T2 or 15.0(1)M) and even then only Flexible Netflow will work.


Not sure about NTP, this might require a recent IOS as well.

Mike Iversen Wed, 10/28/2009 - 11:50

NTP is fixed if I use SNTP with the source-interface of Loopback1. But NetFlow continues to fail. I am running 12.4(24)T2. I configured Flexible NetFlow and it causes Verizon to shut down the cellular interface sooner than old NetFlow did; it must generate more packets.

Here is my Flexible NetFlow config:

flow exporter Raleigh
 destination 10.x.x.x
 source Loopback1
!
flow monitor MMM-1
 record netflow-original
 exporter Raleigh
!
interface Cellular0
 ip flow monitor MMM-1 input
!
interface Vlan1
 ip flow monitor MMM-1 input




Herbert Baerten (Cisco Employee) Wed, 10/28/2009 - 16:23

Strange... did you remove the old config? Is your collector receiving NetFlow data from the router now?

Mike Iversen Thu, 10/29/2009 - 05:29

I didn't completely remove the old config. I removed the export line:

ip flow-export destination 10.x.x.x 9995

My collector is not receiving NetFlow data. It's going directly out the Cellular0 port (not the tunnel). Verizon detects an invalid source IP (my Loopback1 address) and after 20 invalid packets drops the connection.

Correct Answer
Herbert Baerten (Cisco Employee) Wed, 10/28/2009 - 16:27

try this:

flow exporter Raleigh
 output-features
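
The two pieces of advice in this thread, slmansfield's "source the traffic from an interface inside the encryption domain" and Herbert's "output-features" on the Flexible NetFlow exporter, combined into one consolidated configuration. This is an added example written for this page, not a config posted by any participant and not Cisco's reference configuration. Everything specific in it is an assumption for illustration: the EZVPN profile name EZVPN_NEM, the group name and key, the head-end peer 192.0.2.1, the loopback address 10.200.0.1, the NTP server 10.10.10.1 and the collector 10.10.10.5. The exporter and monitor names Raleigh and MMM-1 are reused from the thread. The PPP/dialer settings that bring up the cellular modem are omitted.

```cisco
! Added example, not from the thread. All names and addresses are assumed.
!
! 1. A /32 loopback in private space. Marking it "inside" puts its address in the
!    set of networks the EZVPN client advertises to the head end, so traffic
!    sourced from it is inside the encryption domain and is routed back over the tunnel.
interface Loopback1
 ip address 10.200.0.1 255.255.255.255
 crypto ipsec client ezvpn EZVPN_NEM inside
!
interface Vlan1
 ip address 10.200.1.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN_NEM inside
 ip flow monitor MMM-1 input
!
! 2. EZVPN client in network-extension mode; Cellular0 is the outside interface.
crypto ipsec client ezvpn EZVPN_NEM
 connect auto
 group branch-group key branch-key
 mode network-extension
 peer 192.0.2.1
!
interface Cellular0
 ip address negotiated
 crypto ipsec client ezvpn EZVPN_NEM
 ip flow monitor MMM-1 input
!
! 3. Time sync. Sourcing from Loopback1 is what moved SNTP into the tunnel in the
!    thread. On images with full NTP the equivalent is "ntp source Loopback1".
sntp source-interface Loopback1
sntp server 10.10.10.1
!
! 4. Flexible NetFlow. "source Loopback1" gives the export packets a source inside
!    the encryption domain, and "output-features" is the fix from the thread: it runs
!    the router-generated export packets through the outbound feature path (crypto,
!    NAT) instead of handing them straight to the Cellular0 driver, which is why
!    they were leaking with a 10.x.x.x source before.
flow exporter Raleigh
 destination 10.10.10.5
 source Loopback1
 transport udp 9995
 output-features
!
flow monitor MMM-1
 record netflow-original
 exporter Raleigh
```

To confirm the leak is closed rather than just quieter, watch three things: "show flow exporter Raleigh statistics" should show export packets being sent, "show crypto ipsec sa" should show the encaps counter for the tunnel climbing in step with them, and a capture on the collector should show the packets arriving with the 10.200.0.1 source. The same check applies to SNTP via "show sntp". The earlier posts' "ip flow-export source Loopback0" and "ntp source Loopback0" are the classic NetFlow and full-NTP forms of step 3 and step 4 on images that use them; traditional NetFlow has no output-features knob, which is consistent with it still leaking in this thread after the source was set.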


Mike Iversen Thu, 10/29/2009 - 06:25

Looks like it's working!!!

My collector is receiving NetFlow data from the router. Verizon has not dropped my connection in 10 minutes. It was going down every 2 minutes. I've had a TAC case open for two weeks and you solved it in two days. I'll keep testing the connection the rest of the day.

Thanks

Mike

Mike Iversen Mon, 11/02/2009 - 07:26

Still working. Didn't go down all weekend. Thanks again for everyone's help.
