10-26-2009 08:23 AM
I have an 881G with a Verizon cellular modem with EZVPN in Network Extension mode. This config is leaking NetFlow packets directly out the Cellular interface. I want them to go through my IPsec tunnel to my internal NetFlow collector. The same is happening for NTP. Because these packets have private IP addresses (10.x.x.x) in the source field, Verizon keeps shutting down the Cellular interface. I've tried NAT and ACLs, but since these packets are generated by the router, it bypasses these mechanisms.
Does anyone have a workaround for this issue?
10-27-2009 06:49 AM
Did you try associating your NTP and Netflow traffic with a specific interface on your router? Include these interfaces in your encryption domain.
Examples:
ip flow-export source Loopback0
ntp source Loopback0
10-28-2009 09:00 AM
I had not previously tried EZVPN with NEM, so I set up this lab.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml
I set up the EZVPN server as an NTP master. The two routers are connected to each other over the same Ethernet segment, 172.16.186.0/24.
I have my NTP source interface set to the loopback on each of the two routers.
It looks like my NTP packets are going through the VPN tunnel.
If you are still having this problem, could you post your configs (sanitized)?
10-27-2009 06:54 AM
Yes I did. I used Loopback1, which has a 10.x.x.x address, and this is the address that causes Verizon to drop the connection. If I use Cellular0 as my source port, which has a public IP, then Verizon stops dropping the connection, but I also don't get NetFlow data because it still doesn't go down the IPsec tunnel. I don't get NetFlow with Loopback1 either, but again that's because those packets don't go down the tunnel. I also created an EZVPN ACL that says all 10.0.0.0 traffic should go down the tunnel; that didn't fix this problem.
10-28-2009 11:23 AM
My apologies for not being clearer in an earlier post. I had set the source interface in netflow to loopback1 but I had not set the source interface in sntp.
Once I set the sntp source to loopback1, sntp traffic started traversing the tunnel.
10-28-2009 11:21 AM
I believe (never tried it myself to be honest) that you need a recent IOS release, i.e. 12.4(24)T or later (e.g. 12.4(24)T2 or 15.0(1)M) and even then only Flexible Netflow will work.
Not sure about NTP, this might require a recent IOS as well.
10-28-2009 11:50 AM
NTP is fixed if I use SNTP with the source-interface of Loopback1. But NetFlow continues to fail. I am running 12.4(24)T2. I configured Flexible NetFlow and it causes Verizon to shut down the cellular interface sooner than old NetFlow did; it must generate more packets.
Here is my flexible netflow config:
flow exporter Raleigh
 destination 10.x.x.x
 source Loopback1
flow monitor MMM-1
 record netflow-original
 exporter Raleigh
int cellular0
 ip flow monitor MMM-1 input
int vlan1
 ip flow monitor MMM-1 input
10-28-2009 04:23 PM
Strange... did you remove the old config? Is your collector receiving netflow data from the router now?
10-29-2009 05:29 AM
I didn't completely remove the old config. I removed the export line:
ip flow-export destination 10.x.x.x 9995
My collector is not receiving NetFlow data. It's going directly out the Cellular0 port (not the tunnel). Verizon detects an invalid source IP (my Loopback1 address) and after 20 invalid packets drops the connection.
10-28-2009 04:27 PM
try this:
flow exporter Raleigh
 output-features
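For readers landing on this thread later, here is a consolidated configuration that puts the two fixes from the thread together: the SNTP source interface set to the inside loopback, and the Flexible NetFlow exporter with output-features so the export packets are processed by the interface's crypto output features instead of leaving Cellular0 in the clear. This is an added illustration, not any poster's running config. The EZVPN client name EZ-CLIENT, the group name and key, the peer address 203.0.113.1, the Loopback1 and collector addresses (kept as the thread's 10.x.x.x placeholders) and the use of Vlan1 as the LAN interface are assumptions; the export port 9995 is the one from the thread's earlier ip flow-export line.

```cisco
! Added example, not a poster's configuration.
! 881G EZVPN client in network-extension mode with router-originated
! NetFlow and SNTP sent through the IPsec tunnel.
! Assumed: EZ-CLIENT, GROUP-NAME/GROUP-KEY, peer 203.0.113.1, Vlan1 as LAN.
! 10.x.x.x addresses are the thread's placeholders; substitute real ones.

! Inside address the router uses as source for its own traffic. Marking
! the loopback as an EZVPN inside interface puts it in the tunnel's
! encryption domain so traffic sourced from it is matched by the policy.
interface Loopback1
 ip address 10.x.x.x 255.255.255.255
 crypto ipsec client ezvpn EZ-CLIENT inside

interface Vlan1
 crypto ipsec client ezvpn EZ-CLIENT inside
 ip flow monitor MMM-1 input

! Outside interface toward the carrier; the EZVPN client attaches here.
interface Cellular0
 crypto ipsec client ezvpn EZ-CLIENT
 ip flow monitor MMM-1 input

crypto ipsec client ezvpn EZ-CLIENT
 connect auto
 group GROUP-NAME key GROUP-KEY
 mode network-extension
 peer 203.0.113.1

! SNTP sourced from the inside loopback so it traverses the tunnel.
sntp server 10.x.x.x
sntp source-interface Loopback1

! Flexible NetFlow exporter. "output-features" is the line that resolved
! the thread: it applies the output features of the exit interface
! (including encryption) to the export packets, so they are no longer
! sent out Cellular0 unencrypted with a private source address.
flow exporter Raleigh
 destination 10.x.x.x
 source Loopback1
 transport udp 9995
 output-features

flow monitor MMM-1
 record netflow-original
 exporter Raleigh
```

To confirm the fix is in effect, watch that the collector receives flows and that the carrier-side session stays up; on the router, show flow exporter statistics should show export packets being sent without a corresponding rise in cleartext traffic on Cellular0.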
10-29-2009 06:25 AM
Looks like it's working!!!
My collector is receiving netflow data from the router. Verizon has not dropped my connection in 10 minutes. It was going down every 2 minutes. I've had a TAC case open for two weeks and you solved it in two days. I'll keep testing the connection the rest of the day.
Thanks
Mike
11-02-2009 07:26 AM
Still working. Didn't go down all weekend. Thanks again for everyone's help.