EZVPN leaking netflow and ntp to ISP

Mike Iversen
Level 1

I have an 881G with a Verizon cellular modem with EZVPN in Network Extension mode. This config is leaking Netflow packets directly out the Cellular interface. I want them to go through my IPSEC tunnel to my internal Netflow collector. Same is happening for NTP. Because these packets have private IP addresses (10.x.x.x) in the source field, Verizon keeps shutting down the Cellular interface. I've tried NATting and ACLs, but since these packets are generated by the router, they bypass these mechanisms.

Does anyone have a workaround for this issue?

11 Replies

slmansfield
Level 4

Did you try associating your NTP and Netflow traffic with a specific interface on your router? Include these interfaces in your encryption domain.

Examples:

  ip flow-export source Loopback0
  ntp source Loopback0

Yes I did. I used loopback1, which has a 10.x.x.x address, and this is the address that causes Verizon to drop the connection. If I use Cellular0 as my source port, which has a public IP, then Verizon stops dropping the connection, but I also don't get netflow data because it still doesn't go down the IPSec tunnel. I don't get netflow with loopback1 either, but again that's because those packets don't go down the tunnel. I also created an ezvpn ACL that says all 10.0.0.0 traffic should go down the tunnel; that didn't fix this problem.

slmansfield
Level 4

I had not previously tried EZVPN with NEM, so I set up this lab.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml

I set up the EZVPN server as an NTP master. The two routers are connected to each other over the same Ethernet segment, 172.16.186.0/24.

I have my NTP source interface set to the loopback on each of the two routers.

It looks like my NTP packets are going through the VPN tunnel.

If you are still having this problem, could you post your configs (sanitized)?

My apologies for not being clearer in an earlier post. I had set the source interface in netflow to loopback1 but I had not set the source interface in sntp.

Once I set the sntp source to loopback1, sntp traffic started traversing the tunnel.

Herbert Baerten
Cisco Employee

I believe (never tried it myself to be honest) that you need a recent IOS release, i.e. 12.4(24)T or later (e.g. 12.4(24)T2 or 15.0(1)M) and even then only Flexible Netflow will work.

Not sure about NTP, this might require a recent IOS as well.

NTP is fixed if I use SNTP with the source-interface of loopback1. But netflow continues to fail. I am running 12.4.24.t2. I configured Flexible Netflow and it causes Verizon to shut down the cellular interface sooner than old netflow did; it must generate more packets.

Here is my flexible netflow config:

  flow exporter Raleigh
   destination 10.x.x.x
   source Loopback1
  !
  flow monitor MMM-1
   record netflow-original
   exporter Raleigh
  !
  int cellular0
   ip flow monitor MMM-1 input
  !
  int vlan1
   ip flow monitor MMM-1 input

Strange... did you remove the old config? Is your collector receiving netflow data from the router now?

I didn't completely remove the old config. I removed the export line:

  ip flow-export destination 10.x.x.x 9995

My collector is not receiving netflow data. It's going directly out the Cellular0 port (not the tunnel). Verizon detects an invalid source IP (my loopback1 address) and after 20 invalid packets drops the connection.

try this:

  flow exporter Raleigh
   output-features

Looks like it's working!!!

My collector is receiving netflow data from the router. Verizon has not dropped my connection in 10 minutes. It was going down every 2 minutes. I've had a TAC case open for two weeks and you solved it in two days. I'll keep testing the connection the rest of the day.

Thanks

Mike

Still working. Didn't go down all weekend. Thanks again for everyone's help.
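A small config audit, added here as an example (not from the thread, Cisco, or TAC), that checks the three settings this thread converged on: the flow exporter and SNTP/NTP have a source interface, that source sits inside a prefix carried by the tunnel, and the exporter has output-features so its packets go through the crypto/NAT/ACL output path. The sample config, the exporter name reuse, and the 10.0.0.0/8 tunnelled prefix are constructed assumptions; FIXED is LEAKY with the thread's final fix applied.

```python
from ipaddress import ip_interface, ip_network

# Constructed sample config (hypothetical, not the poster's real config): a source is
# set but "output-features" is absent, so exports skip crypto/NAT/ACL on the way out.
LEAKY = """\
interface Loopback1
 ip address 10.20.30.1 255.255.255.255
flow exporter Raleigh
 destination 10.1.1.5
 source Loopback1
sntp source Loopback1
"""
FIXED = LEAKY.replace("\n source Loopback1\n", "\n source Loopback1\n output-features\n")

def parse_sections(cfg):
    """Split an IOS config into {top-level line: [indented child commands]}."""
    sections, current = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def interface_ip(sections, name):
    """Static IPv4 address of an interface, or None (DHCP, cellular, or unknown)."""
    for cmd in sections.get(f"interface {name}", []):
        parts = cmd.split()
        if parts[:2] == ["ip", "address"] and len(parts) == 4:
            return ip_interface(f"{parts[2]}/{parts[3]}").ip
    return None

def audit(cfg, tunnelled=("10.0.0.0/8",)):
    """List what would let router-sourced NetFlow/NTP packets leave via the WAN."""
    s = parse_sections(cfg)
    nets, findings = [ip_network(n) for n in tunnelled], []
    for head, body in s.items():
        if head.startswith("flow exporter "):
            name = head.split()[-1]
            src = next((c.split()[1] for c in body if c.startswith("source ")), None)
            ip = interface_ip(s, src)
            if ip is None or not any(ip in n for n in nets):
                findings.append(f"{name}: source {src} not inside a tunnelled prefix")
            if "output-features" not in body:
                findings.append(f"{name}: no output-features, exports bypass crypto/NAT/ACL")
    if not any(h.startswith(("ntp source ", "sntp source ")) for h in s):
        findings.append("no ntp/sntp source interface set")
    return findings
```

Run audit() over a sanitized `show running-config` dump to get the same checks on a real box.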
