Cisco 5510 exporting netflow over a IPSEC VPN

Hi, we have a local Netflow collector working fine. We also have a centralised collector that we’d like to use to send the same Netflow data, but it is not being received. We need to send the data via an IPSEC VPN.

When I do a 'show flow-export counters' I can see the packets sent increasing. The local collector is receiving netflow data. I am using the config below.

Any pointers of what’s going wrong greatly appreciated.

Thanks.

********************************************************************
access-list global_mpc extended permit ip any any
!
!IP far end of VPN
!
flow-export destination outside 10.xx.10.xxx 2055
!IP local lan
flow-export destination inside 10.xx.20.xxx 2055
!
flow-export template timeout-rate 1
flow-export delay flow-create 20
!
class-map global-class
 match access-list global_mpc
!
policy-map global_policy
!
 class global-class
  flow-export event-type all destination 10.xx.10.xxx 10.xx.20.xxx
 class class-default
  flow-export event-type all destination 10.xx.10.xxx 10.xx.20.xxx
!

Cisco 5510 exporting netflow over a IPSEC VPN

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(1)

Hardware:   ASA5510, 1024 MB RAM


Cisco 5510 exporting netflow over a IPSEC VPN

Is the source interface for NetFlow export the IPSec tunnel? If so, it is a limitation of NetFlow that, when exported over IPSec, self-originating NetFlow packets are not exported. The solution is to use Flexible NetFlow (FNF - NetFlow v9) but Cisco ASA currently does not support FNF.

The below link has some details on the bug:

http://blogs.manageengine.com/netflowanalyzer/2011/04/01/netflow-data-export-over-ipsec-tunnels/

Regards,

Don Thomas Jacob

www.netflowanalyzer.com

NOTE: Please rate posts and close questions if you have got your answer.


Cisco 5510 exporting netflow over a IPSEC VPN

In case anyone else encounters the same issue, turned out we needed to upgrade.

Running Software Version 8.2(5) and all is well.
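
A collector-side check for the symptom in this thread, as an added example that is not part of any post above: it parses export datagrams captured on UDP 2055 and reports data flowsets that arrived before their template, which a collector cannot decode. It assumes the datagrams are in NetFlow v9 format (RFC 3954); the sample packets, addresses and function names are constructed for illustration.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")     # flowset id, length (length includes these 4 bytes)

def parse_v9(datagram):
    """Parse one NetFlow v9 export datagram into header fields and flowset summaries."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v9 header")
    version, count, _, _, sequence, source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9: version={version}")
    templates, data_ids, offset = {}, [], HEADER.size
    while offset + FLOWSET.size <= len(datagram):
        fs_id, fs_len = FLOWSET.unpack_from(datagram, offset)
        if fs_len < FLOWSET.size or offset + fs_len > len(datagram):
            raise ValueError("flowset length runs past end of datagram")
        body = datagram[offset + FLOWSET.size:offset + fs_len]
        if fs_id == 0:                       # template flowset
            templates.update(_templates(body))
        elif fs_id > 255:                    # data flowset; its id is the template id
            data_ids.append(fs_id)
        offset += fs_len
    return {"count": count, "sequence": sequence, "source_id": source_id,
            "templates": templates, "data_ids": data_ids}

def _templates(body):
    """Yield (template_id, [(field_type, field_len), ...]) from a template flowset body."""
    pos = 0
    while pos + 4 <= len(body):
        tmpl_id, nfields = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * nfields
        if tmpl_id < 256 or end > len(body):  # padding or truncated record
            break
        yield tmpl_id, [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
        pos = end

def undecodable(datagrams):
    """Return (sequence, template_id) for data flowsets seen before their template."""
    known, missing = set(), []
    for raw in datagrams:
        pkt = parse_v9(raw)
        known.update((pkt["source_id"], t) for t in pkt["templates"])
        missing += [(pkt["sequence"], t) for t in pkt["data_ids"]
                    if (pkt["source_id"], t) not in known]
    return missing

# Constructed sample: template 256 (IPV4_SRC_ADDR=8, IPV4_DST_ADDR=12) and one data record.
TEMPLATE = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
DATA = struct.pack("!HH4s4s", 256, 12, bytes([10, 0, 20, 5]), bytes([10, 0, 10, 9]))
PKT_DATA_ONLY = HEADER.pack(9, 1, 1000, 1700000000, 1, 0) + DATA
PKT_WITH_TEMPLATE = HEADER.pack(9, 2, 2000, 1700000060, 2, 0) + TEMPLATE + DATA
```

If no datagrams reach the collector at all, the problem is on the path (VPN, routing, source interface) rather than in template timing; a jump in the header sequence number between received datagrams points to loss in transit.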
