1053 Views, 0 Helpful, 3 Replies

Cannot add Flexible Netflow to a Virtual-Template in IOS XE 3.10 / 15.3

Jeremy Impson (Level 1)

Summary: when I try to add a Virtual-Template to a Flexible Netflow monitor in IOS-XE 3.10 / 15.3 on an ISR4400, I get the following error:

RTR1(config)#interface Virtual-Template 10
RTR1(config-if)#ip flow monitor UNIT1_ipv4_mon input
% Flow Monitor: Flow Monitor 'UNIT1_ipv4_mon' Virtual Interface Unsupported

This works as expected in IOS 15.3 on a C5940 ESR (mobile access router). Presumably this is an XE issue. Is there another way to do this so I can monitor the traffic of each VPN client using the Virtual-Template?

Details:

The following configuration works on a C5940 ESR with IOS 15.3, which we use to monitor throughput usage of wireless VPN clients:

flow exporter exp1
 description Send Netflow to Management Services
 destination 10.10.68.3
 transport udp 2055
 template data timeout 10

flow monitor ipv4_mon
 description Monitor Bandwidth
 record netflow ipv4 original-input
 exporter exp1
 cache timeout active 1

interface Virtual-Template10
 ip unnumbered GigabitEthernet0/2
 ip mtu 1400
 ip flow monitor ipv4_mon input
 ip tcp adjust-mss 1200
 peer default ip address pool l2tp-pool
 ppp mtu adaptive
 ppp authentication ms-chap ms-chap-v2
 ppp ipcp dns 10.10.69.1
 ppp timeout idle 1200

I am migrating this configuration to a development lab. I am using an ISR4400 running IOS-XE 03.10.03.S / ISR4400 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(3)S3, RELEASE SOFTWARE (fc1). I am using VRFs to make the ISR act like several instances of the C5940. The equivalent configuration (for a single VRF called UNIT1) should be:

flow exporter UNIT1_exp1
 description Send Netflow to Unit1 Management Services
 destination 10.1.10.20 vrf UNIT1
 transport udp 2055
 template data timeout 10

flow monitor UNIT1_ipv4_mon
 description Monitor UNIT1 Bandwidth
 exporter UNIT1_exp1
 cache timeout active 1
 record netflow ipv4 original-input

interface Virtual-Template10
 description *** Dynamic interfaces for UNIT1 VPN ***
 ip vrf forwarding UNIT1
 ip unnumbered GigabitEthernet0/0/0.15
 ip flow monitor UNIT1_ipv4_mon input
 ip mtu 1400
 ip tcp adjust-mss 1200
 peer default ip address pool l2tp-unit1
 ppp mtu adaptive
 ppp authentication ms-chap ms-chap-v2
 ppp ipcp dns 10.1.10.5
 ppp timeout idle 1200
end

But when the "ip flow monitor..." line is added to the Virtual-Template10 interface, it says "% Flow Monitor: Flow Monitor 'UNIT1_ipv4_mon' Virtual Interface Unsupported". Do I have any options to monitor VPN traffic other than moving to a non-XE router platform?

Jeremy Impson

3 Replies

Jeremy Impson (Level 1)

Some additional information: Both the original 5940 and new 4451 configurations define a Loopback interface used as the default route for the devices using the VPN provided by the Virtual-Templates. I thought perhaps the unencrypted VPN packets might get accounted for on this interface. On the 4451 I tried adding the flow monitor there, a la:

interface Loopback10
 ip address <from l2tp-unit1 IP pool> ...
 ip flow monitor ipv4_mon input

The command was accepted, but doesn't seem to work (none of the resulting netflow packets have reports from the L2TP-assigned addresses from the VPN clients).

I can't assign the flow monitor to the real physical interface that the VPN clients use, because it will only see the encrypted traffic, and in particular won't report the ultimate, unencrypted destination IP address.
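The check described in this reply ("none of the resulting netflow packets have reports from the L2TP-assigned addresses") can be automated at the collector. The following is an added example, not code from this thread or from Cisco: a minimal NetFlow v9 decoder (RFC 3954 header, template FlowSets and data FlowSets) that parses export datagrams and reports whether any flow record involves an address in the L2TP pool. The pool range 10.1.20.0/24, the template ID 256 and the sample packet are constructed assumptions; in practice the datagrams would be read from UDP port 2055 on the collector (10.1.10.20 in the configuration above).

```python
import ipaddress
import struct

# NetFlow v9 field type IDs (RFC 3954 section 8) decoded by this example
IN_BYTES, IN_PKTS, PROTOCOL, IPV4_SRC_ADDR, IPV4_DST_ADDR = 1, 2, 4, 8, 12
FIELD_NAMES = {IPV4_SRC_ADDR: "src", IPV4_DST_ADDR: "dst",
               IN_BYTES: "bytes", IN_PKTS: "pkts", PROTOCOL: "proto"}

# Assumed L2TP address pool (placeholder; the thread does not give the real range)
L2TP_POOL = "10.1.20.0/24"


def parse_netflow_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet and return (templates, records).

    templates maps template_id -> [(field_type, length), ...]. It is returned so
    the caller can pass it back in: data FlowSets are only decodable once the
    matching template has been seen, and the exporter resends templates only
    every 'template data timeout' seconds.
    """
    templates = dict(templates or {})
    records = []
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet: version %d" % version)
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("malformed FlowSet length %d" % length)
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:
            # Template FlowSet: one or more (template_id, field_count, (type, len)...)
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(field_count):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[template_id] = fields
        elif flowset_id >= 256 and flowset_id in templates:
            # Data FlowSet: fixed-size records, trailing bytes are padding
            fields = templates[flowset_id]
            record_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + record_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype)
                    if name is None:
                        continue  # field type this example does not decode
                    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
                        rec[name] = str(ipaddress.IPv4Address(raw))
                    else:
                        rec[name] = int.from_bytes(raw, "big")
                records.append(rec)
        # flowset_id 1 (options template) or a data FlowSet with no known template: skipped
        offset += length
    return templates, records


def records_from_pool(records, pool=L2TP_POOL):
    """Return the records whose source or destination lies in the VPN pool."""
    net = ipaddress.ip_network(pool)
    return [r for r in records
            if any(ipaddress.ip_address(r[k]) in net for k in ("src", "dst") if k in r)]


def build_sample_export():
    """Constructed NetFlow v9 packet: one template (ID 256) plus two data records."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_PKTS, 4), (IN_BYTES, 4), (PROTOCOL, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    template_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, pkts, nbytes, proto):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!IIB", pkts, nbytes, proto))

    # One flow from a pool client, one between management hosts (addresses constructed)
    data = rec("10.1.20.7", "198.51.100.10", 12, 9000, 6) + rec("10.1.10.5", "10.1.10.20", 3, 240, 17)
    pad = (-len(data)) % 4  # data FlowSets are padded to a 4-byte boundary
    data_flowset = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 1000, 1700000000, 1, 0)
    return header + template_flowset + data_flowset


if __name__ == "__main__":
    templates, records = parse_netflow_v9(build_sample_export())
    hits = records_from_pool(records)
    print("%d records decoded, %d involve the L2TP pool" % (len(records), len(hits)))
    for r in hits:
        print(r)
```

To use it against the live exporter, bind a UDP socket to port 2055 on the collector, call parse_netflow_v9 on each datagram while carrying the returned templates dict forward, and run records_from_pool over the accumulated records; an empty result after a few minutes of client traffic reproduces the finding in the reply above, while hits confirm the monitor is seeing decrypted VPN flows.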

 

Anyone (community) have any additional info? On 15.4(3)S3 (ASR1000) FNF on VTY doesn't work either. Traditional NetFlow is not supported in 15.4. I found CSCsx24985, "Netflow on broadband sessions is not supported", but its Known Affected Releases is (1) 12.2(33)XNC, not the 15 train.

Pepelatz1986 (Level 1)

Does anybody know how it is possible to use Flexible NetFlow on a Virtual-Template interface?
