This works as expected in IOS 15.3 on a C5940 ESR (mobile access router). Presumably this is an XE issue. Is there another way to do this so I can monitor the traffic of each VPN client using the Virtual-Template?
The following configuration works on a C5940 ESR with IOS 15.3, which we use to monitor throughput usage of wireless VPN clients:
flow exporter exp1
 description Send Netflow to Management Services
 destination 10.10.68.3
 transport udp 2055
 template data timeout 10

flow monitor ipv4_mon
 description Monitor Bandwidth
 record netflow ipv4 original-input
 exporter exp1
 cache timeout active 1

interface Virtual-Template10
 ip unnumbered GigabitEthernet0/2
 ip mtu 1400
 ip flow monitor ipv4_mon input
 ip tcp adjust-mss 1200
 peer default ip address pool l2tp-pool
 ppp mtu adaptive
 ppp authentication ms-chap ms-chap-v2
 ppp ipcp dns 10.10.69.1
 ppp timeout idle 1200
I am migrating this configuration to a development lab. I am using an ISR4400 running IOS-XE 03.10.03.S / ISR4400 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(3)S3, RELEASE SOFTWARE (fc1). I am using VRFs to make the ISR act like several instances of the C5940. The equivalent configuration (for a single VRF called UNIT1) should be:
flow exporter UNIT1_exp1
 description Send Netflow to Unit1 Management Services
 destination 10.1.10.20 vrf UNIT1
 transport udp 2055
 template data timeout 10

flow monitor UNIT1_ipv4_mon
 description Monitor UNIT1 Bandwidth
 exporter UNIT1_exp1
 cache timeout active 1
 record netflow ipv4 original-input

interface Virtual-Template10
 description *** Dynamic interfaces for UNIT1 VPN ***
 ip vrf forwarding UNIT1
 ip unnumbered GigabitEthernet0/0/0.15
 ip flow monitor UNIT1_ipv4_mon input
 ip mtu 1400
 ip tcp adjust-mss 1200
 peer default ip address pool l2tp-unit1
 ppp mtu adaptive
 ppp authentication ms-chap ms-chap-v2
 ppp ipcp dns 10.1.10.5
 ppp timeout idle 1200
end
But when the "ip flow monitor..." line is added to the Virtual-Template10 interface, it says "% Flow Monitor: Flow Monitor 'UNIT1_ipv4_mon' Virtual Interface Unsupported". Do I have any options to monitor VPN traffic other than moving to a non-XE router platform?
Some additional information: Both the original 5940 and new 4451 configurations define a Loopback interface used as the default route for the devices using the VPN provided by the Virtual-Templates. I thought perhaps the unencrypted VPN packets might get accounted for on this interface. On the 4451 I tried adding the flow monitor there, a la:
 ip address <from l2tp-unit1 IP pool> ...
 ip flow monitor ipv4_mon input
The command was accepted, but doesn't seem to work (none of the resulting netflow packets have reports from the L2TP-assigned addresses from the VPN clients).
I can't assign the flow monitor to the real physical interface that the VPN clients use, because it will only see the encrypted traffic, and in particular won't report the ultimate, unencrypted destination IP address.
Anyone (community) have any additional info?
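The check described in the post (whether the NetFlow packets that arrive at the collector actually carry records for the L2TP-assigned client addresses) can be automated by decoding the v9 export that Flexible NetFlow sends by default. This is an added example, not code from the original post or from Cisco; it assumes a constructed pool range of 10.1.10.128/25 for l2tp-unit1 and builds a sample export packet inline, since the real pool addresses and captures are not on the page.

```python
import ipaddress
import struct

# NetFlow v9 field type IDs (RFC 3954) present in "record netflow ipv4 original-input"
IN_BYTES, IN_PKTS, IPV4_SRC_ADDR, IPV4_DST_ADDR = 1, 2, 8, 12
VPN_POOL = "10.1.10.128/25"  # assumed address range of the l2tp-unit1 pool (constructed)

def parse_v9(packet, templates):
    """Decode one v9 export packet into a list of {field_id: value} records.
    `templates` (template id -> field list) persists across packets, because
    data FlowSets can only be decoded once their template has been received."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20  # skip the fixed 20-byte packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            break  # malformed FlowSet length; stop instead of looping forever
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet: learn the record layout
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * i)
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            for p in (range(0, len(body) - rec_len + 1, rec_len) if rec_len else ()):
                rec, q = {}, p
                for ftype, flen in fields:
                    raw, q = body[q:q + flen], q + flen
                    rec[ftype] = (str(ipaddress.IPv4Address(raw))
                                  if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR)
                                  else int.from_bytes(raw, "big"))
                records.append(rec)
        off += fs_len
    return records

def vpn_client_records(records, pool=VPN_POOL):
    """Keep only flows whose source or destination is a VPN-client (pool) address."""
    net = ipaddress.ip_network(pool)
    return [r for r in records if any(ipaddress.ip_address(r[f]) in net
                                       for f in (IPV4_SRC_ADDR, IPV4_DST_ADDR) if f in r)]

def sample_export():
    """Constructed packet: template 256 (src, dst, bytes, pkts) plus two data records."""
    header = struct.pack("!HHIIII", 9, 2, 1000, 1400000000, 1, 0)
    template = struct.pack("!HHHH", 0, 24, 256, 4) + struct.pack(
        "!8H", IPV4_SRC_ADDR, 4, IPV4_DST_ADDR, 4, IN_BYTES, 4, IN_PKTS, 4)
    rec = lambda s, d, b, p: (ipaddress.IPv4Address(s).packed +
                              ipaddress.IPv4Address(d).packed + struct.pack("!II", b, p))
    data = (struct.pack("!HH", 256, 36) + rec("10.1.10.200", "8.8.8.8", 1500, 10)
            + rec("192.0.2.10", "198.51.100.7", 300, 3))
    return header + template + data
```

Feeding real exporter packets (for example read from a pcap) through parse_v9 with one shared templates dict and then vpn_client_records gives an empty list exactly in the failure case the post describes, where the monitor is accepted but no pool addresses ever appear.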
On 15.4(3)S3 (ASR1000) FNF on VTY doesn't work either.
Traditional netflow is not supported in 15.4.
I found CSCsx24985: Netflow on broadband sessions is not supported.
But Known Affected Releases: (1) 12.2(33)XNC, not the 15 train.