wzhang, Cisco Employee
Summary

With Netflow enabled on an IOS router that also has IPSec configured, there is a known issue where the Netflow export packets sent to the collector are not encrypted by the sending IPSec endpoint, even though they match the configured IPSec encryption policy. In the example below, RouterB has an active IPSec SA covering 20.1.1.0/24 to 192.168.1.0/24, and its Netflow export from 20.1.1.2 to 192.168.1.10 falls inside that policy:

RouterB#show crypto session
Crypto session current status

Interface: Ethernet0/0
Profile: test
Session status: UP-ACTIVE
Peer: 10.1.1.1 port 500
  IKE SA: local 20.1.1.2/500 remote 10.1.1.1/500 Active
  IPSEC FLOW: permit ip 20.1.1.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

RouterB#sh ip flow export
Flow export v1 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       20.1.1.2 (Ethernet0/0)
    Destination(1)  192.168.1.10 (9999)
  Version 1 flow records
  23 flows exported in 20 udp datagrams
.
.

The symptom shows up on the receiving IPSec endpoint (RouterA), which logs a message like the following for each export packet that arrives in the clear although the crypto policy says it should have been IPSec-encapsulated (note the source 20.1.1.2, destination 192.168.1.10 and protocol 17/UDP, i.e. the Netflow export flow):

RouterA#
*Oct  8 17:42:37.083: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.1.10, src_addr= 20.1.1.2, prot= 17

This is a day-one limitation of IOS: legacy Netflow export packets are not subject to the feature processing (e.g., IPSec) on the egress interface, so they leave unencrypted even when they match the crypto map. The problem is documented in Cisco bug id CSCsk25481, "Flexible Netflow export packets not encrypted".

Solution

This limitation has been addressed in IOS 12.4(20)T and later. For it to take effect, one must use Flexible Netflow instead of legacy Netflow and enable the output-features command under the flow exporter, which sends the export packets through the output feature processing of the egress interface so that the IPSec policy is applied to them. Here is an example:

flow exporter test-flow
 destination 192.168.1.10
 source FastEthernet0/0
 output-features
 transport udp 9999
!
flow monitor test-flow
 record netflow-original
 exporter test-flow
!
interface FastEthernet0/0
 ip flow monitor test-flow output
!

Once Flexible Netflow is enabled, use show flow exporter statistics to confirm that export packets are being sent and show crypto ipsec sa to confirm that the SA's encapsulation/encryption counters increase along with them; the %CRYPTO-4-RECVD_PKT_NOT_IPSEC messages on the receiving endpoint should stop.
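The two checks a practitioner would want to automate here are (1) "does any flow exporter send through the crypto policy without output-features?" and (2) "are the RECVD_PKT_NOT_IPSEC messages on the receiver actually my Netflow exports?". The script below is an added example written for this page, not Cisco code: it parses flow exporter stanzas from a running-config, matches the exporter source/destination against the IPSEC FLOW line in the format printed by show crypto session, and picks out receiver syslog messages in the format shown above whose destination is a configured collector. The configuration text, the second log line and the single source address 20.1.1.2 assumed for all exporters are constructed for the example.

```python
"""Added example for this page (not Cisco code): audit Flexible Netflow
exporters against an IPsec crypto-map flow and correlate receiver syslog.
All config, flow and log text below is constructed for the example."""
import ipaddress
import re

# Constructed IOS config: one exporter done right, one that will leak in the
# clear, and one whose collector is outside the crypto policy anyway.
SAMPLE_CONFIG = """\
flow exporter test-flow
 destination 192.168.1.10
 source FastEthernet0/0
 output-features
 transport udp 9999
!
flow exporter no-output-features
 destination 192.168.1.20
 source FastEthernet0/0
 transport udp 2055
!
flow exporter outside-policy
 destination 172.16.5.5
 source FastEthernet0/0
 transport udp 2055
!
"""
# IPSEC FLOW line exactly as 'show crypto session' prints it on the page.
SAMPLE_FLOW = "permit ip 20.1.1.0/255.255.255.0 192.168.1.0/255.255.255.0"
# Export source interface address (20.1.1.2 on the page); assumed to be the
# same for every exporter in the constructed config.
EXPORT_SOURCE_IP = "20.1.1.2"
# Constructed receiver syslog: the page's message plus an unrelated TCP one.
SAMPLE_LOG = [
    "*Oct  8 17:42:37.083: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an "
    "IPSEC packet. (ip) vrf/dest_addr= /192.168.1.10, src_addr= 20.1.1.2, prot= 17",
    "*Oct  8 17:42:38.001: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an "
    "IPSEC packet. (ip) vrf/dest_addr= /192.168.1.50, src_addr= 20.1.1.9, prot= 6",
]
# vrf name (possibly empty) precedes the '/' in 'vrf/dest_addr= vrf/ip'.
NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*dest_addr= [^/]*/([\d.]+), "
    r"src_addr= ([\d.]+), prot= (\d+)")


def parse_exporters(config):
    """Return {name: {"destination": ip-or-None, "output_features": bool}}."""
    exporters, current = {}, None
    for line in config.splitlines():
        m = re.match(r"flow exporter (\S+)", line)
        if m:  # stanza header is unindented; its commands are indented
            current = exporters.setdefault(
                m.group(1), {"destination": None, "output_features": False})
            continue
        if current is None:
            continue
        word = line.strip()
        if word == "!":
            current = None
        elif word.startswith("destination "):
            current["destination"] = word.split()[1]
        elif word == "output-features":
            current["output_features"] = True
    return exporters


def parse_flow(flow):
    """Turn 'permit ip SRC/MASK DST/MASK' into two ip_network objects."""
    m = re.match(r"permit ip (\S+)/(\S+) (\S+)/(\S+)", flow)
    if not m:
        raise ValueError("unrecognised IPSEC FLOW line: %r" % flow)
    # ipaddress accepts dotted netmasks ('x.x.x.x/255.255.255.0') directly.
    return (ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=False),
            ipaddress.ip_network("%s/%s" % (m.group(3), m.group(4)), strict=False))


def exporters_missing_output_features(config, flow, source_ip):
    """Names of exporters whose source->destination matches the crypto flow
    (so IPsec should encrypt them) but which lack 'output-features'."""
    src_net, dst_net = parse_flow(flow)
    src = ipaddress.ip_address(source_ip)
    flagged = []
    for name, exp in parse_exporters(config).items():
        if exp["destination"] is None:
            continue
        dst = ipaddress.ip_address(exp["destination"])
        if src in src_net and dst in dst_net and not exp["output_features"]:
            flagged.append(name)
    return flagged


def cleartext_exports_from_log(log_lines, config):
    """(exporter name, src, dst) for every RECVD_PKT_NOT_IPSEC message that is
    UDP (prot 17) and whose destination is a configured Netflow collector."""
    by_dest = {e["destination"]: n for n, e in parse_exporters(config).items()}
    hits = []
    for line in log_lines:
        m = NOT_IPSEC_RE.search(line)
        if m and m.group(3) == "17" and m.group(1) in by_dest:
            hits.append((by_dest[m.group(1)], m.group(2), m.group(1)))
    return hits
```

Run against the constructed input, exporters_missing_output_features flags only no-output-features (test-flow has the command, outside-policy's collector is not inside 192.168.1.0/24 so IPSec would never apply to it), and cleartext_exports_from_log maps the page's syslog line back to exporter test-flow while ignoring the unrelated TCP message. Feeding the script a real running-config and the receiver's syslog is enough to tell whether a clear-text alert is a Netflow export that needs output-features or some other traffic outside the tunnel.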
