Netflow not going through VPN

jasonww04 (Level 1)

Here is my config on a Cisco 1841. The Netflow server is 10.11.1.61 which is behind an ISA firewall. The ISA firewall has been set to allow Netflow traffic from 172.18.32.1 to 10.11.1.61. However, it never sees any traffic even attempting to reach 10.11.1.61 from 172.18.32.1. Is there something missing from my router config?

ip cef

ip flow-cache timeout inactive 10
ip flow-cache timeout active 1

interface FastEthernet0/0
  ip address 172.18.32.1 255.255.255.0
  ip route-cache flow
  ip nat inside

ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.11.1.61 9996

ip access-list extended NAT
deny   ip any 10.11.0.0 0.0.255.255
permit ip 172.18.32.0 0.0.0.255 any

ip access-list extended VPN
permit ip 172.18.32.0 0.0.0.255 10.11.0.0 0.0.255.255
permit ip 172.18.32.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 172.18.32.0 0.0.0.255 10.15.1.0 0.0.0.255
permit ip 172.20.32.0 0.0.0.255 10.18.0.0 0.0.0.255


11 Replies

wzhang (Cisco Employee)

Hi,

So the netflow traffic is supposed to go over the IPSec tunnel before reaching the collector behind the remote tunnel end point? If so, this is a known problem with Netflow and IPSec, you can find more info about this limitation here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk25481. It's been addressed in IOS version 12.4(20)T and later, however you must use flexible netflow (as opposed to legacy netflow) to make it work with the command "output-features" under the "flow exporter" config. Hope this helps.

Thanks,

Wen

So I used the Flexible Netflow config guide to set up Netflow on my router. Still, nothing reaches the appliance on the other end. Am I missing anything?

flow exporter test
 destination 10.11.1.61
 source Vlan1
 output-features
 transport udp 9996
 export-protocol netflow-v5
!
interface FastEthernet4
 description WAN
 ip address dhcp
 ip flow monitor Test input
!
flow monitor Test
 record netflow ipv4 original-input
 ! the monitor must reference the exporter, or nothing is exported (exporter names are case-sensitive)
 exporter test
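The two configuration defects that surface in this thread (an exporter whose destination is reached through the crypto ACL but lacks "output-features", and a flow monitor that never references its exporter) can be checked mechanically. This is an added example, not code from the thread or from Cisco; it parses a constructed IOS config excerpt modelled on the posts above, with the ACL name and exporter name as assumptions.

```python
import ipaddress
import re

# Constructed IOS config excerpt modelled on the thread (not a real device's config).
CONFIG = """\
ip access-list extended VPN
 permit ip 172.18.32.0 0.0.0.255 10.11.0.0 0.0.255.255
!
flow exporter test
 destination 10.11.1.61
 source Vlan1
 transport udp 9996
!
flow monitor Test
 record netflow ipv4 original-input
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (assumes a contiguous wildcard)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_blocks(config):
    """Split a config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        else:
            blocks[-1][1].append(line.strip())
    return blocks

def crypto_destinations(blocks, acl_name):
    """Destination networks the crypto ACL marks as interesting (tunnelled) traffic."""
    nets = []
    for head, body in blocks:
        if head == f"ip access-list extended {acl_name}":
            for entry in body:
                m = re.match(r"permit ip \S+ \S+ (\S+) (\S+)$", entry)
                if m:
                    nets.append(wildcard_to_network(*m.groups()))
    return nets

def audit_exporters(config, acl_name="VPN"):
    """Return findings for exporters that would silently bypass the tunnel or never export."""
    blocks = parse_blocks(config)
    nets = crypto_destinations(blocks, acl_name)
    bound = {b.split()[1] for h, body in blocks if h.startswith("flow monitor")
             for b in body if b.startswith("exporter ")}
    findings = []
    for head, body in blocks:
        if not head.startswith("flow exporter "):
            continue
        name = head.split()[2]
        dest = next((l.split()[1] for l in body if l.startswith("destination ")), None)
        tunnelled = dest and any(ipaddress.IPv4Address(dest) in n for n in nets)
        if tunnelled and "output-features" not in body:
            findings.append(f"{name}: destination {dest} is crypto-ACL traffic but output-features is missing")
        if name not in bound:
            findings.append(f"{name}: no flow monitor references this exporter")
    return findings
```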

Hi,

Looking at the original post, I guess we can use a little clarification on the problem itself. I assume your VPN is working fine, and if you were to ping the netflow collector from the exporter source interface, that ping would go over the tunnel and also work just fine? Can I also assume flow export works fine without VPN (by looking at flow statistics, debug, etc.), and it's only not working with VPN enabled? When you do have a problem, does the flow export traffic not go out at all, or does it go out in the clear? Also, what version of IOS are you running?

Thanks,

Wen

VPN is working fine.

I can ping the collector from the source interface through the tunnel.

I don't have any collector to send to outside of the VPN. When I run debug, I get the following which makes me think at least the router is trying to send to the flow through the VPN.

Oct 27 11:50:37: IPFLOW: Sending UDP export pak 1098 to 10.11.1.61 port 9996
Oct 27 11:50:49: IPFLOW: Sending UDP export pak 1114 to 10.11.1.61 port 9996
Oct 27 11:51:02: IPFLOW: Sending UDP export pak 1126 to 10.11.1.61 port 9996
Oct 27 11:51:15: IPFLOW: Sending UDP export pak 1151 to 10.11.1.61 port 9996

The statistics also indicate no issues.

Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       172.18.244.1 (Vlan1)
    Destination(1)  10.11.1.61 (9996)
  Version 5 flow records
  449 flows exported in 29 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

IOS is 12.4(24)T3.

Hi,

Can you change your crypto ACL to a host based ACL instead of network, i.e., 172.18.244.1->10.11.1.61, and look at the "show crypto ipsec sa" output to see if you are seeing encrypts for that flow? We need to change the ACL so that we can separate the netflow export traffic from other background traffic going into the tunnel. This would at least tell us whether the router is attempting to encrypt the exporter traffic.

Thanks,
Wen

I will try that and let you know the outcome.

Also, the above show and debug output seems to come from a legacy netflow configuration, and not flexible netflow. Were these captured with your new configuration? Note in order to work with crypto, you have to use Flexible Netflow.

Thanks,

Wen

I will change to Flexible Netflow and isolate the traffic through the VPN.

Isolated VPN traffic to just 172.18.244.1 to 10.11.1.61 and set up Flexible Netflow. When I clear crypto isa and crypto sa, show crypto ipsec sa shows 0 packets being encrypted.

If I ping 10.11.1.61 source 172.18.244.1, then I get packets encrypted.

Show flow exporter statistics says I have hundreds of successfully sent packets.

Here is my config:

flow exporter test
 destination 10.11.1.61
 source Vlan1
 transport udp 9996
!
flow monitor test
 record netflow ipv4 original-input
 exporter test
!
interface FastEthernet4
 description WAN
 ip address dhcp
 ip flow monitor test input

Hi,

Could you add "output-features" under the flow exporter configuration and try again?

Thanks,

Wen

Adding output-features seems to have done the trick. The tunnel comes up automatically since Netflow traffic is actually passing. Now I need to figure out the other end. Thanks for your help.
