New Member

EZVPN leaking netflow and ntp to ISP

I have an 881G with a Verizon cellular modem with EZVPN in Network Extension mode. This config is leaking Netflow packets directly out the Cellular interface. I want them to go through my IPsec tunnel to my internal Netflow collector. The same is happening for NTP. Because these packets have private IP addresses (10.x.x.x) in the source field, Verizon keeps shutting down the Cellular interface. I've tried NATing and ACLs, but since these packets are generated by the router, they bypass these mechanisms.

Does anyone have a workaround for this issue?


11 REPLIES
Silver

Re: EZVPN leaking netflow and ntp to ISP

Did you try associating your NTP and Netflow traffic with a specific interface on your router? Include these interfaces in your encryption domain.

Examples:

ip flow-export source Loopback0

ntp source Loopback0

New Member

Re: EZVPN leaking netflow and ntp to ISP

Yes, I did. I used Loopback1, which has a 10.x.x.x address, and this is the address that causes Verizon to drop the connection. If I use Cellular0 as my source port, which has a public IP, then Verizon stops dropping the connection, but I also don't get Netflow data because it still doesn't go down the IPsec tunnel. I don't get Netflow with Loopback1 either, but again that's because those packets don't go down the tunnel. I also created an EZVPN ACL that says all 10.0.0.0 traffic should go down the tunnel; that didn't fix this problem.

Silver

Re: EZVPN leaking netflow and ntp to ISP

I had not previously tried EZVPN with NEM, so I set up this lab.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml

I set up the EZVPN server as an NTP master. The two routers are connected to each other over the same Ethernet segment, 172.16.186.0/24.

I have my NTP source interface set to the loopback on each of the two routers.

It looks like my NTP packets are going through the VPN tunnel.

If you are still having this problem, could you post your configs (sanitized)?

New Member

Re: EZVPN leaking netflow and ntp to ISP

My apologies for not being clearer in an earlier post. I had set the source interface in netflow to loopback1 but I had not set the source interface in sntp.

Once I set the sntp source to loopback1, sntp traffic started traversing the tunnel.

Cisco Employee

Re: EZVPN leaking netflow and ntp to ISP

I believe (never tried it myself to be honest) that you need a recent IOS release, i.e. 12.4(24)T or later (e.g. 12.4(24)T2 or 15.0(1)M) and even then only Flexible Netflow will work.

Not sure about NTP, this might require a recent IOS as well.

New Member

Re: EZVPN leaking netflow and ntp to ISP

NTP is fixed if I use SNTP with the source-interface of Loopback1. But Netflow continues to fail. I am running 12.4(24)T2. I configured Flexible Netflow and it causes Verizon to shut down the cellular interface sooner than old Netflow did; it must generate more packets.

Here is my flexible netflow config:

flow exporter Raleigh
 destination 10.x.x.x
 source Loopback1
!
flow monitor MMM-1
 record netflow-original
 exporter Raleigh
!
interface Cellular0
 ip flow monitor MMM-1 input
!
interface Vlan1
 ip flow monitor MMM-1 input

Cisco Employee

Re: EZVPN leaking netflow and ntp to ISP

Strange... did you remove the old config? Is your collector receiving netflow data from the router now?

New Member

Re: EZVPN leaking netflow and ntp to ISP

I didn't completely remove the old config. I removed the export line:

ip flow-export destination 10.x.x.x 9995

My collector is not receiving Netflow data. It's going directly out the Cellular0 port (not the tunnel). Verizon detects an invalid source IP (my Loopback1 address) and after 20 invalid packets drops the connection.

Cisco Employee

Re: EZVPN leaking netflow and ntp to ISP

Try this:

flow exporter Raleigh
 output-features

New Member

Re: EZVPN leaking netflow and ntp to ISP

Looks like it's working!!!

My collector is receiving netflow data from the router. Verizon has not dropped my connection in 10 minutes. It was going down every 2 minutes. I've had a TAC case open for two weeks and you solved it in two days. I'll keep testing the connection the rest of the day.

Thanks

Mike

New Member

Re: EZVPN leaking netflow and ntp to ISP

Still working. Didn't go down all weekend. Thanks again for everyone's help.
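For reference, here is the remote-side configuration the thread converges on, assembled as an added example; it is not the original poster's config and not a Cisco document. The EZVPN profile name, group, peer, interface addresses and collector/time-server addresses are assumed placeholders, and the cellular dial/chat-script lines are omitted because the thread does not show them.

```cisco
! Added example: EZVPN Network Extension Mode remote (881-class router on a
! cellular uplink) whose router-generated NetFlow export and SNTP traffic
! must traverse the IPsec tunnel instead of leaving Cellular0 in the clear
! with a private source address. All names and addresses below are assumed
! placeholders, not values from the thread.
!
crypto ipsec client ezvpn EZVPN-HQ
 connect auto
 group HQ-GROUP key HQ-GROUP-PSK
 mode network-extension
 peer 203.0.113.10
!
! Loopback that sources all router-originated management traffic. It is
! declared an EZVPN inside interface so its /32 is part of the encryption
! domain: a source address outside the domain is exactly what was leaking.
interface Loopback1
 description Source for NetFlow export and SNTP
 ip address 10.20.1.1 255.255.255.255
 crypto ipsec client ezvpn EZVPN-HQ inside
!
interface Vlan1
 description Site LAN
 ip address 10.20.2.1 255.255.255.0
 ip flow monitor MMM-1 input
 crypto ipsec client ezvpn EZVPN-HQ inside
!
interface Cellular0
 description Carrier uplink (EZVPN outside)
 ip address negotiated
 ip flow monitor MMM-1 input
 crypto ipsec client ezvpn EZVPN-HQ
!
! Flexible NetFlow. "output-features" is the line that fixed the thread:
! without it the exporter's packets are handed straight to the outbound
! interface and skip the crypto processing that would encrypt them.
! Classic "ip flow-export" has no equivalent on this release, so its
! destination line is removed rather than left alongside the exporter.
flow exporter Raleigh
 destination 10.10.10.10
 source Loopback1
 transport udp 9995
 output-features
!
flow monitor MMM-1
 record netflow-original
 exporter Raleigh
!
! SNTP client sourced from the loopback so time requests enter the tunnel
! with an inside address (the "ntp source" form applies where full NTP
! rather than SNTP is in use).
sntp server 10.10.10.20
sntp source-interface Loopback1
```

Two checks confirm the packets are actually taking the tunnel rather than merely being sourced from the right address: the encaps counter in "show crypto ipsec sa" should climb with each export interval, and "show flow exporter Raleigh statistics" should show the exported datagrams being sent; the carrier-side "invalid source" drops should stop at the same time. Marking the loopback with "inside" is one way to put it in the encryption domain; the "acl" option under the ezvpn profile that the original poster tried is the other, but either way the source address must fall inside the domain, and the exporter still needs "output-features" for NetFlow.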
