
New Member

GETVPN and nbar

Hello community,

we are running GETVPN on our branches and the need arose to figure out what traffic is running from branch to main site. So, I thought of enabling nbar and using Manage Engine Netflow Analyzer to graphically represent the traffic. My problem is that the router never gets managed by the netflow analyzer and on the main site I get a message:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.130.21.62, src_addr= 192.168.1.250, prot= 17

(where 10.130.21.62 is my netflow analyzer and 192.168.1.250 is the router's loopback).

I am using "ip flow-export source Loopback0" to export traffic.

So my question is:

Is traffic originating from the router itself not encrypted? Is this what is causing my problem?

I will also try to see what happens if I change the flow-export source to a physical interface...

Any insight on how to solve this problem will be highly appreciated.

Thanks in advance,

Katerina

1 ACCEPTED SOLUTION

Cisco Employee

Re: GETVPN and nbar

Hi,

Yes, you'd need to have a CCO login in order to use the bug toolkit, but here is the bug description:

CSCsk25481 Bug Details
Flexible Netflow export packets not encrypted

Symptoms:

IOS does not encrypt NetFlow export packets which originate from the router itself. This is day 0
functionality as features are not applied to NetFlow export packets and never have been.

The solution to this does not fix the above for Cisco's older netflow-switch code but rather
provides the ability to encrypt outgoing NetFlow export packets for the newer flexible-netflow
product.

Conditions:

NetFlow or Flexible NetFlow must be configured to do data export for the issue to be seen.

Workaround:

There is no workaround

You don't really need 15.0 code to make this work, anything later than 12.4(20)T should do. What you need is the command "output-features" under the flow exporter configuration. Could you give it a try and let us know if that helps?

Thanks,

Wen

6 REPLIES
Cisco Employee

Re: GETVPN and nbar

Hi,

This is a known problem with Netflow and IPSec, you can find more info about this limitation here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk25481. It's been addressed in IOS version 12.4(20)T and later, and you must use flexible netflow (as opposed to legacy netflow) to make it work. Hope this helps.

Thanks,

Wen

New Member

Re: GETVPN and nbar

Hello Wen and thanks for your reply.

Unfortunately I do not have access to the link you recommended. I will try to use flexible netflow and let you know!

Thanks,

Katerina

New Member

Re: GETVPN and nbar

Hello Wen,

I tried the following config:

flow exporter export-to-NetflowAnalyzer
 destination 10.130.21.62
 source Loopback0
 transport udp 9996
 template data timeout 60
!
!
flow monitor flow-monitor
 record netflow-original
 exporter export-to-NetflowAnalyzer
 cache timeout active 60

interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.250.1 255.255.255.0
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output
 duplex auto
 speed auto

But I seem to get the same error message on the other router:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.130.21.62, src_addr= 192.168.1.250, prot= 17

We are running c2801-adventerprisek9-mz.124-24.T3.bin on the routers. I read in the following link "http://www.networkworld.com/community/node/48191" something about upgrading to IOS version 15.

Any comments?
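
The two symptoms in this thread, a flow exporter without "output-features" and the %CRYPTO-4-RECVD_PKT_NOT_IPSEC messages on the receiving router, can be checked together from a config dump and a syslog feed. The following is an added example, not code from the thread or from Cisco: it lints Flexible NetFlow exporter blocks for the missing "output-features" line and correlates the cleartext-packet alerts with configured exporter destinations. The sample config and log lines are constructed from the values quoted above; the parser assumes the usual IOS single-space indentation of sub-commands and the message format exactly as shown in the thread.

```python
import re
from collections import Counter

# Constructed sample: the exporter/monitor config posted above, still
# lacking "output-features". IOS indents sub-commands with one space.
SAMPLE_CONFIG = """\
flow exporter export-to-NetflowAnalyzer
 destination 10.130.21.62
 source Loopback0
 transport udp 9996
 template data timeout 60
!
flow monitor flow-monitor
 record netflow-original
 exporter export-to-NetflowAnalyzer
 cache timeout active 60
"""

# Constructed sample: the same exporter with the recommended fix applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " template data timeout 60\n",
    " template data timeout 60\n output-features\n",
)

# Constructed sample syslog lines: two copies of the message quoted in the
# thread plus one alert to an unrelated address that correlation must skip.
SAMPLE_LOGS = [
    "%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= /10.130.21.62, src_addr= 192.168.1.250, prot= 17",
    "%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= /10.130.21.62, src_addr= 192.168.1.250, prot= 17",
    "%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= /10.130.21.99, src_addr= 192.168.1.250, prot= 1",
]

LOG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?"
    r"vrf/dest_addr=\s*(?P<vrf>[^\s/]*)/(?P<dst>[\d.]+),\s*"
    r"src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)"
)


def parse_exporters(config):
    """Return {exporter_name: {"destination": ip, "output_features": bool}}."""
    exporters = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Top-level line: a new "flow exporter" block, or the end of the
            # current one ("!", "flow monitor", "interface", ...).
            m = re.match(r"flow exporter (\S+)$", raw.strip())
            current = m.group(1) if m else None
            if current:
                exporters[current] = {"destination": None,
                                      "output_features": False}
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd.startswith("destination "):
            exporters[current]["destination"] = cmd.split()[1]
        elif cmd == "output-features":
            exporters[current]["output_features"] = True
    return exporters


def exporters_missing_output_features(config):
    """Exporters whose export packets get no output features (e.g. IPsec)."""
    return sorted(name for name, exp in parse_exporters(config).items()
                  if not exp["output_features"])


def parse_not_ipsec(line):
    """Extract vrf/dst/src/protocol from a RECVD_PKT_NOT_IPSEC message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prot"] = int(rec["prot"])
    rec["vrf"] = rec["vrf"] or "global"   # empty field means global table
    return rec


def correlate(config, log_lines):
    """Count cleartext UDP alerts aimed at a configured exporter destination,
    keyed by (exporter name, source router address)."""
    dests = {exp["destination"]: name
             for name, exp in parse_exporters(config).items()
             if exp["destination"]}
    hits = Counter()
    for line in log_lines:
        rec = parse_not_ipsec(line)
        if rec and rec["prot"] == 17 and rec["dst"] in dests:
            hits[(dests[rec["dst"]], rec["src"])] += 1
    return dict(hits)


if __name__ == "__main__":
    print("missing output-features:", exporters_missing_output_features(SAMPLE_CONFIG))
    print("after fix:", exporters_missing_output_features(FIXED_CONFIG))
    print("cleartext export alerts:", correlate(SAMPLE_CONFIG, SAMPLE_LOGS))
```

Run against a real "show running-config" dump and the hub's syslog, a non-empty result from correlate() for an exporter that also appears in exporters_missing_output_features() is exactly the situation described in this thread: the router's own export packets leaving the loopback in the clear.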

New Member

Re: GETVPN and nbar

Hello,

the truth is I tried flexible netflow with encryption and it failed! Without encryption it works wonderfully. I will configure the "output features" command as you suggested and let you know.

Thanks,

Katerina

New Member

Re: GETVPN and nbar

Hello Wen,

The "output-features" command under the "flow exporter" config solved my problem.

Many many thanks for your help!

Katerina
