I have a strange issue. I have a VPN between a C3745 and an ASA 5510. The VPN is up and traffic passes through... However, when it comes to Netflow, there is a strange behaviour... ASA only receives packets every 2 seconds... The strange thing is that, if I remove the VPN config, traffic flows a lot more... Here is the router config....
sh access-lists NETFLOW_ACL
Extended IP access list NETFLOW_ACL
    2 permit ip host 10.10.10.3 host 172.16.0.8 (2066 matches)
    10 permit ip host 10.10.10.3 172.16.0.0 0.0.255.255 (29742615 match)

RPCO1INT1#sh run int loopback 0
Building configuration...

Current configuration : 100 bytes
!
interface Loopback0
 ip address 10.10.10.3 255.255.255.255
end

interface FastEthernet0/0
 ip address 220.127.116.11 255.255.255.192
 no ip redirects
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 speed 100
 full-duplex
 no cdp enable
 crypto map NETFLOW_MAP
end

ip route 172.16.0.0 255.255.0.0 18.104.22.168
ip route 172.16.0.8 255.255.255.255 FastEthernet0/0

ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 172.16.0.8 2055
Also, I noticed this netflow message:
RPCO1INT1#sh ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 10.160.94.8 (2055)
  Exporting using source interface Loopback0
  Version 5 flow records
  1270731035 flows exported in 43918935 udp datagrams
  0 flows failed due to lack of export packet
  4839235 export packets were sent up to process level
  0 export packets were dropped due to no fib
  20547097 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

Adjacency issues... It always increases fast, while the sent up to process level counter increases by 1 every 2 seconds...
This has been addressed in IOS version 12.4(20)T and later, however you must use flexible netflow (as opposed to legacy netflow) to make it work by using the command "output-feature" under the flow exporter configuration. Hope this helps.
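To confirm the pattern described in this thread (adjacency drops climbing quickly while the process-level counter moves by about one every two seconds), two `sh ip flow export` captures can be compared. The following Python script is an added example, not part of the original posts: the first snapshot uses the counter values from the question, the second is constructed as if taken 10 seconds later, and the function names are hypothetical.

```python
import re

# First snapshot: counter values copied from the output in the post.
# Second snapshot: constructed for this example, as if taken 10 s later.
SNAP_1 = """\
1270731035 flows exported in 43918935 udp datagrams
0 flows failed due to lack of export packet
4839235 export packets were sent up to process level
0 export packets were dropped due to no fib
20547097 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
"""
SNAP_2 = """\
1270731185 flows exported in 43918940 udp datagrams
0 flows failed due to lack of export packet
4839240 export packets were sent up to process level
0 export packets were dropped due to no fib
20551097 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
"""

EXPORTED = re.compile(r"\s*(\d+) flows exported in (\d+) udp datagrams")
COUNTER = re.compile(r"\s*(\d+) ((?:flows failed|export packets were) .+?)\s*$")

def parse_flow_export(text):
    """Map each counter description to its integer value."""
    counters = {}
    for line in text.splitlines():
        if m := EXPORTED.match(line):
            counters["flows exported"] = int(m.group(1))
            counters["udp datagrams"] = int(m.group(2))
        elif m := COUNTER.match(line):
            counters[m.group(2)] = int(m.group(1))
    return counters

def rates(before, after, seconds):
    """Per-second growth of every counter present in both snapshots."""
    a, b = parse_flow_export(before), parse_flow_export(after)
    return {k: (b[k] - a[k]) / seconds for k in a if k in b}

def growing_failures(per_second):
    """Drop/failure counters that are still increasing."""
    return sorted(k for k, r in per_second.items()
                  if r > 0 and ("dropped" in k or "failed" in k))

if __name__ == "__main__":
    r = rates(SNAP_1, SNAP_2, 10)
    for name in growing_failures(r):
        print(f"{r[name]:8.1f}/s  {name}")
    print(f"{r['export packets were sent up to process level']:8.1f}/s  process level")
```

Taking the same pair of captures after a configuration change shows whether the adjacency drop counter has stopped growing.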