04-29-2009 11:01 AM - edited 03-04-2019 04:35 AM
We have a remote site using a site-to-site VPN connected to headquarters. We want to set up NetFlow on the remote router and send the NetFlow packets back to the collection server at headquarters. NetFlow works fine on the remote router, but the NetFlow packets can't be sent to the collection server at headquarters.
Enclosed are the network diagram and the configuration of the remote router.
We have tried the following.
1. Can't directly ping the collection server from the router, but we can when we do an "extended ping".
2. We did the traceroute as below.
1156#traceroute
Protocol [ip]:
Target IP address: 192.168.32.144
Source address: 192.168.204.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 192.168.32.144
1 192.168.210.1 80 msec 76 msec 100 msec
2 192.168.210.57 80 msec 76 msec 76 msec
3 192.168.32.144 76 msec 80 msec 76 msec
3. Tried to add "ip route 192.168.32.144 255.255.255.255 192.168.210.1".
It didn't work.
4. We can directly ping from the switch behind the router in the remote site.
5. Checked both routers on the IPSec tunnel; there are no blocks.
Please help.
04-29-2009 11:28 AM
Hello Ken,
I may be wrong, but I think you are facing a functional limitation of NetFlow data export.
First of all, NetFlow data export packets are locally generated by the node.
The only feature available on some platforms is the following:
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nflow_export_sctp.html
that is, export using SCTP.
You would need a non-encrypted path to export NetFlow data to HQ, such as a dedicated link or an EoMPLS service.
OR there is a need for additional commands to have locally generated packets encrypted.
The doubts are that these netflow export packets can be many and use already resources with clear text exporting.
Hope to help
Giuseppe
04-29-2009 11:32 AM
Since NetFlow runs over UDP, you may need to add a line to your inspects that allows router-generated packets:
Try:
ip inspect firewall udp router-traffic timeout 3600
HTH,
John
04-29-2009 11:46 AM
John,
The network flow works fine. Most likely I have a routing issue, so the router is not able to send the NetFlow packets to the collection server in the HQ over the site-to-site VPN connectivity.
thanks,
Ken
04-29-2009 11:49 AM
Ken,
NetFlow packets can't send it to the Collection server
I'm a little lost. NetFlow will work fine on the local network, but it's having to traverse the interface that you have your crypto map and CBAC config on to send the traffic to your collector. Because of that, the router-generated packets don't get inspected without the line that I gave you earlier. This isn't to "fix" NetFlow; it was to allow the traffic that the router generates to go through the firewall configuration that you have on your DSL interface. Another test you could do is to remove the inspect and see if that works.
John
04-29-2009 11:52 AM
John,
I have removed the inspect and the QoS policy on the router; no luck.
thanks,
Ken
04-29-2009 12:03 PM
Ken,
It does work through a tunnel as I'm testing it now. And it does work with inspects (and I didn't need to add the line that I gave you).
My current config is:
ip flow-export source bvi1
ip flow-export destination 10.25.5.106 2455
ip flow-export version 5
What type of router are you doing this on, and what version of IOS?
04-29-2009 01:03 PM
Ken,
You are sending the NetFlow records on UDP port 2055. Is there any possibility that this is not the port that your collector is listening on?
I do not see how this could be a routing problem, since the extended traceroute that you do specifies the same source address and the same destination address as your netflow and the traceroute gets to the right place.
HTH
Rick
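For the collector-side check that Rick's question implies (is anything actually arriving on the UDP port the collector listens on, and is it the version 5 format John's config exports?), here is an added example that is not from this thread or from Cisco: a small Python decoder for NetFlow v5 export datagrams, with a constructed test packet builder. The port 2055, the addresses and the flow values are assumptions for illustration.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5(flows, uptime_ms=120000, unix_secs=1240000000, sequence=0):
    """Build a constructed v5 export datagram (test data, not a capture) from
    (src, dst, proto, sport, dport, packets, octets) tuples."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, packets, octets, uptime_ms - 5000, uptime_ms, sport, dport,
                       0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, packets, octets in flows)
    return header + records


def parse_v5(datagram):
    """Decode one export datagram; raise ValueError if it is not well-formed NetFlow v5."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError(f"datagram too short ({len(datagram)} bytes)")
    version, count, uptime_ms, unix_secs, _, sequence, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header says {count} records but length is {len(datagram)}")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "proto": r[13], "sport": r[9], "dport": r[10],
                      "packets": r[5], "octets": r[6]})
    return {"sequence": sequence, "uptime_ms": uptime_ms, "unix_secs": unix_secs, "flows": flows}


def receive_one(port=2055, timeout=30.0):
    """Bind the collector port and decode the first datagram that arrives (None on timeout).
    Returns (exporter_ip, parsed) so you can confirm which source address the router used."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", port))
        try:
            data, (exporter, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return exporter, parse_v5(data)
```

Stop the real collector first (only one process can bind the port), then call `receive_one()` on the collector host: a `None` result means nothing reached the port at all, while a decoded datagram shows the exporter address and version the router actually used.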