topic Re: Netflow not going through VPN in Network Security

Netflow not going through VPN

jasonww04 — Fri, 21 Feb 2020 12:07:05 GMT

Here is my config on a Cisco 1841. The Netflow server is 10.11.1.61 which is behind an ISA firewall. The ISA firewall has been set to allow Netflow traffic from 172.18.32.1 to 10.11.1.61. However, it never sees any traffic even attempting to reach 10.11.1.61 from 172.18.32.1. Is there something missing from my router config?

ip cef

ip flow-cache timeout inactive 10
ip flow-cache timeout active 1

interface FastEthernet0/0
ip address 172.18.32.1 255.255.255.0
ip route-cache flow
ip nat inside

ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.11.1.61 9996

ip access-list extended NAT
deny ip any 10.11.0.0 0.0.255.255
permit ip 172.18.32.0 0.0.0.255 any

ip access-list extended VPN
permit ip 172.18.32.0 0.0.0.255 10.11.0.0 0.0.255.255
permit ip 172.18.32.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 172.18.32.0 0.0.0.255 10.15.1.0 0.0.0.255
permit ip 172.20.32.0 0.0.0.255 10.18.0.0 0.0.0.255

Re: Netflow not going through VPN

wzhang — Fri, 15 Oct 2010 01:49:44 GMT

Hi,

So the netflow traffic is supposed to go over the IPSec tunnel before reaching the collector behind the remote tunnel end point? If so, This is a known problem with Netflow and IPSec, you can find more info about this limitation here:http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk25481. It's been addressed in IOS version 12.4(20)T and later, however you must use flexible netflow (as opposed to legacy netflow) to make it work with the command "output-features" under the "flow exporter" config. Hope this helps.

Thanks,

Wen

Re: Netflow not going through VPN

jasonww04 — Wed, 27 Oct 2010 15:58:03 GMT

So I used the Flexible Netflow config guide to set up Netflow on my router. Still, nothing reaches the appliance on the other end. Am I missing anything?

flow exporter test
destination 10.11.1.61
source Vlan1
output-features
transport udp 9996
export-protocol netflow-v5

interface FastEthernet4
description WAN
ip address dhcp
ip flow monitor Test input

flow monitor Test
record netflow ipv4 original-input

Re: Netflow not going through VPN

wzhang — Wed, 27 Oct 2010 20:08:41 GMT

Hi,

Looking at the original post, I guess we can use a little clarification on the problem itself. I assume your vpn is working fine? and if you were to ping the netflow collector from the exporter source interface, that ping would go over the tunnel and also work just fine? Can I also assume flow export works fine without VPN (by looking at flow statistics, debug, etc.), and it's only not working with VPN enabled? When you do have a problem, does the flow export traffic not go out at all, or does it go out in the clear? Also, what version of IOS are you running?

Thanks,

Wen

Re: Netflow not going through VPN

jasonww04 — Wed, 27 Oct 2010 20:44:01 GMT

VPN is working fine.

I can ping the collector from the source interface through the tunnel.

I don't have any collector to send to outside of the VPN. When I run debug, I get the following which makes me think at least the router is trying to send to the flow through the VPN.

Oct 27 11:50:37: IPFLOW: Sending UDP export pak 1098 to 10.11.1.61 port 9996
Oct 27 11:50:49: IPFLOW: Sending UDP export pak 1114 to 10.11.1.61 port 9996
Oct 27 11:51:02: IPFLOW: Sending UDP export pak 1126 to 10.11.1.61 port 9996
Oct 27 11:51:15: IPFLOW: Sending UDP export pak 1151 to 10.11.1.61 port 9996

The statistics also indicate no issues.

Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 172.18.244.1 (Vlan1)
Destination(1) 10.11.1.61 (9996)
Version 5 flow records
449 flows exported in 29 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures

IOS is 12.4(24)T3.

Re: Netflow not going through VPN

wzhang — Fri, 29 Oct 2010 14:24:40 GMT

Hi,

Can you change your crypto ACL to a host based ACL instead of network, ie., 172.18.244.1->10.11.1.61, and look at the "show crypto ipsec sa" output to see if you are seeing encrypts for that flow? We need to change the ACL so that we can separate the netflow export traffic from other background traffic going into the tunnel. This would at least tell us whether the router is attempting to encrypt the exporter traffic.

Thanks,
Wen

Re: Netflow not going through VPN

jasonww04 — Fri, 29 Oct 2010 20:44:18 GMT

I will try that and let you know the outcome.

Re: Netflow not going through VPN

wzhang — Fri, 29 Oct 2010 20:58:52 GMT

Also, the above show and debug output seems to come from a legacy netflow configuration, and not flexible netflow. Were these captured with your new configuration? Note in order to work with crypto, you have to use Flexible Netflow.

Thanks,

Wen

Re: Netflow not going through VPN

jasonww04 — Mon, 01 Nov 2010 16:49:48 GMT

I will change to Flexible Netflow and isolate the traffic through the VPN.

Re: Netflow not going through VPN

jasonww04 — Mon, 01 Nov 2010 17:23:25 GMT

Isolated VPN traffic to just 172.18.244.1 to 10.11.1.61 and set up Flexible Netflow. When I clear crypto isa and crypto sa, show crypto ipsec sa shows 0 packets being encrypted.

If I ping 10.11.1.61 source 172.18.244.1, then I get packets encrypted.

Show flow exporter statistics says I have hundreds of successfully sent packets.

Here is my config:

flow exporter test
destination 10.11.1.61
source Vlan1
transport udp 9996
!
!
flow monitor test
record netflow ipv4 original-input
exporter test

interface FastEthernet4
description WAN
ip address dhcp
ip flow monitor test input

Re: Netflow not going through VPN

wzhang — Mon, 01 Nov 2010 17:26:28 GMT

Hi,

Could you add "output-features" under the flow exporter configuration and try again?

Thanks,

Wen

Re: Netflow not going through VPN

jasonww04 — Mon, 01 Nov 2010 18:17:22 GMT

Adding output-features seems to have done the trick. The tunnel comes up automatically since Netflow traffic is actually passing. Now I need to figure out the other end. Thanks for your help.