Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1063
Views
0
Helpful
2
Replies

Netflow not working through firewall over VPN

it
Level 1
Level 1

‎02-12-2011 01:54 PM

I'm trying to gather netflow data from a router at another site that's linked with an IPSEC VPN.

Here's a quick network map:

[Collector]------[HQ 2801 router]------[HQ ASA Firewall]-------VPN---------[Remote 2801 router]

I'm able to collect netflow data from the HQ 2801 but not the ASA firewall (directly connected to HQ 2801 but on a different subnet) or the Remote 2801.

One thing I've noticed is that I can't ping from the command line of the Remote 2801 to any hosts behind the HQ 2801.  Obviously hosts from behind the Remote 2801 can ping the HQ subnet but not from the actual command line.  This makes me think it's a NAT issue but my attempts to confirm or deny this suspicion has only resulted in breaking the VPN connection.

Ideas?  Suggestions?

Thanks!

Labels:
0 Helpful
2 Replies 2

it
Level 1
Level 1

‎02-14-2011 07:40 AM

I made some headway; It turns out my collector (Liveaction from ActionPacked Networks) was too old and didn't understand Netflow version 9.  However I'm still not receiving flow data from the Remote 2801.  I think the problem is NAT related since I'm not able to TFTP or ping the HQ from the Remote 2801.

Suggestions?

0 Helpful

it
Level 1
Level 1

‎02-14-2011 10:45 AM

Apparently I need to enable Flexible Netflow to get the NF data to go over the tunnel.  I found a sample configuration from here:  http://thwack.com/forums/48/orion-family/9/network-performance-monitor/24216/exporting-netflow-over-ipsec-v/

The configuration is as follows:

flow exporter dwtmonitor

destination 10.0.16.172

source Loopback0

transport udp 2055

output-features

flow monitor default-export

record netflow-original

exporter dwtmonitor

ip flow monitor default-export output command under the interface on which crypto is applied :

interface Serial0/0/0:0

description AT&T CID #DHEC 020497

ip flow monitor default-export output

ip flow ingress

ip inspect INBOUND in

crypto map Anchorage

However the "flow exporter " and "flow monitor " commands don't work.  On my 2801 I can configure "flow " but there's no options like "destination".

Perhaps flexible netflow isn't availble for Verision 12.4(25b) Advance IP Services?  Can anyone confirm/deny?

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card