I have one remote site which has only IPsec VPN connectivity to a central site. The inside LAN subnet is 10.10.5.0/24.
All other traffic from the site works great, but the NetFlow traffic fails to make it to the central site over the tunnel. Is
there a reason the router itself could not send this traffic through the tunnel? If I do a ping to the NetFlow collection server
using the source address of the interface, 10.10.5.1, that succeeds. Any thoughts appreciated.
[10.10.5.1 2811ISR ]---------IPsec----------[ASA 5510 10.10.10.100]---Ethernet---[Collection Server 10.10.10.152]
interface GigabitEthernet1/0.1
encapsulation dot1Q 1 native
ip address 10.10.5.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet1/0.1
ip flow-export version 5
ip flow-export destination 10.10.10.152 2055
ip flow-top-talkers
Tunnel interesting traffic ACL:
access-list 101 permit ip 10.10.5.0 0.0.0.255 10.0.0.0 0.255.255.255
c2811-1#ping
Protocol [ip]:
Target IP address: 10.10.10.152
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.5.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.152, timeout is 2 seconds:
Packet sent with a source address of 10.10.5.1
!!!!!
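One way to confirm from the collector side whether the router's exports are arriving at all (and with which outer source address), independent of the tunnel question above: listen on UDP 2055 and decode the NetFlow v5 datagrams. The following is an added example, not code from the original post or from any collector product; the export packet it builds is constructed from the topology in the post (a host 10.10.5.25 is an assumed LAN client, the collector is 10.10.10.152), and the field layout is the standard NetFlow v5 header and record format.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List

# NetFlow v5 header (24 bytes) and flow record (48 bytes), network byte order.
NF5_HEADER = struct.Struct(">HHIIIIBBH")
NF5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    nexthop: str
    proto: int
    srcport: int
    dstport: int
    packets: int
    octets: int


def parse_netflow_v5(payload: bytes) -> List[FlowRecord]:
    """Decode one NetFlow v5 export datagram into its flow records.

    Raises ValueError for anything that is not a well-formed v5 packet so a
    truncated or non-NetFlow datagram is reported instead of silently ignored.
    """
    if len(payload) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = (
        NF5_HEADER.unpack_from(payload, 0)
    )
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = NF5_HEADER.size + count * NF5_RECORD.size
    if len(payload) < expected:
        raise ValueError(f"header claims {count} records, need {expected} bytes, got {len(payload)}")

    records = []
    for i in range(count):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        (src, dst, nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, *_rest) = NF5_RECORD.unpack_from(payload, off)
        records.append(FlowRecord(
            src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
            nexthop=socket.inet_ntoa(nexthop), proto=proto,
            srcport=sport, dstport=dport, packets=pkts, octets=octets,
        ))
    return records


def build_sample_export() -> bytes:
    """Constructed sample: one v5 datagram carrying two flows from the remote LAN."""
    header = NF5_HEADER.pack(5, 2, 123456, 1700000000, 0, 1, 0, 0, 0)
    # Assumed client 10.10.5.25 -> collector host over HTTPS (TCP/443).
    rec1 = NF5_RECORD.pack(
        socket.inet_aton("10.10.5.25"), socket.inet_aton("10.10.10.152"),
        socket.inet_aton("0.0.0.0"), 1, 2, 10, 1500, 1000, 2000,
        51000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    # Same client doing DNS (UDP/53) to a host on the central site.
    rec2 = NF5_RECORD.pack(
        socket.inet_aton("10.10.5.25"), socket.inet_aton("10.10.10.10"),
        socket.inet_aton("0.0.0.0"), 1, 2, 2, 160, 3000, 3001,
        40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + rec1 + rec2


def serve(port: int = 2055) -> None:
    """Bind the collector port and print each export's outer source and flows.

    The outer source address tells you what the exporter actually sent from
    (and whether anything rewrote it on the way); it is not called by the test.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (exporter_ip, exporter_port) = sock.recvfrom(65535)
        try:
            flows = parse_netflow_v5(data)
        except ValueError as err:
            print(f"{exporter_ip}:{exporter_port} sent an undecodable datagram: {err}")
            continue
        print(f"export from {exporter_ip}:{exporter_port}, {len(flows)} flow(s)")
        for f in flows:
            print(f"  {f.src}:{f.srcport} -> {f.dst}:{f.dstport} proto={f.proto} "
                  f"pkts={f.packets} octets={f.octets}")


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample_export()):
        print(flow)
```

Run `serve()` on the collection server (or any host standing in for it) while the router is configured as in the post: if no datagrams show up at all, the export is not reaching the central site; if they arrive but the outer source is not 10.10.5.1, something on the path is rewriting the exporter's source address.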