02-19-2009 01:05 PM - edited 02-21-2020 03:18 AM
I have a basic IPSec tunnel between a 1841 (site A) and a non-Cisco (site B) router. All appears okay, but the only way I can ping site B from the 1841 is to source the private interface. How can I make it so this is permanent? I would like syslog and NetFlow data to go to a host on site B (originating from the 1841), but it doesn't know where to go.
Thanks
Greg P
02-19-2009 04:20 PM
ip flow-export source F0/1
logging source-interface F0/1
where F0/1 is the private interface.
Easy right?
02-20-2009 07:18 AM
Well, the logging source-interface worked perfectly, but I'm still not getting NetFlow data over the VPN.
Any more ideas?
Thanks
Greg
02-20-2009 01:27 PM
Greg
Using commands to specify the source interface for various kinds of traffic is a very good solution. But when it does not work (or a source interface command does not exist for that kind of traffic) there is another alternative.
To understand the alternative first let us be clear how the IPSec VPN works. There is an access list which is used to determine which traffic should be carried through the VPN tunnel. Typically that access list specifies traffic with source addresses from the inside network (and includes the router inside interface). So traffic which is sourced from the outside interface typically does not match and does not go through the tunnel.
So an alternative is to add statements to the access list which will match and permit certain types of traffic which are sourced from the outside interface address (such as your netflow).
HTH
Rick
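The two approaches discussed in this thread (source-interface commands for router-originated traffic, and widening the crypto ACL for traffic the router sends from its outside address) in one IOS configuration. This is an added example, not configuration from the original posters; the interface names, the inside/outside/peer addresses, the collector address 10.2.0.50, the transform set, and the ACL and crypto map names are all assumed for illustration.

```ios
! --- Preferred: make router-originated traffic leave from the inside address ---
! Syslog and NetFlow then carry the inside address as source and match the
! LAN-to-LAN crypto ACL entry like any other inside-sourced packet.
logging source-interface FastEthernet0/1
logging host 10.2.0.50
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 10.2.0.50 2055
!
interface FastEthernet0/1
 description inside LAN (assumed 10.1.0.0/24)
 ip address 10.1.0.1 255.255.255.0
 ip flow ingress
!
! --- Alternative from Rick's reply: also match traffic sourced from the outside address ---
! The first permit is the usual LAN-to-LAN entry. The host entries cover packets the
! router originates from its outside address (assumed 203.0.113.2) to the collector.
! Site B's VPN domain / proxy IDs must mirror these entries or Phase 2 will not
! negotiate for the new host pair.
ip access-list extended VPN-TO-SITEB
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit udp host 203.0.113.2 host 10.2.0.50 eq 2055
 permit udp host 203.0.113.2 host 10.2.0.50 eq 514
!
crypto ipsec transform-set TS-SITEB esp-aes esp-sha-hmac
!
crypto map SITEB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-SITEB
 match address VPN-TO-SITEB
!
interface FastEthernet0/0
 description outside / Internet (assumed 203.0.113.2)
 ip address 203.0.113.2 255.255.255.0
 crypto map SITEB
```

To check which path a given flow is taking, compare `ping 10.2.0.50 source FastEthernet0/1` against a plain `ping 10.2.0.50`, and watch `show crypto ipsec sa` for the packet counters on the SA whose local/remote identities match the source you used; a separate SA should appear for the host-to-host entries once the peer accepts them. Keep the extra host entries as narrow as the example shows, since every additional permit in the crypto ACL is traffic the far side must also be willing to accept through the tunnel.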
02-20-2009 06:07 PM
"So an alternative is to add statements to the access list which will match and permit certain types of traffic which are sourced from the outside interface address (such as your netflow)."
You're making it look harder than necessary. The previous solution I suggested works fine. I just tested it between a Cisco 3640 and a Checkpoint NGX firewall site-to-site VPN, with the NetQoS NetFlow collector sitting behind the Checkpoint NGX firewall. I was able to source the NetFlow from the internal interface of the 3640.
When things do not work and the source-interface option is available, one needs to troubleshoot as to why it is not working.
my 2c
02-21-2009 09:01 AM
Your 2c is appreciated. Greg stated that he had not gotten the NetFlow to work and asked for other ideas. I gave him another idea, as he requested.
If he were to ask which is the better solution I would agree that setting the source interface is preferable. But that is not what he asked. And I answered the question that he did ask.
HTH
Rick
02-23-2009 06:31 AM
Agreed. I was preparing my switch to dump the traffic to my desktop so I could sniff it and establish the culprit. I did find numerous other examples where other users had the same issue. Seems there might be a bug in some versions when NetFlow is sourced from the same router that is also doing non-tunnel-type VPN. I did not research fully, as I learned that my monitoring package handled version 9 NetFlow, so I set up Flexible NetFlow instead and it works.
thanks for the help.
Greg
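A Flexible NetFlow configuration of the kind Greg says resolved his problem, exporting version 9 records to a collector across the tunnel with the export sourced from the inside interface. This is an added example and not Greg's configuration; the collector address 10.2.0.50, UDP port 2055, the interface names, and the record/exporter/monitor names are assumed. Flexible NetFlow is only available on IOS releases that support it.

```ios
! Key fields define a flow; collect fields are exported with it.
flow record FNF-IPV4-BASIC
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! The exporter carries its own source interface, so the v9 packets leave
! from the inside address (assumed 10.1.0.1) and match the LAN-to-LAN
! crypto ACL without any changes to the tunnel definition.
flow exporter FNF-TO-SITEB
 destination 10.2.0.50
 source FastEthernet0/1
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
flow monitor FNF-MON
 record FNF-IPV4-BASIC
 exporter FNF-TO-SITEB
 cache timeout active 60
 cache timeout inactive 15
!
interface FastEthernet0/0
 description outside / Internet
 ip flow monitor FNF-MON input
!
interface FastEthernet0/1
 description inside LAN
 ip flow monitor FNF-MON input
```

`show flow exporter FNF-TO-SITEB statistics` shows whether export packets are being sent, and `show flow monitor FNF-MON cache` shows the flows currently being tracked. Because version 9 is template-based, the collector cannot decode data records until it has received a template, so the `template data timeout` keeps templates resent often enough that a collector restarted mid-stream recovers within a minute.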