Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1650
Views
0
Helpful
3
Replies

Cisco 5510 exporting netflow over a IPSEC VPN

craig.corbett
Level 2
Level 2

‎09-03-2012 06:10 AM - edited ‎03-11-2019 04:49 PM

Hi, we have a local Netflow collector working fine. We also have a centralised collector that we’d like to use to send the same Netflow data, but it is not being received. We need to send the data via an IPSEC VPN.

When I do a 'show flow-export counters' I can see the packets sent increasing. The local collector is receive netflow data. I am using the below config, 

Any pointers of what’s going wrong greatly appreciated.

Thanks.

********************************************************************

access-list global_mpc extended permit ip any any

!

!IP far end of VPN

!

flow-export destination outside 10.xx.10.xxx 2055

!IP local lan

flow-export destination inside 10.xx.20.xxx 2055

!

flow-export template timeout-rate 1

flow-export delay flow-create 20

!

class-map global-class

match access-list global_mpc

!            

policy-map global_policy

!

class global-class

   flow-export event-type all destination 10.xx.10.xxx 10.xx.20.xxx

class class-default

flow-export event-type all destination 10.xx.10.xxx 10.xx.20.xxx

!

Labels:
0 Helpful
3 Replies 3

craig.corbett
Level 2
Level 2

‎09-03-2012 06:16 AM

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(1)

Hardware:   ASA5510, 1024 MB RAM

0 Helpful

Don Jacob
Level 1
Level 1
In response to craig.corbett

‎10-07-2012 11:07 PM

Is the source interface for NetFlow export the IPSec tunnel? If so, it is a limitation of NetFlow that, when exported over IPSec, self originating NetFlow packets are not exported. The solution is to use Flexible NetFlow (FNF - NetFlow v9) but Cisco ASA currently does not support FNF.

The below link has some details on the bug:

http://blogs.manageengine.com/netflowanalyzer/2011/04/01/netflow-data-export-over-ipsec-tunnels/

Regards,

Don Thomas Jacob

www.netflowanalyzer.com

NOTE: Please rate posts and close questions if you have got your answer.

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.
0 Helpful

craig.corbett
Level 2
Level 2
In response to Don Jacob

‎11-09-2012 04:37 AM

In case anyone else encounters the same issue, turned out we needed to upgrade.

Running Software Version 8.2(5) and all is well.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card