10-14-2010 09:17 AM - edited 02-21-2020 04:07 AM
Here is my config on a Cisco 1841. The Netflow server is 10.11.1.61 which is behind an ISA firewall. The ISA firewall has been set to allow Netflow traffic from 172.18.32.1 to 10.11.1.61. However, it never sees any traffic even attempting to reach 10.11.1.61 from 172.18.32.1. Is there something missing from my router config?
ip cef
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
interface FastEthernet0/0
 ip address 172.18.32.1 255.255.255.0
 ip route-cache flow
 ip nat inside
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.11.1.61 9996
ip access-list extended NAT
 deny   ip any 10.11.0.0 0.0.255.255
 permit ip 172.18.32.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 172.18.32.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.32.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 172.18.32.0 0.0.0.255 10.15.1.0 0.0.0.255
 permit ip 172.20.32.0 0.0.0.255 10.18.0.0 0.0.0.255
10-14-2010 06:49 PM
Hi,
So the netflow traffic is supposed to go over the IPSec tunnel before reaching the collector behind the remote tunnel end point? If so, this is a known problem with Netflow and IPSec; you can find more info about this limitation here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk25481. It's been addressed in IOS version 12.4(20)T and later; however, you must use flexible netflow (as opposed to legacy netflow) to make it work, with the command "output-features" under the "flow exporter" config. Hope this helps.
Thanks,
Wen
10-27-2010 08:58 AM
So I used the Flexible Netflow config guide to set up Netflow on my router. Still, nothing reaches the appliance on the other end. Am I missing anything?
flow exporter test
 destination 10.11.1.61
 source Vlan1
 output-features
 transport udp 9996
 export-protocol netflow-v5
interface FastEthernet4
 description WAN
 ip address dhcp
 ip flow monitor Test input
flow monitor Test
 record netflow ipv4 original-input
10-27-2010 01:08 PM
Hi,
Looking at the original post, I guess we can use a little clarification on the problem itself. I assume your VPN is working fine, and if you were to ping the netflow collector from the exporter source interface, that ping would go over the tunnel and also work just fine? Can I also assume flow export works fine without VPN (by looking at flow statistics, debug, etc.), and it's only not working with VPN enabled? When you do have a problem, does the flow export traffic not go out at all, or does it go out in the clear? Also, what version of IOS are you running?
Thanks,
Wen
10-27-2010 01:44 PM
VPN is working fine.
I can ping the collector from the source interface through the tunnel.
I don't have any collector to send to outside of the VPN. When I run debug, I get the following, which makes me think at least the router is trying to send the flow through the VPN.
Oct 27 11:50:37: IPFLOW: Sending UDP export pak 1098 to 10.11.1.61 port 9996
Oct 27 11:50:49: IPFLOW: Sending UDP export pak 1114 to 10.11.1.61 port 9996
Oct 27 11:51:02: IPFLOW: Sending UDP export pak 1126 to 10.11.1.61 port 9996
Oct 27 11:51:15: IPFLOW: Sending UDP export pak 1151 to 10.11.1.61 port 9996
The statistics also indicate no issues.
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       172.18.244.1 (Vlan1)
    Destination(1)  10.11.1.61 (9996)
  Version 5 flow records
  449 flows exported in 29 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
IOS is 12.4(24)T3.
10-29-2010 07:24 AM
Hi,
Can you change your crypto ACL to a host based ACL instead of network, ie., 172.18.244.1->10.11.1.61, and look at the "show crypto ipsec sa" output to see if you are seeing encrypts for that flow? We need to change the ACL so that we can separate the netflow export traffic from other background traffic going into the tunnel. This would at least tell us whether the router is attempting to encrypt the exporter traffic.
Thanks,
Wen
10-29-2010 01:44 PM
I will try that and let you know the outcome.
10-29-2010 01:58 PM
Also, the above show and debug output seems to come from a legacy netflow configuration, and not flexible netflow. Were these captured with your new configuration? Note in order to work with crypto, you have to use Flexible Netflow.
Thanks,
Wen
11-01-2010 09:49 AM
I will change to Flexible Netflow and isolate the traffic through the VPN.
11-01-2010 10:23 AM
Isolated VPN traffic to just 172.18.244.1 to 10.11.1.61 and set up Flexible Netflow. When I clear crypto isa and crypto sa, show crypto ipsec sa shows 0 packets being encrypted.
If I ping 10.11.1.61 source 172.18.244.1, then I get packets encrypted.
Show flow exporter statistics says I have hundreds of successfully sent packets.
Here is my config:
flow exporter test
 destination 10.11.1.61
 source Vlan1
 transport udp 9996
!
!
flow monitor test
 record netflow ipv4 original-input
 exporter test
interface FastEthernet4
 description WAN
 ip address dhcp
 ip flow monitor test input
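The check Wen proposed (narrow the crypto ACL to the exporter host pair, then compare the exporter's send counter with the SA's encrypt counter) is the one piece of this thread worth automating when you have many routers to audit. The script below is an added example, not from the thread or from Cisco: it parses constructed `show crypto ipsec sa` and `show flow exporter statistics` text (the sample output and the peer/WAN addresses are made up; the line layout assumes the usual IOS 12.4T formatting of those two commands) and flags the exact symptom reported above, where the exporter claims hundreds of packets sent while the host-to-host SA shows zero encrypts.

```python
import re

# Constructed sample of "show crypto ipsec sa" after the crypto ACL was narrowed to
# host 172.18.244.1 -> host 10.11.1.61. Peer and local WAN addresses are placeholders.
SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet4
    Crypto map tag: VPN, local addr 198.51.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.244.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.11.1.61/255.255.255.255/0/0)
   current_peer 203.0.113.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample of "show flow exporter statistics" for the exporter named "test".
SHOW_FLOW_EXPORTER_STATS = """\
Flow Exporter test:
  Packet send statistics (last cleared 00:04:31 ago):
    Successfully sent:         317                   (25360 bytes)
"""

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)"
)
ENCRYPT_RE = re.compile(r"#pkts encrypt:\s*(\d+)")
SENT_RE = re.compile(r"Successfully sent:\s*(\d+)")


def parse_ipsec_sas(text):
    """Return one dict per SA block: local/remote (addr, mask) and the encrypt counter."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, _proto, _port = m.groups()
            cur[side] = (addr, mask)
            continue
        m = ENCRYPT_RE.search(line)
        if m and "local" in cur and "remote" in cur:
            cur["encrypt"] = int(m.group(1))
            sas.append(cur)
            cur = {}
    return sas


def exporter_sent(text):
    """Packets the flow exporter believes it handed off successfully."""
    m = SENT_RE.search(text)
    return int(m.group(1)) if m else 0


def diagnose(sa_text, exporter_text, src, dst):
    """Correlate exporter sends with the encrypt counter of the src->dst host SA."""
    sent = exporter_sent(exporter_text)
    match = [sa for sa in parse_ipsec_sas(sa_text)
             if sa["local"][0] == src and sa["remote"][0] == dst]
    if not match:
        return f"no SA for {src} -> {dst}: crypto ACL not matching or tunnel not up"
    encrypted = match[0]["encrypt"]
    if sent > 0 and encrypted == 0:
        # Locally generated export packets skipped the crypto map: the thread's symptom.
        return (f"exporter sent {sent} packets but SA encrypted 0: "
                "export bypasses crypto map (check output-features)")
    if sent > 0:
        return f"exporter sent {sent}, SA encrypted {encrypted}: export traffic is entering the tunnel"
    return "exporter has sent nothing yet: no flows to export or exporter not attached to a monitor"


if __name__ == "__main__":
    print(diagnose(SHOW_CRYPTO_IPSEC_SA, SHOW_FLOW_EXPORTER_STATS, "172.18.244.1", "10.11.1.61"))
```

Run it against the two command outputs captured from the router (or paste them into the constants); a verdict of "export bypasses crypto map" with a non-zero send count is the fingerprint of a Flexible NetFlow exporter that is missing `output-features`, whereas "no SA" usually means the narrowed crypto ACL does not match the exporter's source address.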
11-01-2010 10:26 AM
Hi,
Could you add "output-features" under the flow exporter configuration and try again?
Thanks,
Wen
11-01-2010 11:17 AM
Adding output-features seems to have done the trick. The tunnel comes up automatically since Netflow traffic is actually passing. Now I need to figure out the other end. Thanks for your help.