Having issues while trying to export Netflow data over IPsec?
Here are some quick checks and the resolution to our issue.
Consider the following set-up:
Router ---- ip sec tunnel---ASA--- collector
Some common issues we notice are as follows:
1. The collector seems to work fine when connected on the same subnet as that of the router, but not across the ASA.
2. If there is no IPsec involved, the collector obtains data with the exact same configuration; however, when we try exporting over IPsec we have issues.
Quick checks to be made before we proceed
1. Is the collector pingable from the router?
2. Does the collector support the version of Netflow we are trying to configure?
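To make the two checks above concrete on the collector side, the following is an added example (not part of the original post, and not a Cisco tool): a small UDP listener that binds to the export port and parses the NetFlow v5 or v9 header of whatever arrives. If nothing arrives across the ASA/IPsec path while the same listener sees packets on the local subnet, the problem is on the path; if packets arrive but the version field is not what the collector supports, the problem is the Netflow version. The port 9996 matches the sample configuration below; the sample datagram headers embedded in the script are constructed for the test, not real captures.

```python
import socket
import struct
from typing import Dict, Optional

# Constructed sample export headers for offline testing (not real captures).
# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
#                    flow_sequence, engine_type, engine_id, sampling_interval
SAMPLE_V5 = struct.pack("!HHIIIIBBH", 5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)
# NetFlow v9 header: version, count, sys_uptime, unix_secs, sequence, source_id
SAMPLE_V9 = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 7, 256)


def parse_netflow_header(payload: bytes) -> Optional[Dict[str, int]]:
    """Parse the header of a NetFlow v5 or v9 export datagram.

    Returns the header fields as a dict, or None when the payload is too
    short or carries a version this helper does not understand. Only the
    header is decoded; the flow records that follow are not interpreted.
    """
    if len(payload) < 4:
        return None
    version, count = struct.unpack("!HH", payload[:4])
    if version == 5:
        if len(payload) < 24:
            return None
        (_, _, sys_uptime, unix_secs, _unix_nsecs, flow_sequence,
         engine_type, engine_id, _sampling) = struct.unpack("!HHIIIIBBH", payload[:24])
        return {
            "version": 5,
            "count": count,
            "sys_uptime_ms": sys_uptime,
            "unix_secs": unix_secs,
            "flow_sequence": flow_sequence,
            "engine_type": engine_type,
            "engine_id": engine_id,
        }
    if version == 9:
        if len(payload) < 20:
            return None
        _, _, sys_uptime, unix_secs, sequence, source_id = struct.unpack("!HHIIII", payload[:20])
        return {
            "version": 9,
            "count": count,
            "sys_uptime_ms": sys_uptime,
            "unix_secs": unix_secs,
            "sequence": sequence,
            "source_id": source_id,
        }
    return None


def listen(port: int = 9996, max_packets: int = 5, timeout: float = 30.0) -> int:
    """Bind to the export port on the collector host and report what arrives.

    Returns the number of datagrams seen before max_packets or the timeout
    is reached, so the caller can tell "nothing arrived" from "arrived but
    wrong version".
    """
    seen = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        while seen < max_packets:
            try:
                payload, (src_ip, src_port) = sock.recvfrom(65535)
            except socket.timeout:
                print(f"no export packets received on udp/{port} within {timeout:.0f}s")
                break
            seen += 1
            header = parse_netflow_header(payload)
            if header is None:
                print(f"{src_ip}:{src_port} -> {len(payload)} bytes, not a v5/v9 header")
            else:
                print(f"{src_ip}:{src_port} -> NetFlow v{header['version']}, "
                      f"{header['count']} record(s)/set(s), {len(payload)} bytes")
    return seen


if __name__ == "__main__":
    listen()
```

Run the script on the collector host (with the real collector stopped, since only one process can own the UDP port) while flows are active on the monitored interface; a source address that is not the router's expected exporter address usually points at the source interface in the flow exporter configuration.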
Now let’s take this step by step.
1. We might need to configure Flexible Netflow (FNF) to support the export of data over IPsec. If we have GRE with IPsec then we may be able to use traditional Netflow as well, as that case is resolved by CSCte87809; however, if we have a plain IPsec tunnel we need to configure FNF as follows.
Here is a sample configuration for FNF
Here are the commands:-
flow exporter FlowExporter1
 destination <ip address>
 source <interface>
 transport udp 9996
 ! required so that the export packets are run through encryption (see step 3)
 output-features
!
flow monitor FlowMonitor1
 record netflow ipv4 original-input
 ! the monitor must reference the exporter, otherwise nothing is exported
 exporter FlowExporter1
 cache timeout active 1
!
interface FastEthernet0/0
 ip flow monitor FlowMonitor1 input
*Change the source interface, destination, Netflow version and transport UDP port as required.
I have taken fa 0/0 as the example interface.
2. Check the IOS version we are running.
CSCsk25481 :- Flexible Netflow export packets not encrypted.
IOS versions affected by the above bug will not export Netflow data over IPsec, and this applies to both traditional Netflow and Flexible Netflow configurations. The bug has been fixed in IOS versions 12.4(20)T, 15.0(1)M, 15.1(1)T and onwards in each train.
3. It is very important that we make sure we have the “output-features” command under the FlowExporter1 configuration.
Note:- To enable sending Flexible NetFlow export packets using quality of service (QoS) or encryption, use the output-features command in Flexible NetFlow flow exporter configuration mode. To disable sending export packets using QoS or encryption, use the no form of this command.
If the router has the output feature quality of service (QoS) or encryption configured, the output-features command causes the output features to be run on Flexible NetFlow export packets.
Use the following commands to verify that Flexible Netflow is working:
show running-config flow monitor
show flow interface type number
show flow monitor name monitor-name cache format record
show flow monitor name monitor-name1 cache format table
show flow exporter exporter-name
show running-config flow exporter exporter-name
(Note:- “show ip flow export” will not show us the relevant data when we have Flexible Netflow configured.)
Here is a small flowchart representation relating traditional Netflow to Flexible Netflow, for those who may be more comfortable with TNF. (Image: flowchart mapping traditional Netflow commands to their Flexible Netflow equivalents.)
Note: In some versions of Cisco IOS Software the "ip flow ingress" is the equivalent command for "ip route-cache flow."