Showing results for 
Search instead for 
Did you mean: 

IPSec and Netflow Export Interoperability on IOS Routers



With Netflow enabled on an IOS router that also has IPSec configured, there is a known issue where the Netflow export packets to the collector may not get encrypted on the sending IPSec endpoint, even though the flow matches the IPSec encryption policy configured. For example:

RouterB#show crypto session

Crypto session current status

Interface: Ethernet0/0

Profile: test

Session status: UP-ACTIVE    

Peer: port 500

  IKE SA: local remote Active

  IPSEC FLOW: permit ip

        Active SAs: 2, origin: crypto map

RouterB#sh ip flow export
Flow export v1 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1) (Ethernet0/0)
    Destination(1) (9999)
  Version 1 flow records
  23 flows exported in 20 udp datagrams

The symptom of the problem can be observed on the receiving IPSec endpoint, where messages like this can be observed indicating the received packet is not encrypted but it should be:


*Oct  8 17:42:37.083: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /, src_addr=, prot= 17

The problem is a day-one limitation with IOS, where the flow export packets are not subject to the feature processing (eg., IPSec) on the egress interface. This problem is documented with Cisco bug id CSCsk25481 Flexible Netflow export packets not encrypted.


This limitation has since been addressed in IOS 12.4(20)T and later, although in order for this to work, one must use Flexible Netflow instead of legacy Netflow with the output-features command enabled. Here's an exmple below:

flow exporter test-flow


source FastEthernet0/0


transport udp 9999


flow monitor test-flow

record netflow-original

exporter test-flow


interface FastEthernet0/0

ip flow monitor test-flow output


Once Flexible Netflow is enabled, one can use show flow exporter statistics and show crypto ipsec sa output to verify Netflow exporter and encryption operations.

Recognize Your Peers
Content for Community-Ad