With Netflow enabled on an IOS router that also has IPSec configured, there is a known issue where the Netflow export packets sent to the collector may not get encrypted on the sending IPSec endpoint, even though the flow matches the configured IPSec encryption policy. For example:
RouterB#show crypto session
Crypto session current status
Session status: UP-ACTIVE
Peer: 10.1.1.1 port 500
IKE SA: local 126.96.36.199/500 remote 10.1.1.1/500 Active
IPSEC FLOW: permit ip 188.8.131.52/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: crypto map

RouterB#sh ip flow export
Flow export v1 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 184.108.40.206 (Ethernet0/0)
Destination(1) 192.168.1.10 (9999)
Version 1 flow records
23 flows exported in 20 udp datagrams
The symptom can be observed on the receiving IPSec endpoint, where a message like the following indicates that a received packet is not encrypted although it should be:
*Oct 8 17:42:37.083: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.1.10, src_addr= 220.127.116.11, prot= 17
The problem is a day-one limitation of IOS: the flow export packets are not subject to feature processing (e.g., IPSec) on the egress interface. This problem is documented under Cisco bug id CSCsk25481, "Flexible Netflow export packets not encrypted".
This limitation has since been addressed in IOS 12.4(20)T and later, although for the fix to take effect one must use Flexible Netflow instead of legacy Netflow, with the output-features command enabled on the flow exporter. Here's an example:
flow exporter test-flow
 destination 192.168.1.10
 transport udp 9999
 output-features
flow monitor test-flow
 exporter test-flow
 record netflow ipv4 original-input
interface Ethernet0/0
 ip flow monitor test-flow output
Once Flexible Netflow is enabled, use show flow exporter statistics and show crypto ipsec sa to verify that export packets are being sent by the exporter and that they are being encrypted by IPSec.
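The %CRYPTO-4-RECVD_PKT_NOT_IPSEC message quoted above is the only evidence the receiving peer gives of this problem, so it is worth watching for in syslog. The following is an added example, not code from the original post or from Cisco: it parses that message format, and flags events whose destination is the Netflow collector (192.168.1.10 from the show ip flow export output) carried over UDP (prot= 17), which is the signature of a cleartext flow export. The syslog lines embedded in it are constructed for the example (the first one is the line from the post); the VRF handling and the unrelated-message case go beyond what the post shows.

```python
"""Detect cleartext Netflow export reported by the receiving IPSec peer.

Added example (not from the original post or from Cisco). It assumes the
%CRYPTO-4-RECVD_PKT_NOT_IPSEC message format quoted in the post; the collector
address comes from the post's 'show ip flow export' output and the syslog
sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 'vrf/dest_addr= /x.x.x.x': an empty VRF name before the slash means the
# global routing table; a named VRF would appear before the slash.
NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: .*?"
    r"vrf/dest_addr=\s*(?P<vrf>[^/,\s]*)/(?P<dst>\d+\.\d+\.\d+\.\d+),"
    r"\s*src_addr=\s*(?P<src>\d+\.\d+\.\d+\.\d+),"
    r"\s*prot=\s*(?P<prot>\d+)"
)


@dataclass(frozen=True)
class NotIpsecEvent:
    vrf: str   # "" for the global table
    dst: str
    src: str
    prot: int  # IP protocol number; 17 is UDP


def parse_not_ipsec(line: str) -> Optional[NotIpsecEvent]:
    """Parse one syslog line; return None if it is not a RECVD_PKT_NOT_IPSEC message."""
    m = NOT_IPSEC_RE.search(line)
    if not m:
        return None
    return NotIpsecEvent(m.group("vrf"), m.group("dst"), m.group("src"), int(m.group("prot")))


def is_unencrypted_flow_export(event: NotIpsecEvent, collector_ip: str,
                               vrf: Optional[str] = "") -> bool:
    """True when the cleartext packet is UDP to the Netflow collector.

    The syslog message carries no UDP port, so the match is on collector
    address and protocol 17. vrf="" restricts to the global table (as in the
    post's 'VRF ID : Default'); vrf=None accepts any VRF.
    """
    if event.dst != collector_ip or event.prot != 17:
        return False
    return vrf is None or event.vrf == vrf


def scan_syslog(lines: List[str], collector_ip: str,
                vrf: Optional[str] = "") -> List[NotIpsecEvent]:
    """Return the events that look like cleartext Netflow export to the collector."""
    hits = []
    for line in lines:
        ev = parse_not_ipsec(line)
        if ev is not None and is_unencrypted_flow_export(ev, collector_ip, vrf):
            hits.append(ev)
    return hits


# Constructed sample: line 0 is the message from the post; line 1 is cleartext
# TCP to another host; line 2 is UDP to the collector but in a named VRF;
# line 3 is an unrelated syslog message.
SAMPLE_SYSLOG = [
    "*Oct 8 17:42:37.083: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= /192.168.1.10, src_addr= 220.127.116.11, prot= 17",
    "*Oct 8 17:42:38.001: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= /192.168.1.20, src_addr= 10.0.0.5, prot= 6",
    "*Oct 8 17:42:39.120: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
    "(ip) vrf/dest_addr= mgmt/192.168.1.10, src_addr= 10.0.0.5, prot= 17",
    "*Oct 8 17:42:40.000: %SYS-5-CONFIG_I: Configured from console by console",
]

COLLECTOR_IP = "192.168.1.10"  # from 'show ip flow export' in the post

if __name__ == "__main__":
    for ev in scan_syslog(SAMPLE_SYSLOG, COLLECTOR_IP):
        print(f"cleartext flow export: {ev.src} -> {ev.dst} (vrf={ev.vrf or 'global'})")
```

The src_addr in a hit should be compared with the export source shown by show ip flow export (or show flow exporter) on the sending router; a match confirms that it is the exporter's packets, rather than some other UDP traffic to the same host, that are leaving the tunnel endpoint unencrypted.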