05-08-2017 04:06 AM - edited 03-08-2019 10:29 AM
Hi all,
I'm no Cisco/network engineer, so I'm going on suspicion and wild speculation here, but I have an issue with an 887VA router I'm working on that is maybe to do with which VLAN a router elects as its default?
Basically on my router, I shutdown VLAN1 and create VLAN102.
I set up an IPsec VPN tunnel, sending all VLAN102 (subnet 10.11.102.0/24) traffic over the tunnel to a remote ASA (the hub) and all tests are spot on (hosts can see each other and interact).
If I ping from the router to networks at the hub, all is good.
If I enable netflow on the router (on VLAN102), with the collector being on the hub network, all is good - traffic flows come through perfect.
Now, I add VLAN192 to the router to deal with a legacy network at the spoke (no netflow needed). This traffic should not be included in the VPN traffic, as it's just local stuff (thus it isn't included in the VPN ACL).
My problem is that now netflow stops working. No netflow traffic appears to leave the router, despite all the netflow diagnostics looking fine.
I find that if I now ping from the router to a hub network, the pings fail UNLESS I specify which interface to ping from.
So, I am suspecting that my netflow has ceased working due to the same reason? I am guessing that VLAN192 somehow became a 'default' VLAN/interface for the router, so it's trying to send netflow traffic out over this interface. VLAN192 must be interfering in some way anyway.
My netflow setup is along the lines of:
ip flow-export destination 10.11.1.226 2055
ip flow-export version 9
ip flow-export source Dialer1
ip flow-cache timeout active 5
!
interface vlan102
 ip flow ingress
 ip flow egress
I have managed to resolve the issue for now, by using netflow monitor config, but it's still bugging me.
I was hoping someone could shed some light on why the extra VLAN broke the original netflow config, and if there's a simpler solution than using netflow monitors (by somehow globally changing the default VLAN the router uses)?
Thank you!
EJ
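For reference, this is what a Flexible NetFlow ("netflow monitor") configuration of the kind EJ mentions as the workaround would look like. It is an added example, not EJ's actual config: the exporter, record and monitor names are made up, the collector address and port are taken from the thread, and sourcing the exporter from Vlan102 (so the export packets carry a 10.11.102.0/24 source address) assumes that the collector 10.11.1.226 is covered by the VPN-TRAFFIC ACL.

```cisco
! Added example (not the original poster's config).
! Exporter: where the records go and, crucially, which address they are sent FROM.
! The source interface decides the source IP of the UDP 2055 packets, which is what
! the crypto map's match ACL sees - if that address is not in VPN-TRAFFIC the
! export traffic is never encrypted and simply leaves unencrypted via the default route.
flow exporter HQ-COLLECTOR
 destination 10.11.1.226
 source Vlan102
 transport udp 2055
 export-protocol netflow-v9
!
! Record: the key fields and counters to collect (assumed minimal 5-tuple record).
flow record LAN-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
!
! Monitor: ties the record to the exporter; cache timeout in seconds.
flow monitor LAN-MONITOR
 record LAN-RECORD
 exporter HQ-COLLECTOR
 cache timeout active 60
!
! Apply only to the VLAN that should be measured; VLAN192 is left alone.
interface Vlan102
 ip flow monitor LAN-MONITOR input
 ip flow monitor LAN-MONITOR output
```

To check it is actually exporting rather than just caching, `show flow exporter statistics` shows the export packet/byte counters per exporter, `show flow monitor LAN-MONITOR cache` shows what is in the cache, and the encaps/decaps counters in `show crypto ipsec sa` should climb in step with the exporter counters if the export packets really are going through the tunnel.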
05-08-2017 05:09 AM
Are there any routes via VLAN192 (such as a default route, static route, dynamic route) or is it purely just a connected route?
Is this just a simple crypto map based IPSec VPN? Or something else, like VTI, GRE over IPSec, etc?
05-08-2017 05:57 AM
Hi Philip,
Thank you for your response.
The only route configured on the router is:
ip route 0.0.0.0 0.0.0.0 Dialer1
As regards the crypto map, I would imagine it's your first guess, that it's a straightforward IPSec VPN. A snippet of the relevant config:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxxx address 81.128.123.123
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer 81.128.123.123
set transform-set TS
match address VPN-TRAFFIC
Cheers :)