Disabling NetFlow causes DNS to stop working

rrriip001
Level 1

Hello!

I have a 2811 doing dNAT and not much else. I was playing around with NetFlow data exporting, when a very confusing issue arose.

Initially, both interfaces had ip route-cache flow configured, and everything worked fine. Then I switched to ip flow ingress, which AFAIK is the same command on newer IOS releases.

Now, if I turn inbound NetFlow off on LAN interface with no ip flow ingress, all DNS traffic from LAN to WAN stops coming through.

This is very confusing, since the Cisco command reference describes the ip flow commands as commands for collecting data, not actually doing any switching, and ip route-cache flow is called deprecated and substituted by ip flow ingress.

I'd like to disable ingress netflow in favor of egress, but can't do that, since DNS service is of course mandatory. Even if that's not possible, I would very much like to know what's going on.

Any suggestions are greatly appreciated!

The config:

Current configuration : 2231 bytes
!
! Last configuration change at 00:19:29 UTC+4 Thu Aug 15 2013 by ***
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ***
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone UTC+4 4
ip subnet-zero
!
!
ip cef
!
!
ip flow-cache timeout active 3
!
username *** privilege 15 secret **********************
!
!
!
interface FastEthernet0/0
 description RoSNet
 ip address 217.171.15.*** 255.255.255.240 secondary
 ip address 217.171.15.*** 255.255.255.240
 ip flow ingress
 ip flow egress
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 101 in
 ip flow ingress
 ip flow egress
 ip nat inside
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 217.171.15.***
ip route 192.168.2.0 255.255.255.0 192.168.0.242
ip flow-export version 9
ip flow-export destination 192.168.0.43 9996
!
no ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.129 *** 217.171.15.*** *** extendable
ip nat inside source static tcp 192.168.0.130 *** 217.171.15.*** *** extendable
ip nat inside source static tcp 192.168.0.131 *** 217.171.15.*** *** extendable
ip nat inside source static tcp 192.168.0.134 *** 217.171.15.*** *** extendable
ip nat inside source static tcp 192.168.0.135 *** 217.171.15.*** *** extendable
ip nat inside source static tcp 192.168.0.250 *** 217.171.15.*** *** extendable
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 12 permit 192.168.0.0 0.0.0.255
access-list 12 deny   any
access-list 101 permit ip any any
snmp-server group snmpsec v2c access 12
snmp-server community public RO 12
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 12 in
 privilege level 15
 transport input telnet
line vty 5 15
 access-class 12 in
 privilege level 15
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17180328
ntp server 192.168.0.252
!
end
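The posted configuration lends itself to a quick scripted audit. The Python script below is an added example, not code from the thread or from Cisco: it parses an IOS running-config into top-level lines and indented sections, flags the exact combination this thread is about (ip cef enabled, an interface with ip nat inside, and no ip flow ingress on that interface), and also flags a few hardening gaps that are visible in the same config (no service password-encryption, the default SNMP community, Telnet on the VTY lines, and a permit-any ACL applied as an inbound filter). The embedded config is a constructed, trimmed copy of the one above, with the poster's masked values replaced by a documentation-range placeholder address and with ip flow ingress already removed from the LAN interface so the check fires.

```python
"""Audit an IOS running-config for the NetFlow/NAT/CEF combination discussed
in the thread, plus a few hardening gaps visible in the same config.
Added example; the sample config below is constructed from the posted one."""
import re
from typing import Dict, List, Tuple

# Constructed sample: trimmed copy of the posted config. 203.0.113.2 is a
# documentation-range placeholder for the masked public address, and
# 'ip flow ingress' has been removed from Fa0/1 to reproduce the failing state.
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
ip cef
ip flow-cache timeout active 3
interface FastEthernet0/0
 description RoSNet
 ip address 203.0.113.2 255.255.255.240
 ip flow ingress
 ip flow egress
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 101 in
 ip flow egress
 ip nat inside
!
ip flow-export version 9
ip flow-export destination 192.168.0.43 9996
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip any any
snmp-server community public RO 12
line vty 0 4
 access-class 12 in
 transport input telnet
!
end
"""

Finding = Tuple[str, str]  # (check id, subject)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into its top-level lines and the indented body of
    each section (interface ..., line vty ..., ...). A '!' or blank line ends
    the current section, as it does in 'show running-config' output."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None
            continue
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        sections.setdefault(current, [])
    return top, sections


def audit(text: str) -> List[Finding]:
    """Return the list of findings for one config text."""
    top, sections = parse_config(text)
    findings: List[Finding] = []
    cef_on = "ip cef" in top and "no ip cef" not in top

    # ACLs that are both applied on an interface and 'permit ip any any':
    # the filter is a no-op and gives a false sense of inbound control.
    applied = set()
    for hdr, body in sections.items():
        if hdr.startswith("interface "):
            for cmd in body:
                m = re.match(r"ip access-group (\S+) (in|out)$", cmd)
                if m:
                    applied.add(m.group(1))
    permit_any = {l.split()[1] for l in top
                  if re.match(r"access-list \S+ permit ip any any$", l)}
    for acl in sorted(applied & permit_any):
        findings.append(("permit-any-acl-applied", acl))

    for hdr, body in sections.items():
        if hdr.startswith("interface "):
            name = hdr.split(None, 1)[1]
            # The combination the thread reports as breaking DNS through NAT.
            if cef_on and "ip nat inside" in body and "ip flow ingress" not in body:
                findings.append(("nat-inside-cef-no-flow-ingress", name))
        elif hdr.startswith("line vty") and "transport input telnet" in body:
            findings.append(("telnet-vty", hdr))  # cleartext management access

    if "no service password-encryption" in top:
        findings.append(("cleartext-passwords", "global"))
    for l in top:
        m = re.match(r"snmp-server community (\S+) ", l)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("default-snmp-community", m.group(1)))
    return findings


if __name__ == "__main__":
    for check, subject in audit(SAMPLE_CONFIG):
        print(f"{check}: {subject}")
```

Feeding the script a config where ip flow ingress is restored on the ip nat inside interface (or where ip cef is disabled, as the follow-up post reports) clears the first finding; the remaining findings are independent of the NetFlow question and are worth fixing regardless.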

4 Replies 4

rrriip001
Level 1

As an update, everything works fine with

no ip cef
...
interface fa0/1
 no ip flow ingress

So looks like CEF doesn't work right without ip flow ingress (route-cache flow) on the LAN interface. However, nowhere in the documentation was I able to find anything about CEF depending on inbound ip flow being enabled.

To sum up (all flow config shown for LAN interface):

ip cef & ip flow ingress : good

ip cef & no ip flow ingress : no DNS traffic

no ip cef & no ip flow ingress : good

no ip cef & ip flow ingress : good

Any ideas what's causing the trouble?

Hi Va Tu,

That doesn't seem to be right. NetFlow needs CEF to be turned on, but CEF doesn't require NetFlow to be on. Does it only affect DNS traffic when you have CEF on and NetFlow off? What's the IOS version on the router?

HTH,

Lei Tian

Thank you for the reply.

It seems to be just DNS, but I can't be sure - no time to test this on a production system. Pings to internet IPs work.

For instance, manually setting 8.8.8.8 DNS on a machine behind the NAT doesn't work, but ping 8.8.8.8 works fine.

Version seems to be one of the older mainline 12.4 releases.

***#sho ver
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3i), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 28-Nov-07 21:09 by stshen
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

I wonder if doing a no ip flow ingress on the WAN interface has any adverse effects. I've been testing it for a day and found none yet.

If it's just a weird bug of an old IOS release, I guess we'll never know.

Hi Va Tu,

I met a very similar problem. I'm using a Cisco 2801 with IOS version 12.4, details as below:

Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)

In my case all the PAT clients lost DNS when NetFlow is enabled with CEF.

Hope a Cisco expert can help us figure out what the problem is.
