Does the router encrypt packets that it generates itself, like NetFlow packets?

g.eleftheriou
Level 1

Hi people,

I have a leased line and a crypto map that encrypts all TCP and UDP traffic.

However, on the remote router I get the following error:

.Jan 11 12:49:42.628: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /B.B.B.B, src_addr= A.A.A.A, prot= 17

where B.B.B.B is the NetFlow server on the remote LAN and A.A.A.A is the LAN interface (fast0/0) of the 2811 router, which is one of the crypto endpoints.

My crypto access-list on both routers is:

    ip access-list extended acl_ipsec
     deny eigrp any any
     deny icmp any any
     permit tcp any any
     permit udp any any

Any ideas why the NetFlow packets do not get encrypted?
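As an added example (not from the original thread or from Cisco), the script below parses the %CRYPTO-4-RECVD_PKT_NOT_IPSEC line and evaluates the reported packet against the receiving router's crypto ACL the way IOS does for a clear-text packet: the crypto ACL on the receiver is the mirror of the sender's, so the packet's destination is matched against the ACL's source field and its source against the destination field. A clear-text packet the ACL permits is one the router expected inside IPsec, which is exactly what the warning reports. The addresses (10.0.0.1 for A.A.A.A, 192.168.20.5 for B.B.B.B, 203.0.113.2 as a hypothetical WAN-sourced variant), the second log line and the subnet-specific ACL are constructed for the example; the parser handles protocol, `any`, `host` and network/wildcard specs but not port qualifiers.

```python
"""Check an IOS %CRYPTO-4-RECVD_PKT_NOT_IPSEC message against a crypto ACL.

Added example, not from the original thread. A.A.A.A / B.B.B.B from the post
are replaced with constructed placeholder addresses.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the message from the post joined onto one line, with
# 10.0.0.1 standing in for A.A.A.A (2811 LAN) and 192.168.20.5 for B.B.B.B.
SAMPLE_LOG = (
    ".Jan 11 12:49:42.628: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an "
    "IPSEC packet. (ip) vrf/dest_addr= /192.168.20.5, src_addr= 10.0.0.1, prot= 17"
)
# Constructed: the same message sourced from a hypothetical WAN address that is
# outside both LAN subnets.
WAN_SOURCED_LOG = SAMPLE_LOG.replace("src_addr= 10.0.0.1", "src_addr= 203.0.113.2")

# The poster's crypto ACL in named-ACL configuration form (same on both ends).
OP_ACL = """
ip access-list extended acl_ipsec
 deny eigrp any any
 deny icmp any any
 permit tcp any any
 permit udp any any
"""
# Hypothetical subnet-specific variant of the kind the reply suggests, written
# as it would appear on the remote (192.168.20.0/24) router.
SPECIFIC_ACL = """
ip access-list extended acl_ipsec
 permit tcp 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit udp 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

LOG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?"
    r"dest_addr= (?P<vrf>[^/\s]*)/(?P<dst>\d+\.\d+\.\d+\.\d+), "
    r"src_addr= (?P<src>\d+\.\d+\.\d+\.\d+), prot= (?P<proto>\d+)"
)

# IP protocol numbers for the keywords used in the ACLs above ("ip" = any).
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88}


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # keyword as written in IOS
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A wildcard); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard bits are an inverted mask; ipaddress accepts a hostmask string.
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst>' lines; port qualifiers are not handled."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # blank line or the 'ip access-list extended ...' header
        src, rest = _take_addr(parts[2:])
        dst, _ = _take_addr(rest)
        entries.append(AclEntry(parts[0], parts[1], src, dst))
    return entries


def acl_action(entries, proto, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        want = PROTO_NUMBERS[e.proto]
        if want is not None and want != proto:
            continue
        if src_ip in e.src and dst_ip in e.dst:
            return e.action
    return "deny"


def explain(log_line, receiver_acl_text):
    """Parse the syslog line and report how the receiving router's crypto ACL classified it."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    proto = int(m["proto"])
    # Mirror match: inbound packet's dst is the receiver's "source" side of the ACL.
    action = acl_action(parse_acl(receiver_acl_text), proto, src=m["dst"], dst=m["src"])
    return {"src": m["src"], "dst": m["dst"], "proto": proto,
            "crypto_acl_action": action, "expected_encrypted": action == "permit"}


if __name__ == "__main__":
    for name, acl in (("any-any ACL", OP_ACL), ("subnet-specific ACL", SPECIFIC_ACL)):
        for line in (SAMPLE_LOG, WAN_SOURCED_LOG):
            print(name, explain(line, acl))
```

With the poster's `permit udp any any` on the remote end, the UDP export from the 2811's LAN address is classified as traffic that should have arrived inside IPsec, so the clear-text copy triggers the warning; the same holds for a subnet-specific ACL as long as the source address sits inside a listed subnet, while a packet sourced from an address outside those subnets is simply not subject to the crypto map and produces no such message.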

2 Replies

sean_evershed
Level 7

Hi,

Are you sure that the crypto ACLs are reflective on both ends of the tunnel?

The reference below also warns against using "any any" statements in your crypto ACL.

I suggest making it more specific based on the actual subnets that you want to encrypt.

See below a useful reference:

https://supportforums.cisco.com/docs/DOC-3047

Please rate all posts that are helpful.

The access-list is the same on both routers, and thus, if you notice, it's reflective.

It's not a routing problem.

The ACL is only used once.

Why would the "any any" be a problem?

I have lots of networks on the hub side, and creating too many entries in an access list would create a ton of SAs. So it would not be a good idea.

Personally, I think it's a bug.

Any other suggestions?
