Does the router encrypt packets that it generates itself, like NetFlow packets?

g.eleftheriou
Level 1

Hi people,

I have a leased line and a crypto map that encrypts all TCP and UDP traffic.

However, on the remote router I get the following error:

.Jan 11 12:49:42.628: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /B.B.B.B, src_addr= A.A.A.A, prot= 17

where B.B.B.B is the NetFlow server on the remote LAN and A.A.A.A is the LAN interface (fast0/0) of the 2811 router, which is one of the crypto endpoints.

My crypto access-list on both routers is:

        Extended IP access list acl_ipsec
            access-list acl_ipsec deny eigrp any any
            access-list acl_ipsec deny icmp any any
            access-list acl_ipsec permit tcp any any
            access-list acl_ipsec permit udp any any

Any ideas why NetFlow packets do not get encrypted?

2 Replies

sean_evershed
Level 7

Hi,

Are you sure that the crypto ACLs are reflective on both ends of the tunnel?

It also warns against using "any any" statements in your crypto ACL.

I suggest making it more specific based on the actual subnets that you want to encrypt.

See below a useful reference:

https://supportforums.cisco.com/docs/DOC-3047

Please rate all posts that are helpful.

The access-list is the same on both routers, and so, as you'll notice, it's reflective.

It's not a routing problem.

The ACL is only used once.

Why would the "any any" be a problem?

I have lots of networks on the hub side, and creating too many entries in an access list would create a ton of SAs. So it would not be a good idea.

Personally, I think it's a bug.

Any other suggestions?
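Added example, not from the thread or from Cisco: a small Python check that parses a %CRYPTO-4-RECVD_PKT_NOT_IPSEC message, evaluates the flow it reports against the crypto ACL quoted above, and tests whether two peers' crypto ACLs are mirror images of each other (the "reflective" property raised in the first reply). The addresses 192.0.2.10 and 198.51.100.20 are constructed stand-ins for A.A.A.A and B.B.B.B; the ACL parser is an assumption that handles only the any / host / address-wildcard forms, first match wins, and an implicit deny means "send in the clear".

```python
"""Check a %CRYPTO-4-RECVD_PKT_NOT_IPSEC syslog line against a crypto ACL.

Illustrative code for the forum thread above; not a Cisco tool.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# IP protocol numbers for the keywords used in the thread's ACL.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88}

# Constructed sample log line: 198.51.100.20 stands in for B.B.B.B
# (the NetFlow server), 192.0.2.10 for A.A.A.A (the 2811's LAN interface).
SAMPLE_LOG = (".Jan 11 12:49:42.628: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet "
              "not an IPSEC packet. (ip) vrf/dest_addr= /198.51.100.20, "
              "src_addr= 192.0.2.10, prot= 17")

# The crypto ACL as posted in the thread (identical on both routers).
CRYPTO_ACL = """
Extended IP access list acl_ipsec
    access-list acl_ipsec deny eigrp any any
    access-list acl_ipsec deny icmp any any
    access-list acl_ipsec permit tcp any any
    access-list acl_ipsec permit udp any any
"""

LOG_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*(?:\S*/)?([\d.]+),"
                    r"\s*src_addr=\s*([\d.]+),\s*prot=\s*(\d+)")


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" (encrypt) or "deny" (leave in the clear)
    proto: str    # protocol keyword or number as written in the ACL
    src: tuple    # address spec as returned by _parse_addr
    dst: tuple


def _parse_addr(tokens):
    """Consume one address spec from tokens; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return ("host", int(ip_address(tokens[1]))), tokens[2:]
    # "address wildcard" form: a wildcard bit set to 1 means "don't care"
    return ("wild", (int(ip_address(tokens[0])), int(ip_address(tokens[1])))), tokens[2:]


def _addr_matches(spec, addr):
    kind, val = spec
    a = int(ip_address(addr))
    if kind == "any":
        return True
    if kind == "host":
        return a == val
    base, wild = val
    care = ~wild & 0xFFFFFFFF
    return (a & care) == (base & care)


def _proto_num(name):
    return int(name) if name.isdigit() else PROTO_NUMBERS[name]


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST' lines; skip headers."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append(Ace(tokens[2], tokens[3], src, dst))
    return entries


def classify(acl, proto_num, src, dst):
    """First-match evaluation of a flow; no match is an implicit deny (cleartext)."""
    for ace in acl:
        if _proto_num(ace.proto) != proto_num:
            continue
        if _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst):
            return ace.action
    return "deny"


def is_mirror(acl_a, acl_b):
    """Peers' crypto ACLs must be the same entries with src and dst swapped."""
    return [(e.action, e.proto, e.dst, e.src) for e in acl_a] == \
           [(e.action, e.proto, e.src, e.dst) for e in acl_b]


def diagnose(log_line, local_acl_text):
    """Return the flow from the log line and whether the local ACL expected IPsec for it."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    dst, src, proto = m.group(1), m.group(2), int(m.group(3))
    verdict = classify(parse_acl(local_acl_text), proto, src, dst)
    return {"src": src, "dst": dst, "proto": proto,
            "crypto_acl_action": verdict, "expected_ipsec": verdict == "permit"}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, CRYPTO_ACL))
```

With the thread's ACL, the reported UDP flow hits "permit udp any any", so the receiving peer was right to expect IPsec for it; the message therefore says the sending side did not apply the crypto map to that flow, which is the behaviour the original poster is asking about.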