10-06-2010 04:26 AM - edited 02-21-2020 04:53 PM
Hello community,
We are running GETVPN on our branches and the need arose to figure out what traffic is running from branch to main site. So, I thought of enabling NBAR and using ManageEngine NetFlow Analyzer to graphically represent the traffic. My problem is that the router never gets managed by the NetFlow Analyzer, and on the main site I get the message:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.130.21.62, src_addr= 192.168.1.250, prot= 17
(where 10.130.21.62 is my NetFlow Analyzer and 192.168.1.250 is the router's loopback).
I am using "ip flow-export source Loopback0" to export traffic.
So my question is:
Is traffic originating from the router itself not encrypted? Is this what is causing my problem?
I will also try to see what happens if I change the flow-export source to a physical interface...
Any insight on how to solve this problem will be highly appreciated.
Thanks in advance,
Katerina
10-06-2010 06:40 AM
Hi,
This is a known problem with Netflow and IPSec, you can find more info about this limitation here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk25481. It's been addressed in IOS version 12.4(20)T and later, and you must use flexible netflow (as opposed to legacy netflow) to make it work. Hope this helps.
Thanks,
Wen
10-07-2010 02:21 AM
Hello Wen and thanks for your reply.
Unfortunately I do not have access to the link you recommended. I will try to use flexible netflow and let you know!
Thanks,
Katerina
10-07-2010 02:35 AM
Hello Wen,
I tried the following config:
flow exporter export-to-NetflowAnalyzer
 destination 10.130.21.62
 source Loopback0
 transport udp 9996
 template data timeout 60
!
!
flow monitor flow-monitor
 record netflow-original
 exporter export-to-NetflowAnalyzer
 cache timeout active 60
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.250.1 255.255.255.0
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output
 duplex auto
 speed auto
But I seem to get the same error message on the other router:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.130.21.62, src_addr= 192.168.1.250, prot= 17
We are running c2801-adventerprisek9-mz.124-24.T3.bin on the routers. I read in the following link "http://www.networkworld.com/community/node/48191" something about upgrading to IOS version 15.
Any comments?
10-07-2010 05:40 AM
Hi,
Yes, you'd need to have a CCO login in order to use the bug toolkit, but here is the bug description:
You don't really need 15.0 code to make this work, anything later than 12.4(20)T should do. What you need is the command "output-features" under the flow exporter configuration. Could you give it a try and let us know if that helps?
Thanks,
Wen
10-07-2010 11:00 PM
Hello,
The truth is I tried flexible NetFlow with encryption and it failed! Without encryption it works wonderfully. I will configure the "output-features" command as you suggested and let you know.
Thanks,
Katerina
10-08-2010 04:07 AM
Hello Wen,
The "output-features" command under the "flow exporter" config solved my problem.
Many many thanks for your help!
Katerina
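For reference, the exporter as Katerina posted it next to the same exporter with the line Wen identified, as an added example and not a configuration posted by either of them; the exporter name, destination, source and port are taken from the thread, and the show commands are assumed from the standard Flexible NetFlow and GETVPN CLI.

```text
! Before (as posted in the thread): export packets sourced from Loopback0
! are generated by the router itself and, on 12.4(24)T3, leave the WAN
! interface without going through the GETVPN output features, so the hub
! logs %CRYPTO-4-RECVD_PKT_NOT_IPSEC for src 192.168.1.250 prot 17 and
! drops them; the analyzer at 10.130.21.62 never sees the router.
flow exporter export-to-NetflowAnalyzer
 destination 10.130.21.62
 source Loopback0
 transport udp 9996
 template data timeout 60
!
! After: output-features sends the locally generated export packets
! through the egress interface output features, including the crypto
! map / GDOI encryption, so they reach the hub as IPsec and are accepted.
flow exporter export-to-NetflowAnalyzer
 destination 10.130.21.62
 source Loopback0
 transport udp 9996
 template data timeout 60
 output-features
!
! Checks on the branch router (assumed standard command names):
!   show flow exporter export-to-NetflowAnalyzer statistics
!   show crypto gdoi
! On the hub, the %CRYPTO-4-RECVD_PKT_NOT_IPSEC messages for the branch
! loopback should stop once the exporter is reconfigured.
```

The exporter statistics counter should increase while the hub-side log stays quiet; if the log messages continue, the export packets are still leaving in cleartext and the exporter configuration has not taken effect.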