GETVPN Group Member and Netflow

Daniel Anderson
Level 1

Hi,

We've recently migrated some remote sites on to new WAN links, and configured GETVPN on these remote Routers. Connectivity is working as expected, I'm just having issues in getting netflow working correctly. It appears that the spoke router is attempting to send the Netflow data, but when it's hitting the Hub Router, I'm seeing %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet within the logs.

Having seen some similar issues flagged, I've modified the Netflow configuration to replicate the below (which now includes the output-features command within the flow exporter), but the IPSEC-3-RECVD_PKT_NOT_IPSEC log messages still persist. The IPsec config is currently set so that the Netflow traffic should be encrypted.

flow exporter Test
 description Netflow export to Netflow-Server
 destination *.*.*.*
 source Loopback0
 output-features
 transport udp 2055
!
flow monitor Test
 record netflow-original
 exporter Test

Am I missing something within the configuration? The router in question is a Cisco 3845, running 15.1(4)M5.

TIA

2 Replies

Michal Garcarz
Cisco Employee

Hi Daniel,

Well-known feature - netflow was not supported with ipsec (netflow packets not encrypted even when hitting ipsec policy).

But for flexible netflow it works when you enable "output feature":

https://supportforums.cisco.com/docs/DOC-13452

---

Michal
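An added example, not part of the thread or of Cisco's documentation: a small audit that scans saved router configurations for flow exporters missing `output-features`, so their export packets would not be handed to the crypto policy. The exporter and monitor names other than `Test` and the 192.0.2.x addresses are constructed, and the parser assumes the one-space indentation that `show running-config` produces.

```python
import re

# Constructed sample config: exporter "Legacy" lacks output-features.
SAMPLE_CONFIG = """\
flow exporter Test
 destination 192.0.2.10
 source Loopback0
 output-features
 transport udp 2055
!
flow exporter Legacy
 destination 192.0.2.11
 transport udp 2055
!
flow monitor Test
 record netflow-original
 exporter Test
!
flow monitor Old
 record netflow-original
 exporter Legacy
!
"""

def parse_blocks(config, keyword):
    """Return {name: [sub-commands]} for top-level '<keyword> <name>' sections."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"%s (\S+)\s*$" % re.escape(keyword), line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line[:1].isspace() and line.strip() and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the section
    return blocks

def audit_exporters(config):
    """List exporters without output-features and the monitors that use them."""
    exporters = parse_blocks(config, "flow exporter")
    monitors = parse_blocks(config, "flow monitor")
    findings = []
    for name, cmds in sorted(exporters.items()):
        if "output-features" in cmds:
            continue
        used_by = sorted(m for m, mc in monitors.items() if "exporter " + name in mc)
        findings.append({"exporter": name, "monitors": used_by})
    return findings

if __name__ == "__main__":
    for finding in audit_exporters(SAMPLE_CONFIG):
        print("exporter %(exporter)s lacks output-features; used by %(monitors)s" % finding)
```
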

Daniel Anderson
Level 1

Thanks. From what I understand the config applied above does use Flexible Netflow, but the Router still doesn't seem to be encrypting the Netflow data when it sends it.

Am I missing something within the Netflow configuration?