01-24-2013 08:47 AM - edited 02-21-2020 06:39 PM
Hi,
We've recently migrated some remote sites on to new WAN links, and configured GETVPN on these remote Routers. Connectivity is working as expected, I'm just having issues in getting netflow working correctly. It appears that the spoke router is attempting to send the Netflow data, but when it's hitting the Hub Router, I'm seeing %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet within the logs.
Having seen some similar issues flagged, I've modified the Netflow configuration to replicate the below (which now includes the output features command within the flow exporter) but the IPSEC-3-RECVD_PKT_NOT_IPSEC log messages still persist. The ipsec config is currently set so that the Netflow traffic should be encrypted.
flow exporter Test
 description Netflow export to Netflow-Server
 destination *.*.*.*
 source Loopback0
 output-features
 transport udp 2055
!
flow monitor Test
 record netflow-original
 exporter Test
Am I missing something within the configuration? The router in question is a Cisco 3845, running 15.1(4)M5.
TIA
01-25-2013 09:18 AM
Hi Daniel,
Well-known feature - netflow was not supported with ipsec (netflow packets not encrypted even when hitting ipsec policy).
But for flexible netflow it works when you enable "output feature":
https://supportforums.cisco.com/docs/DOC-13452
---
Michal
01-30-2013 12:28 AM
Thanks. From what I understand the config applied above does use Flexible Netflow, but the Router still doesn't seem to be encrypting the Netflow data when it sends it.
Am I missing something within the Netflow configuration?
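Added example, not part of the original thread and not Cisco tooling: one way to confirm from the hub's syslog which spokes are still sending cleartext UDP toward the collector. It assumes the %IPSEC-3-RECVD_PKT_NOT_IPSEC message carries dest_addr, src_addr and prot fields in the layout shown; the addresses, names and log lines are constructed.

```python
import re
from collections import Counter

# Assumed layout: the thread shows only the mnemonic and the text
# "Rec'd packet not an IPSEC packet"; the address/protocol fields are assumed.
PATTERN = re.compile(
    r"%IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet"
    r"\W+dest_addr=\s*(?P<dst>[\d.]+),\s*src_addr=\s*(?P<src>[\d.]+),"
    r"\s*prot=\s*(?P<prot>\d+)"
)

# Hypothetical values (documentation address ranges, not from the thread).
COLLECTOR = "192.0.2.50"                      # NetFlow collector
EXPORTERS = {"198.51.100.1", "198.51.100.2"}  # spoke Loopback0 addresses

# Constructed sample of hub router syslog.
SAMPLE_LOG = """\
Jan 24 08:31:02 hub %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.0.2.50, src_addr= 198.51.100.1, prot= 17
Jan 24 08:31:03 hub %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Jan 24 08:32:02 hub %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.0.2.50, src_addr= 198.51.100.1, prot= 17
Jan 24 08:32:40 hub %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 192.0.2.50, src_addr= 198.51.100.2, prot= 1
"""


def cleartext_flows(log_text):
    """Count logged cleartext packets per (src, dst, IP protocol number)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            counts[(m["src"], m["dst"], int(m["prot"]))] += 1
    return counts


def suspected_netflow_exporters(counts, collector, exporters):
    """Exporter sources with cleartext UDP (protocol 17) toward the collector.

    The message has no port field, so this is consistent with unencrypted
    export traffic rather than proof of it.
    """
    return sorted(
        src for (src, dst, prot) in counts
        if dst == collector and prot == 17 and src in exporters
    )


if __name__ == "__main__":
    flows = cleartext_flows(SAMPLE_LOG)
    print(suspected_netflow_exporters(flows, COLLECTOR, EXPORTERS))
```

A spoke that drops out of this list after a configuration change is one whose export traffic the hub no longer receives in the clear.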