Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Netflow Traffic over IP-Sec

I understand from the following post that only Flexible Netflow allows netflow traffic that originates at the router to be encrypted. I have several routers that terminate VPN connections to the data centre where our Orion NTA server is hosted and these routers never update Netflow information. Regarding this I have three questions.

Firstly I have recently set up Netflow on an ASA. This ASA also terminates a VPN to the data centre, however NTA DOES show Netflow information for this device. Why is this?

Secondly All my routers are connected via VPN and ut is only the ones that terminate tunnels directly with the data centre that have problems. If what Cisco say is corret (i.e. Netflow traffic does not get encrypted) how come it works for a router that has a VPN tunnel with an intermidate device a spoke site router that terminates a tunnel with a hub site router that in turn terminates a tunnel with the Data Centre.

Lastly. Is there any news on implemting Flexible Netlow support on Orion NTA? This (I think) would resolve my issues.

I realise I may not have explained this brilliantly but I really appreciate any thoughts / ideas on this.

Find more posts tagged with

Accepted answers

All comments

MarieB

Hi ricey--

I'm marking this for the product manager to review--he likely has some good info for you.

Also, have you seen the NTA FAQ? It has some great NTA info including some info on NTA and Cisco ASA.

HTH,

jswan

Just to be clear: your problem is that you're using traditional (that is, crypto-map based) IPSec configurations on your routers, and the routers aren't exporting NetFlow data at all, correct?

If so, one solution to this is to use IPSec-encrypted GRE tunnels instead of standard crypto-maps on interfaces. The NetFlow export traffic will then go through the tunnel normally.

battinski

I can confirm the previous update, we run MPLS networks with CPE flow exporters within the VRFs however when the VRF finishes we sometimes look to take management traffic out-of-band to make it a little more secure,

Plain or IPSEC encrypted GRE tunnels are perfect for this as they allow normal routing for networks within networks, the issue with a crypto map is the access list required to point interesting traffic over it won't count traffic generated by the router itself wheres GRE tunnels are seeing more as routing end-points and support protocols running over them more freely.

If you need config assistance on IPSEC over GRE I'm sure people will help and post example configs.

ricey

Thanks everyone for your comments on this. The big problem I have is that the peering VPN device (at the data centre where the Orion server runs) is an ASA Firewall. As far as I am aware these do not support GRE tunnels so I have to use the crypto map / ACL tunnels that I am currently using. This is only an issue in a few of my sites as the majority of sites terminate VPN tunnels on a peering ASA and therefore the Netflow traffic from the routers goes via that tunnel and works perfectly well. I guess thre is currently no way to support Netflow on the few routers that I have that have direct tunnels to the ASA at the data centre. So all thats left (I presume) is felxible netflow support for Orion NTA. Is support for that planned at any time in the future?

Thanks again.

singh_bains

Here is Netflow configuration from one of router which is configured with IPsec tunnel. Netflow over IPsec tunnel.

Configured for Netflow exporter

flow exporter NETFLOW1

destination 10.1.x.x

source Vlan1

output-features

transport udp 2055

export-protocol netflow-v5

template data timeout 30

flow monitor NETFLOW1

record netflow-original

exporter NETFLOW1

cache timeout active 30

Interfaces are configured with net flow export and exporter

interface FastEthernet4

description OUTSIDE

ip address x.x.x.x 255.255.255.252

ip flow monitor NETFLOW1 input

ip flow ingress

interface Vlan1

description inside network

ip address 192.16.2.1 255.255.255.0

ip flow monitor NETFLOW1 input

ip flow ingress

Also configured Netflow export

ip flow-export source Vlan1

ip flow-export version 5

ip flow-export destination 10.1.x.x 2055

Commands to check Netflow

sh ip flow export

sh flow exporter

sh flow exporter statistics

when i just configured netflow exporter i could see traffic is not going over tunnel then i enabled netflow export then it start working. u have to enable both. cus export command pull traffic so then expoter send it over tunnel