
Flexible-Netflow from router on IPSec VPN Tunnel

Hi all,

I’m trying to collect NetFlow data from a remote site which only has one Cisco 881 router and is connected to our corporate WAN using an IPSec VPN tunnel. According to Cisco and bug CSCsk25481 it appears as though only the new “Flexible-Netflow” will work over IPSec VPN tunnels when the router that generates the IPSec VPN tunnel is trying to send NetFlow info, as long as you have IOS version 12.4(17.2)T. I’ve tried to configure this using the commands below but it still doesn’t send any NetFlow data to our NTA. The router is being monitored by Solarwinds Orion using the Lo0 IP address. The VPN tunnel does go through a firewall but all ports are open for VPNs for both UDP and TCP.

Here’s what Cisco say…

IOS does not encrypt NetFlow export packets which originate from the router itself. This is day 0
functionality as features are not applied to NetFlow export packets and never have been.

The solution to this does not fix the above for Cisco's older netflow-switch code but rather
provides the ability to encrypt outgoing NetFlow export packets for the newer flexible-netflow
product.

Here’s the config on the router…

flow exporter export-to-DCRAP014
 destination 10.254.17.14
 source Loopback0
 transport udp 9996
!
!
flow monitor flow-monitor
 record netflow-original
 exporter export-to-DCRAP014
!
interface FastEthernet4
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output
!
interface Vlan1
 ip address 10.254.41.1 255.255.255.0
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output

Is my config of the router wrong or am I missing something?

Wireshark also doesn't pick up any traffic from the remote router on the Orion server, so it doesn't look like the router is sending anything.

many thanks
Dave

5 Replies

Here is the NetFlow configuration from one of our routers which is configured with an IPsec tunnel. NetFlow over IPsec tunnel.

Configured for NetFlow exporter:

flow exporter NETFLOW1
 destination 10.1.x.x
 source Vlan1
 output-features
 transport udp 2055
 export-protocol netflow-v5
 template data timeout 30
!
!
flow monitor NETFLOW1
 record netflow-original
 exporter NETFLOW1
 cache timeout active 30
!

Interfaces are configured with NetFlow export and the exporter:

interface FastEthernet4
 description OUTSIDE
 ip address x.x.x.x 255.255.255.252
 ip flow monitor NETFLOW1 input
 ip flow ingress
!
!
interface Vlan1
 description inside network
 ip address 192.16.2.1 255.255.255.0
 ip flow monitor NETFLOW1 input
 ip flow ingress
!

Also configured NetFlow export:

ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 10.1.x.x 2055

Commands to check NetFlow:

sh ip flow export
sh flow exporter
sh flow exporter statistics

When I just configured the NetFlow exporter I could see traffic was not going over the tunnel; then I enabled NetFlow export and it started working. You have to enable both, because the export command pulls the traffic and then the exporter sends it over the tunnel.


I replied to you David in the case, but in case anyone else is wondering about Flexible-Netflow.

At present we do not support it.

Flexible NetFlow (FNF) has a lot of abilities that standard flow technologies do not.

The implementation for a NetFlow collector is extremely complicated and at present we have had almost no customers asking for it.

Also I have not seen any other Vendor supporting it in regards to Network Management.


Would you say that FNF support is on the road map?


We are examining the technology now. It is not on the road map, as it's not clear what the uptake of this is/will be and what use cases it fulfills. If y'all have any use cases to share, I'm listening.


I am happily running FNF on an 871 Cisco router doing ezvpn. I am running IOS 12.4(24)T1 on this box. Here is the config; the key is to enable 'output-features' on the exporter.

flow exporter test
 destination 1.1.1.1 source BVI1
 output-features
 transport udp 2055
 template data timeout 60

flow monitor flow-monitor
 record netflow-original
 exporter test
 cache timeout active 60

hope it helps. . .

ip flow-export source BVI1

interface FastEthernet4
 description $FW_OUTSIDE$
 bandwidth 3000
 ip address dhcp
 no ip unreachables
 no ip proxy-arp
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto ipsec client ezvpn xxxxxx
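A collector-side check for the problem in this thread, added here as example code that is not from any of the posts above: a parser for the NetFlow v5 export datagrams the exporters in this thread emit (export-protocol netflow-v5 on UDP 2055 or 9996). Binding the listener on the collector shows whether the router's export packets actually arrive through the tunnel before involving the NTA; the sample datagram, interface indexes and addresses are constructed.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by up to 30 records of 48 bytes.
HEADER = struct.Struct("!HHIIIIBBH")                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifs, pkts, octets, times, ports, flags, proto, ...


def parse_v5(datagram: bytes) -> dict:
    """Return header fields and flow records; raise ValueError if it is not a well-formed v5 export."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {"count": count, "sequence": seq, "flows": flows}


def build_sample() -> bytes:
    """Constructed single-flow v5 datagram: 10.254.41.10 -> 10.254.17.14 over UDP/9996 (not a capture)."""
    hdr = HEADER.pack(5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)
    rec = RECORD.pack(IPv4Address("10.254.41.10").packed, IPv4Address("10.254.17.14").packed, bytes(4),
                      1, 2, 10, 1500, 100, 200, 40000, 9996, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return hdr + rec


def listen(port: int = 9996, limit: int = 1) -> None:
    """Bind the exporter port on the collector and print each parsed datagram and its sender."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", port))
        for _ in range(limit):
            data, peer = s.recvfrom(65535)
            print(peer[0], parse_v5(data))
```

If nothing arrives on the port while `sh flow exporter statistics` on the router shows export packets being sent, the datagrams are leaving the router outside the tunnel, which is the symptom the thread attributes to a missing `output-features`.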