5 Replies Latest reply on Jun 13, 2012 7:54 PM by singh_bains

    Netflow Traffic over IP-Sec

      I understand from the following post, Flexible-Netflow from router on IPSec VPN Tunnel, that only Flexible Netflow allows netflow traffic that originates at the router to be encrypted. I have several routers that terminate VPN connections to the data centre where our Orion NTA server is hosted, and these routers never update Netflow information. Regarding this I have three questions.

      Firstly, I have recently set up Netflow on an ASA. This ASA also terminates a VPN to the data centre; however, NTA DOES show Netflow information for this device. Why is this?

      Secondly, all my routers are connected via VPN and it is only the ones that terminate tunnels directly with the data centre that have problems. If what Cisco say is correct (i.e. Netflow traffic does not get encrypted), how come it works for a router that has a VPN tunnel with an intermediate device: a spoke site router that terminates a tunnel with a hub site router, which in turn terminates a tunnel with the Data Centre?

      Lastly, is there any news on implementing Flexible Netflow support in Orion NTA? This (I think) would resolve my issues.

      I realise I may not have explained this brilliantly but I really appreciate any thoughts / ideas on this.

        • Re: Netflow Traffic over IP-Sec

          Hi ricey--

          I'm marking this for the product manager to review--he likely has some good info for you.

          Also, have you seen the NTA [link]? It has some great NTA info including some info on NTA and Cisco ASA.



          • Re: Netflow Traffic over IP-Sec

            Just to be clear: your problem is that you're using traditional (that is, crypto-map based) IPSec configurations on your routers, and the routers aren't exporting NetFlow data at all, correct?

            If so, one solution to this is to use IPSec-encrypted GRE tunnels instead of standard crypto-maps on interfaces. The NetFlow export traffic will then go through the tunnel normally.

            • Re: Netflow Traffic over IP-Sec

              I can confirm the previous update. We run MPLS networks with CPE flow exporters within the VRFs; however, when the VRF finishes we sometimes look to take management traffic out-of-band to make it a little more secure.

              Plain or IPSEC-encrypted GRE tunnels are perfect for this as they allow normal routing for networks within networks. The issue with a crypto map is that the access list required to point interesting traffic over it won't count traffic generated by the router itself, whereas GRE tunnels are seen more as routing end-points and support protocols running over them more freely.

              If you need config assistance on IPSEC over GRE I'm sure people will help and post example configs.
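As an added example (not posted by any participant in this thread), here is a spoke-side IOS configuration for the GRE-over-IPsec approach the two replies above describe: the NetFlow exporter is sourced from a loopback and the collector's network is routed into the protected tunnel, so the router-originated export packets are encrypted without a crypto-map ACL having to match them. It assumes a hub router (not an ASA) with a mirrored tunnel, and all addresses, names and the pre-shared key placeholder are hypothetical.

```cisco
! Spoke router: IPsec-protected GRE tunnel to the hub, NetFlow exported through it.
! Hypothetical addresses: spoke WAN 203.0.113.2, hub WAN 198.51.100.1, collector 10.1.0.50
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
!
interface Loopback0
 description NetFlow export source; only reachable from the hub via the tunnel
 ip address 10.255.0.2 255.255.255.255
!
interface Tunnel0
 description GRE to hub, encrypted by IPsec tunnel protection
 ip address 10.254.0.2 255.255.255.252
 tunnel source 203.0.113.2
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
! The export packets are ordinary IP routed into Tunnel0, so the GRE/IPsec
! encapsulation carries them; no "interesting traffic" ACL is involved.
ip route 10.1.0.0 255.255.255.0 Tunnel0
!
flow exporter NETFLOW1
 destination 10.1.0.50
 source Loopback0
 transport udp 2055
 export-protocol netflow-v5
 template data timeout 30
!
flow monitor NETFLOW1
 record netflow-original
 exporter NETFLOW1
 cache timeout active 30
!
interface Vlan1
 description inside network, monitored by the flow monitor
 ip flow monitor NETFLOW1 input
```

To confirm the exports are actually inside the tunnel, check that the encapsulated packet counters in "show crypto ipsec sa" rise in step with "show flow exporter statistics" on the spoke; if the exporter counters rise but the SA counters do not, the collector route is not pointing into Tunnel0.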

              • Re: Netflow Traffic over IP-Sec

                Thanks everyone for your comments on this. The big problem I have is that the peering VPN device (at the data centre where the Orion server runs) is an ASA firewall. As far as I am aware these do not support GRE tunnels, so I have to use the crypto map / ACL tunnels that I am currently using. This is only an issue in a few of my sites, as the majority of sites terminate VPN tunnels on a peering ASA and therefore the Netflow traffic from the routers goes via that tunnel and works perfectly well. I guess there is currently no way to support Netflow on the few routers that I have that have direct tunnels to the ASA at the data centre. So all that's left (I presume) is Flexible Netflow support for Orion NTA. Is support for that planned at any time in the future?


                Thanks again.

                • Re: Netflow Traffic over IP-Sec

                  Here is the Netflow configuration from one of the routers that is configured with an IPsec tunnel (Netflow over IPsec tunnel).


                  Configured the Netflow exporter and flow monitor:

                  flow exporter NETFLOW1
                   destination 10.1.x.x
                   source Vlan1
                   transport udp 2055
                   export-protocol netflow-v5
                   template data timeout 30
                  !
                  flow monitor NETFLOW1
                   record netflow-original
                   exporter NETFLOW1
                   cache timeout active 30

                  Interfaces are configured with the flow monitor and Netflow ingress export:

                  interface FastEthernet4
                   description OUTSIDE
                   ip address x.x.x.x
                   ip flow monitor NETFLOW1 input
                   ip flow ingress
                  !
                  interface Vlan1
                   description inside network
                   ip address
                   ip flow monitor NETFLOW1 input
                   ip flow ingress

                  Also configured Netflow export:

                  ip flow-export source Vlan1
                  ip flow-export version 5
                  ip flow-export destination 10.1.x.x 2055

                  Commands to check Netflow:

                  sh ip flow export
                  sh flow exporter
                  sh flow exporter statistics


                  When I had just configured the netflow exporter I could see the traffic was not going over the tunnel; then I enabled netflow export and it started working. You have to enable both, because the export command pulls the traffic and then the exporter sends it over the tunnel.