[nsp] RE: NetFlow not exporting? (Now an IPSec Q!)

Chris Moore - GMD chris.moore at gmd.com
Fri Apr 16 23:11:03 EDT 2004


Thanks for all the replies guys. I accidentally replied to one off list, so
now I'll reply on-list to everyone.

First, the "IP flow ingress" command actually came from a sample config I
got from a vendor whose collector software I was demoing. Removing it seemed
to have no effect.

I did find my problem though. The router was exporting just fine. The
problem is in the next-hop router. I have IPSec encryption turned on on the
T1 between them (I'm in the financial industry and encryption of private
links is required - even if I think it doesn't provide a lot of extra
security). For some reason unknown the router is not encrypting the netflow
packets on the way out - even though it encrypts all other traffic generated
from the router (icmp, snmp, telnet, etc.). The next-hop router expects to
see encrypted traffic, doesn't and in response drops the packets.

So I'm left with a bit of a puzzle. I know the problem now but not the
resolution. First, I can't figure out why every other type of traffic
generated from the router works just fine, while NetFlow does not. Secondly,
I tried to modify the crypto access-lists and that didn't work either. For
those that don't know, the crypto is controlled by ACLs (I'm self-taught so
please tell me if I've got this wrong!). Deny statements tell the router to
not encrypt those packets, or not to expect them encrypted from the other
end. Permit statements cause it to encrypt or expect those packets to be
encrypted. To start out with my crypto ACLs on both ends looked like this:

access-list 101 deny ospf any any
access-list 101 permit ip any any

This causes everything except OSPF to be encrypted - IPSec does not handle
multicast so I turned it off for OSPF to allow it to talk across the link.

So I figured that I only really need to encrypt customer data, not network
workings, so I thought I'd just insert the following before the "permit any
any" statement on both routers:

access-list 101 deny udp host 172.17.1.6 host 10.12.23.201

Unfortunately, that didn't fix it. The next-hop router still says it's
expecting those packets to be encrypted, but is seeing them unencrypted and
dropping the packets.

The last thing I tried at the end of the day was putting in a static route
to the collector by way of the NetFlow router's neighbor. I figured that
it'd send the packets across the unencrypted LAN, where the next router
would encrypt them like any other traffic and pass them across to the
collector's LAN. The collector is STILL not seeing the flows come in but I
have not investigated where that goes wrong.

So my questions now are these: 1) why are these packets being treated
differently from all the other traffic generated by the router? And 2) why
don't my crypto access-lists get around the problem?

Thanks again,

Chris
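As an added illustration (not from Chris's post and not Cisco's code), the following Python model classifies traffic the way an IOS crypto ACL does: first match wins, permit means protect with IPsec, deny or no match means send in the clear, and the receiving peer evaluates its own crypto ACL against inbound traffic with source and destination swapped, which is why IPsec peers need mirror-image crypto ACLs. It replays the post's ACL 101 on both routers against the NetFlow export datagram (UDP from 172.17.1.6 to 10.12.23.201) and then against a peer ACL whose NetFlow deny entry is mirrored; only the "any" and "host X" address forms are modelled.

```python
# Constructed model of Cisco crypto-ACL classification; not IOS code.
PROTO = {"ip": 0, "udp": 17, "tcp": 6, "icmp": 1, "ospf": 89}  # 0 = any protocol

def _addr(tokens):
    """Consume one address spec; only 'any' and 'host X' are modelled."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address form: " + tokens[0])

def parse_ace(line):
    """'access-list N permit|deny <proto> <src> <dst>' -> (action, proto, src, dst)."""
    tok = line.split()
    src, rest = _addr(tok[4:])
    dst, _ = _addr(rest)
    return (tok[2], PROTO[tok[3]], src, dst)

def _hit(ace, proto, src, dst):
    return ace[1] in (0, proto) and ace[2] in (None, src) and ace[3] in (None, dst)

def outbound(acl, proto, src, dst):
    """Sender side: first match wins; 'permit' = encrypt, 'deny' = send in clear."""
    for ace in acl:
        if _hit(ace, proto, src, dst):
            return ace[0]
    return "deny"  # implicit deny: unmatched traffic is not protected

def inbound_expects_ipsec(acl, proto, src, dst):
    """Receiver side: IOS checks inbound traffic with source/destination swapped."""
    return outbound(acl, proto, dst, src) == "permit"

def netflow_export_dropped(sender_acl, receiver_acl, src="172.17.1.6", dst="10.12.23.201"):
    """True when the export datagram leaves in clear but the peer demands IPsec."""
    proto = PROTO["udp"]
    sent_clear = outbound(sender_acl, proto, src, dst) == "deny"
    return sent_clear and inbound_expects_ipsec(receiver_acl, proto, src, dst)

# ACL 101 as in the post, with the NetFlow deny inserted before 'permit ip any any'.
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 deny ospf any any",
    "access-list 101 deny udp host 172.17.1.6 host 10.12.23.201",
    "access-list 101 permit ip any any",
)]
# Peer ACL with the NetFlow entry mirrored (addresses swapped), as IPsec peers require.
MIRRORED_PEER = [ACL_101[0],
                 parse_ace("access-list 101 deny udp host 10.12.23.201 host 172.17.1.6"),
                 ACL_101[2]]
```

With the identical ACL on both ends, `netflow_export_dropped(ACL_101, ACL_101)` is True: the sender matches its deny and sends in the clear, while the peer's swapped evaluation falls through to `permit ip any any` and expects IPsec. With `MIRRORED_PEER` on the receiving side it is False.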

