[nsp] RE: NetFlow not exporting? (Now an IPSec Q!)
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Sun Apr 18 13:17:43 EDT 2004
Hi Chris,
> I did find my problem though. The router was exporting just fine. The
> problem is in the next-hop router. I have IPSec encryption turned on
> on the T1 between them (I'm in the financial industry and encryption
> of private links is required - even if I think it doesn't provide a
> lot of extra security). For some reason unknown the router is not
> encrypting the netflow packets on the way out - even though it
> encrypts all other traffic generated from the router (icmp, snmp,
> telnet, etc.). The next-hop router expects to see encrypted traffic,
> doesn't and in response drops the packets.
>
> [...]
>
> So my questions now are these: 1) why are these packets being treated
> differently from all the other traffic generated by the router? And
> 2)why don't my crypto access-lists get around the problem?
I can only say that Netflow export packets are indeed treated
differently, encrypting (or policy-routing, for this matter) those
packets locally fail (CSCdv74371). There is currently no workaround.
oli
More information about the cisco-nsp
mailing list