[nsp] RE: cisco-nsp Digest, Vol 17, Issue 34

Chris Moore - GMD chris.moore at gmd.com
Mon Apr 19 12:22:52 EDT 2004


Thanks again for all the replies, guys.

My workaround on Friday actually did work - routing to another router on the
LAN. It just sees it like any other traffic and passes it (encrypted) no
problem. Now the problem is how to get THAT router to send packets
back.......maybe my collector needs a second IP address that I can route
to....let them cross routers (e.g. Router A sends NetFlow packets to
collector IP X via router B, Router B sends to collector IP Y via Router A).

Now I have to go to the Ntop list and find out why nTop is showing 0 flows
received in the summary while it is receiving and processing them!

Thanks again,

Chris

-----Original Message-----
Date: Sun, 18 Apr 2004 19:17:43 +0200
From: "Oliver Boehmer \(oboehmer\)" <oboehmer at cisco.com>
Subject: RE: [nsp] RE: NetFlow not exporting? (Now an IPSec Q!)
To: "Chris Moore - GMD" <chris.moore at gmd.com>
Cc: cisco-nsp at puck.nether.net
Message-ID: <1705A7CD33EC9D44B19C9E80201C3E2F02A160A4 at xbe-ams-313.cisco.com>
Content-Type: text/plain;	charset="us-ascii"

Hi Chris,

> I did find my problem though. The router was exporting just fine. The
> problem is in the next-hop router. I have IPSec encryption turned on
> on the T1 between them (I'm in the financial industry and encryption
> of private links is required - even if I think it doesn't provide a
> lot of extra security). For some reason unknown the router is not
> encrypting the netflow packets on the way out - even though it
> encrypts all other traffic generated from the router (icmp, snmp,
> telnet, etc.). The next-hop router expects to see encrypted traffic,
> doesn't and in response drops the packets. 
> 
> [...]
> 
> So my questions now are these: 1) why are these packets being treated
> differently from all the other traffic generated by the router? And
> 2)why don't my crypto access-lists get around the problem?

I can only say that Netflow export packets are indeed treated
differently, encrypting (or policy-routing, for this matter) those
packets locally fail (CSCdv74371). There is currently no workaround.

	oli


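The following is an added illustration of the workaround Chris describes above (export via the other LAN router so the crypto map sees transit traffic instead of locally generated packets); it is not configuration posted in the thread or supplied by Cisco. All addresses, interface names, ACL numbers, map and transform-set names are assumed for the example, and the ISAKMP policy and peer keying are omitted.

```cisco
! Router A (LAN 192.168.1.1, T1 on Serial0/0). Its own crypto map never
! sees its locally generated NetFlow export packets, so send them to
! Router B on the LAN, where they arrive as ordinary transit traffic.
ip flow-export version 5
ip flow-export source FastEthernet0/0
ip flow-export destination 10.10.10.50 9996
!
! A /32 host route for collector address X wins over the WAN route for
! the collector subnet, so export packets leave via the LAN toward B.
ip route 10.10.10.50 255.255.255.255 192.168.1.2
ip route 10.10.10.0 255.255.255.0 Serial0/0
!
! Crypto ACL: covers B's export packets (source 192.168.1.2) that A forwards
! to collector address Y as transit traffic.
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 172.16.0.2
 set transform-set ESP-3DES-SHA
 match address 110
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip route-cache flow
interface Serial0/0
 ip address 172.16.0.1 255.255.255.252
 crypto map HQ-VPN
!
! ---------------------------------------------------------------------
! Router B (LAN 192.168.1.2, T1 on Serial0/1). The mirror image: B's own
! exports go to a second collector address Y via A, while A's exports
! arriving from the LAN match the crypto ACL and are encrypted normally.
ip flow-export version 5
ip flow-export source FastEthernet0/0
ip flow-export destination 10.10.10.51 9996
!
ip route 10.10.10.51 255.255.255.255 192.168.1.1
ip route 10.10.10.0 255.255.255.0 Serial0/1
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 172.16.0.6
 set transform-set ESP-3DES-SHA
 match address 110
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip route-cache flow
interface Serial0/1
 ip address 172.16.0.5 255.255.255.252
 crypto map HQ-VPN
```

To check that the detour is taking effect, confirm on each router that the host route for its own collector address points at the LAN peer (show ip route 10.10.10.50 on A, show ip route 10.10.10.51 on B), then watch the encaps counter under show crypto ipsec sa on the other router climb while exports are sent. The collector (or a second address on it) must be reachable from both routers through the encrypted links for this to work, and the crypto ACL on each router must include the other router's export source address, or the forwarded packets will be dropped by the far end just as before.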