[c-nsp] Re: Transit ESP packets not shown in Netflow export
Bulgaria Online - Assen Totin
assen at online.bg
Fri Nov 25 06:26:27 EST 2005
Hi,
Thanks to all who responded.
OBo> Did you wait long enough until the active timeout (30 mins by default)
OBo> fires and the flows are actually aged out and exported? Since there will
OBo> likely be constant traffic within the crypto tunnel, the flow will
OBo> likely never become "inactive", so Netflow will only export it every 30
OBo> minutes..
Yes, I started looking for the problem more than 24 hours after
traffic started to flow. Besides, since I use the data for real-time
visualisation purposes with 1-minute samples, I have the following
settings:
ip flow-cache timeout active 1
ip flow-cache timeout inactive 60
So ageing should not be an issue at all.
RD> What tool are you using to receive the NetFlow Data Export (NDE) and
RD> process it? Is it possible that your NetFlow analysis tool isn't set
RD> up to view non-TCP/-UDP/-ICMP protocols such as ESP?
For testing whether the export is made or not, I'm using a very simple
C listener that basically opens a UDP port, captures all exported
packets, extracts only ipSrc, ipDst, size and tos and writes them down
into a text file. After a 5-minute dump no sign of the VPN traffic at
all; however, some non-VPN traffic from/to the customer (e.g.: icmp)
was clearly visible in the exports.
You can get the sample source here:
http://bilbo.online.bg/~assen/nf_collect.c
Best regards,
Assen Totin
Development Manager
===============================
BULGARIA ONLINE
Your quality... Your price!
===============================
tel. (+359 2) 973-3000 ext. 511
http://home.online.bg
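A collector-side check for the symptom discussed in this message, as an added example that is not part of the original post and is not the poster's nf_collect.c: it reads the protocol field of each flow record, so ESP (IP protocol 50) flows can be counted separately from ICMP, TCP and UDP. It assumes NetFlow version 5 export, which the thread does not state; the function names and the sample datagram are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NF5_HDR_LEN  24   /* NetFlow v5 header size in bytes */
#define NF5_REC_LEN  48   /* NetFlow v5 flow record size in bytes */
#define NF5_MAX_RECS 30   /* a v5 datagram carries at most 30 records */
#define PROTO_ESP    50   /* IP protocol number of ESP */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Count the flow records of one IP protocol in a NetFlow v5 datagram.
 * Returns the number of matching records, or -1 if the datagram is not
 * a well-formed v5 export. *octets receives the summed dOctets. */
int nf5_count_proto(const uint8_t *pkt, size_t len, uint8_t proto, uint64_t *octets)
{
    *octets = 0;
    if (len < NF5_HDR_LEN || be16(pkt) != 5) return -1;   /* version field */
    uint16_t count = be16(pkt + 2);                       /* record count */
    if (count > NF5_MAX_RECS || len < NF5_HDR_LEN + (size_t)count * NF5_REC_LEN) return -1;
    int hits = 0;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *r = pkt + NF5_HDR_LEN + (size_t)i * NF5_REC_LEN;
        if (r[38] != proto) continue;   /* prot is at record offset 38 */
        *octets += be32(r + 20);        /* dOctets is at record offset 20 */
        hits++;
    }
    return hits;
}

/* Constructed sample datagram: one ICMP record and one ESP record. */
size_t nf5_sample(uint8_t *buf)
{
    memset(buf, 0, NF5_HDR_LEN + 2 * NF5_REC_LEN);
    buf[1] = 5; buf[3] = 2;                            /* version 5, 2 records */
    uint8_t *r0 = buf + NF5_HDR_LEN, *r1 = r0 + NF5_REC_LEN;
    r0[38] = 1;         r0[23] = 84;                   /* ICMP, 84 octets */
    r1[38] = PROTO_ESP; r1[22] = 0x05; r1[23] = 0xdc;  /* ESP, 1500 octets */
    return NF5_HDR_LEN + 2 * NF5_REC_LEN;
}

int main(void)
{
    uint8_t buf[NF5_HDR_LEN + 2 * NF5_REC_LEN];
    uint64_t oct;
    int hits = nf5_count_proto(buf, nf5_sample(buf), PROTO_ESP, &oct);
    printf("ESP flows: %d, octets: %llu\n", hits, (unsigned long long)oct);
    return 0;
}
```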