Unable to export Netflow Data over IPSec VPN Tunnel

I'm having problems exporting Netflow data from a Cisco 831 to a Netflow collector that sits on the other side of a VPN tunnel at my central site. Here are portions of the config.

The Netflow collector is addressed as 192.168.0.100 and the Cisco 831 is set to "ip flow-export source Ethernet0", "ip flow-export destination 192.168.0.100 9996". What I see is that access-list 101 is blocking the router from sending the data to 192.168.0.100.

Here is the log message on the Cisco 831 (192.168.2.1) when it exports the Netflow data to the collector (192.168.0.100):

000075: *Feb 28 19:27:04.841 PCTime: IPFLOW: Sending export pak to 192.168.0.100 port 9996 0
000076: *Feb 28 19:27:04.843 PCTime: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.2.1(0) -> 192.168.0.100(0), 2 packets

One interesting note is that syslog ("logging source-interface Ethernet0", "logging 192.168.0.100") works great and syslog messages are showing up on the 192.168.0.100 server with no problem. It too uses the same Cisco 831 VPN tunnel to my central site. Is this an IOS bug or am I configuring something totally wrong? I've been banging my head on this problem for weeks now... Has anyone seen this problem before? Here is a portion of the config on the Cisco 831 router:

boot system flash c831-k9o3y6-mz.123-8.T8.bin

crypto keyring site2site
 pre-shared-key address 192.168.1.102 key xxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group remote-clients
 key axaxa
 pool SDM_POOL_1
 acl 104
 max-logins 1
crypto isakmp profile site-to-site
 description Site to site VPN Tunnel profile connection
 keyring site2site
 match identity address 192.168.1.102 255.255.255.255
 keepalive 60 retry 5
crypto isakmp profile vpnclients
 description VPN Clients profile connection
 match identity group remote-clients
 client authentication list vpnclientauth
 isakmp authorization list vpngroupauth
 client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpnclients
 reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 192.168.1.102
 set transform-set ESP-3DES-SHA
 set isakmp-profile site-to-site
 match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description Inside Default Gateway$ES_LAN$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description Outside$ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id Ethernet1
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 no cdp enable
 crypto map SDM_CMAP_1
!
ip classless
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-export source Ethernet0
ip flow-export version 5
ip flow-export destination 192.168.0.100 9996
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
!
logging trap debugging
logging source-interface Ethernet0
logging 192.168.0.100
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255 log
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.20.1
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip host 192.168.20.1 192.168.2.0 0.0.0.255
access-list 103 remark Auto generated by SDM for NTP (123) 129.6.15.28
access-list 103 permit udp host 129.6.15.28 eq ntp any eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 103 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 103 permit ahp any any
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip 192.168.2.0 0.0.0.255 any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip any any log
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
end

greggm
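In the posted config, ACL 101 is referenced only by route-map SDM_RMAP_1, the NAT policy, and its second deny entry carries the `log` keyword, which is what emits the %SEC-6-IPACCESSLOGP line: in a NAT route-map ACL a deny means "do not translate", not "drop the packet". The Python matcher below is an added example, not part of the post; it replays the posted ACL 101 against the source and destination taken from the log line (or any other flow) and reports which entry fires and whether that entry logs. It assumes plain `ip` entries with `any`, `host` or address/wildcard specs and no port matches, which is all ACL 101 contains.

```python
import ipaddress
import re

# ACL 101 exactly as it appears in the posted config (remark lines omitted).
ACL_101 = [
    "access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.20.1",
    "access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any log",
]
# The IPACCESSLOGP message from the post.
LOG_LINE = "%SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.2.1(0) -> 192.168.0.100(0), 2 packets"


def _parse_addr(tokens):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is the bitwise inverse of a netmask (0.0.0.255 -> 255.255.255.0).
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse a numbered 'access-list N permit|deny ip SRC DST [log]' entry (IP-only, as in ACL 101)."""
    m = re.match(r"access-list \d+ (permit|deny) ip (.*)$", line)
    src, rest = _parse_addr(m.group(2).split())
    dst, rest = _parse_addr(rest)
    return {"action": m.group(1), "src": src, "dst": dst, "log": "log" in rest}


def first_match(acl_lines, src_ip, dst_ip):
    """Return (index, parsed ACE) of the first entry matching the flow, or (None, None) for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if src in ace["src"] and dst in ace["dst"]:
            return idx, ace
    return None, None


def explain_log(log_line, acl_lines):
    """Pull src/dst out of an IPACCESSLOGP message and report (entry index, action, logs?) for it."""
    m = re.search(r"(\d+(?:\.\d+){3})\(\d+\) -> (\d+(?:\.\d+){3})\(\d+\)", log_line)
    idx, ace = first_match(acl_lines, m.group(1), m.group(2))
    return idx, ace["action"], ace["log"]
```

Syslog from 192.168.2.1 to 192.168.0.100 matches the same logged deny entry as the flow export, which is consistent with syslog still arriving at the collector: the message records a NAT exemption, so the cause of the missing flow records has to be looked for elsewhere (for example with `show ip flow export` and `debug ip flow export`).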
