Troubleshooting NetFlow over VPN tunnel

I was working with a customer last week who had configured NetFlow on four of their Cisco routers. They had applied basically the same configuration to each of the routers, but only saw exported flows from three of them arrive at the collector.

After doing the usual check of NetFlow configuration, exporter counters, and access lists, I learned that the router in question sends the flows across a VPN tunnel to get to the collector.

Why is exporting NetFlow over VPN tunnel a problem?

There is an issue with Cisco routers when they are encrypting packets for transport over VPN tunnels and exporting NetFlow. When using IPsec tunnels, the packets transferred must have the effect of the output features of the tunnel, namely QoS and encryption. Only if the output features are applied on the packets will they be sent across to the destination over VPN. When it comes to NetFlow, or self-generated NetFlow to be specific, the output features will not take effect on these packets. The NetFlow packets originating from the device where the tunnel has its source will not be encrypted, thus preventing the NetFlow packets from being sent over the VPN tunnel to the destination.

What you end up with is a Cisco router that is properly configured for NetFlow, but none of the NetFlow packets make it to the NetFlow collector.

It is important to understand that this only happens with Cisco routers that are doing both the data encryption and exporting NetFlow. Any NetFlow packets that are forwarded to the Cisco router that is doing the encryption will be properly encrypted and sent over the tunnel without an issue.

Let me re-introduce you to the NetFlow configuration option: output-features.

The solution to exporting NetFlow over a VPN tunnel is to switch to exporting Flexible NetFlow and add output-features to the flow exporter. Using this Flexible NetFlow configuration, the Cisco router will then encrypt the self-generated NetFlow packets and send them properly over the IPsec tunnel.

Below is a basic example of a Flexible NetFlow configuration for a flow exporter on a Cisco router:

flow exporter export-to-scrutinizer
description flexible NF v9
destination 10.1.12.36
source Vlan1
output-features
transport udp 2055
template data timeout 60

Once I added output-features to the customers flow exporter, we immediately saw the packets arrive at the collector.

Enterprises using tools for network monitoring, including bandwidth and traffic analytics, need visibility from all locations.

If you have routers configured for NetFlow and the packets are not arriving at the collector, adding output-features to the exporter may be just what you need. If you’re new to NetFlow or find that you are missing critical data when investigating network issues, I would love to talk to you about best practices for collecting, reporting, and analyzing the traffic traversing your network.