ASA filtering traffic through VPN

Posted on 2009-04-03
Last Modified: 2012-05-06
Have any of you come across instances of an ASA grabbing sFlow data coming across VPNs and blocking it/doing funny things to it?

I am trying to get data from one of my site offices off an HP switch there, and it just isn't coming through to my monitoring server. The cryptos are all IP ANY ANY in both directions, so there is no reason why it should be stopped.

I can get all the SNMP data from the switch and the ASA fine; it is just the sFlow which I am not getting.

Anyone??
Question by:fahim
3 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24062916
Do you have "sysopt connection permit-ipsec" in your ASA config?
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 800 total points
ID: 24067060
What port are you exporting the sFlow on? If that port matches a well-known service that the inspects look at, then yes, the ASA could be doing funny things with it.
 
LVL 32

Accepted Solution

by:
harbor235 earned 1200 total points
ID: 24083571


sFlow is normally exported on TCP/UDP port 6343. What traffic are you allowing via the VPN? Can you provide the ACL used to match the traffic to be encrypted?

harbor235 ;}
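
Added example (not part of the thread and not any poster's code): a small Python check that answers the question the accepted solution asks, namely whether an sFlow datagram to port 6343 is selected by the crypto ACL. The ACL names, addresses and config lines are constructed sample data, and the parser assumes only `any`, `host A` or `A MASK` addresses and a numeric destination `eq` port.

```python
import ipaddress

# Constructed ASA-style config excerpt (sample data, not taken from the thread).
SAMPLE_CONFIG = """\
access-list SITE_CRYPTO extended permit udp 10.20.0.0 255.255.255.0 host 10.1.1.50 eq 162
access-list SITE_CRYPTO extended permit tcp 10.20.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list SITE_CRYPTO extended deny ip any any
access-list OPEN_CRYPTO extended permit ip any any
"""

def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK') and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(config, name):
    """Return the ordered (action, proto, src_net, dst_net, dport) entries of one ACL."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto, rest = t[3], t[4], t[5:]
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, dport))
    return entries

def crypto_decision(entries, proto, src, dst, dport):
    """First matching entry wins; 'deny' or 'no-match' means the packet is not tunnelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_dport in entries:
        if e_proto not in ("ip", proto):
            continue
        if s in e_src and d in e_dst and e_dport in (None, dport):
            return action
    return "no-match"

if __name__ == "__main__":
    # Hypothetical switch 10.20.0.5 exporting sFlow to collector 10.1.1.50 on UDP 6343.
    for acl in ("SITE_CRYPTO", "OPEN_CRYPTO"):
        print(acl, crypto_decision(parse_acl(SAMPLE_CONFIG, acl), "udp", "10.20.0.5", "10.1.1.50", 6343))
```

If the result for the real ACL is `permit`, the crypto selection is not what is dropping the sFlow export, and the `sysopt` and inspection questions raised in the other comments are the next things to check.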
Question has a verified solution.
