shohis

Netflow under application and identification

p12 certificate

Code Block
jlk-site2#ls security/
pkicerts/
sdwan.p12
ssh/

that’s the problem

show flow exporter: connections: 0 attempts, 0 succeeded

Code Block
jlk-site2#show flow exporter
Flow exporter sdwanFlowExporter:
  exporter-id: 65543
  reporter: 8d9f37062b994250b33dc2c3fa890665
  destination host: netflow.EKI_Customer.Pre_Sales.sdwan.ekinops.com:4740
  transport: tls
  destination address: 57.152.68.169:4740
  not connected to TLS server
  connections : 0 attempts, 0 succeeded, 0 failed, 0 errors send
  source address: 192.0.2.1
  dscp: 0, ttl: 255

  0 report packets sent, 0 bytes, 0 flows exported, 0 flows filtered out
  flow template sent 0 times, timeout 1200 sec
  application-table sent 0 times, timeout 3600 sec
  interface-table sent 0 times, timeout 3600 sec
  system-table sent 0 times, timeout 600 sec

Config

Code Block
jlk-site2#show running-config flow
flow exporter sdwanFlowExporter
 destination netflow.EKI_Customer.Pre_Sales.sdwan.ekinops.com
 option application-table timeout 3600
 option interface-table timeout 3600
 option system-table timeout 600
 record      netflow-tic-extended
 reporter-id 8d9f37062b994250b33dc2c3fa890665
 source loopback 65535
 template data timeout 1200
 transport tls 4740
 pki trustpoint sign TP_sign_device include-ca
 pki trustpoint verify TP_verify_sdwan
 exporter-id 65543
exit

Code Block
jlk-site2#show running-config crypto pki trustpoint
crypto pki trustpoint VPN_OA
 revocation-check none
exit

Solutions

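1- Missing config (crypto pki trustpoint): the flow exporter references TP_sign_device and TP_verify_sdwan, but the running config only defines VPN_OA.

2- Upgrade to 6.10.6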

Code Block
crypto pki trustpoint TP_sign_device 
enrollment-storage file-only 
revocation-check none 
enrollment factory-certificate backup 
enrollment file pkcs12 /security/sdwan.p12 
rsakeypair sign-label  
fingerprint 00000000 00000000 00000000 00000000 00000000
enroll-on-boot
exit 

crypto pki trustpoint TP_verify_sdwan 
enrollment-storage file-only 
revocation-check none 
enrollment factory-certificate backup 
enrollment file pkcs12 /security/sdwan.p12 ca-cert-cn "Root CA 002"
enrollment file pkcs12 /security/sdwan.p12 ca-cert 8 
rsakeypair verify-label 
fingerprint 00000000 00000000 00000000 00000000 00000000
enroll-on-boot
exit

crypto pki enroll TP_sign_device
crypto pki enroll TP_verify_sdwan

After enrollment, the fingerprint changes from all zeros to the new fingerprint.
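
The check below is an added example, not part of the original notes or the vendor's tooling. It scans saved running-config text for trustpoints that a flow exporter references but that are either undefined or still carry the all-zero fingerprint. The function name, the sample config and the reading of an all-zero fingerprint as "not yet enrolled" are assumptions based on the output shown above.

```python
import re

# Constructed sample input, modelled on the 'show running-config' output above.
RUNNING_CONFIG = """\
flow exporter sdwanFlowExporter
 transport tls 4740
 pki trustpoint sign TP_sign_device include-ca
 pki trustpoint verify TP_verify_sdwan
exit
crypto pki trustpoint VPN_OA
 revocation-check none
exit
crypto pki trustpoint TP_verify_sdwan
 fingerprint 00000000 00000000 00000000 00000000 00000000
exit
"""

def audit_trustpoints(config):
    """Return (exporter, trustpoint, problem) for each unusable exporter trustpoint."""
    referenced = {}  # trustpoint name -> exporter that references it
    defined = {}     # trustpoint name -> fingerprint text, or None if absent
    block = None     # (kind, name) of the config block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"flow exporter (\S+)$", line):
            block = ("exporter", m.group(1))
        elif m := re.match(r"crypto pki trustpoint (\S+)$", line):
            block = ("trustpoint", m.group(1))
            defined[m.group(1)] = None
        elif line == "exit":
            block = None
        elif block and block[0] == "exporter":
            if m := re.match(r"pki trustpoint (?:sign|verify) (\S+)", line):
                referenced[m.group(1)] = block[1]
        elif block and block[0] == "trustpoint":
            if m := re.match(r"fingerprint (.+)$", line):
                defined[block[1]] = m.group(1)
    findings = []
    for name, exporter in sorted(referenced.items()):
        if name not in defined:
            findings.append((exporter, name, "missing"))
        # Assumption from the notes above: all zeros is the pre-enrollment placeholder.
        elif defined[name] and set(defined[name].replace(" ", "")) == {"0"}:
            findings.append((exporter, name, "not-enrolled"))
    return findings

if __name__ == "__main__":
    for finding in audit_trustpoints(RUNNING_CONFIG):
        print(*finding)
```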

...