I have been having issues with getting bi-directional flows over a Cisco EZ-VPN. I found this forum post that explained the issue as well as noted a Cisco Bug.
https://forums.manageengine.com/topic/netflow-for-remote-routers-over-ipsec-vpn
The Cisco Bug has been resolved.
Symptoms:
IOS does not encrypt NetFlow export packets which originate from the router itself. This is day 0 functionality as features are not applied to NetFlow export packets and never have been.
The solution to this does not fix the above for Cisco's older netflow-switch code but rather provides the ability to encrypt outgoing NetFlow export packets for the newer flexible-netflow product.
Conditions:
NetFlow or Flexible NetFlow must be configured to do data export for the issue to be seen.
Workaround:
There is no workaround
Last Modified: Jan 11, 2016
Status: Fixed
Severity: 6 Enhancement
Product: Cisco IOS
Support Cases: 176
I continue to have issues with bi-directional flows and I am running a version that is well beyond the list of "fixed in" versions noted under the Cisco Bug. Has anyone been able to get bi-directional flows through an EZ-VPN tunnel?
We use EZ-VPN for 3 of our locations that need to use Cable Internet service for their ISP. Our more local remote locations all connect through point-to-point or other WAN services, and those use GRE tunnels; I am able to get flows in both directions on those routers.
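The bug note above separates the older NetFlow export code, whose export packets bypass output features such as IPsec, from Flexible NetFlow, where export packets can be sent through them. As an added illustration (not the poster's configuration and not taken from the bug record), the two forms side by side; the collector address 192.0.2.10, port 2055, interface names and the `EZVPN-*` names are assumed placeholders.

```cisco
! --- Older NetFlow export: export packets originate from the router
! --- and, per the bug note, output features (including encryption)
! --- are not applied to them.
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.0.2.10 2055
!
interface GigabitEthernet0/1
 ip flow ingress
 ip flow egress
!
! --- Flexible NetFlow export: "output-features" under the exporter
! --- sends export packets through the output feature path, so QoS
! --- and encryption can be applied to them.
flow exporter EZVPN-EXPORT
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 output-features
!
! --- One monitor per direction, using the predefined records.
flow monitor EZVPN-MON-IN
 record netflow ipv4 original-input
 exporter EZVPN-EXPORT
!
flow monitor EZVPN-MON-OUT
 record netflow ipv4 original-output
 exporter EZVPN-EXPORT
!
! --- Assumed LAN-facing interface; both directions are monitored here.
interface GigabitEthernet0/1
 ip flow monitor EZVPN-MON-IN input
 ip flow monitor EZVPN-MON-OUT output
```

On the Flexible NetFlow side, `show flow exporter EZVPN-EXPORT statistics` shows whether export packets are being sent, and the export source address has to be one the tunnel actually carries for the collector to receive them.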