Double counting of NetFlow traffic on a cryptomap tunnel

Nov 20th, 2007

NetFlow data export double counts the ESP protocol on a crypto map tunnel interface. Is it the same case in VPN tunnel mode?

Can anyone brief me on this?

paitken Tue, 11/27/2007 - 04:13

Double counting happens when you have netflow enabled on both the tunnel and physical interfaces.

If you configure netflow to observe the traffic twice, then it will!

Tue, 11/27/2007 - 07:18


Thanks for your comment.

I am talking about an IPsec crypto-map-enabled tunnel interface. At the entry and exit of the tunnel, when the traffic is decrypted and routed, you will see both the ESP_APP traffic and the actual application (e.g. HTTP) traffic.



paitken Tue, 11/27/2007 - 07:34


You see the ESP_APP traffic because netflow is enabled on the physical interface, and encrypted traffic is passing along the wire.

You see the HTTP traffic because you also have netflow configured inside the crypto tunnel, and HTTP is what's passing there.

You have netflow configured to look at the same traffic twice, so it's double accounted.

In fact, netflow on the physical interface will account slightly more bytes due to the crypto and tunnel encapsulation.

Tue, 11/27/2007 - 07:37


It is a single interface where the crypto map tunnel starts. I don't see a way to enable it only on the crypto map tunnel or only on the physical interface.



patwill66_2 Mon, 12/29/2008 - 04:46

I am having this same issue. I have the ip flow ingress command on the outside interface of the router (the interface that all the VPNs terminate on) and I am seeing double stats. Does anyone know a way to not see double? Would the ip route-cache flow command produce anything different?

Mon, 12/29/2008 - 04:55

Some of the NetFlow collectors have the ability to prevent the double counting of flows. Please check it with your NetFlow collector/Analyzer.



patwill66_2 Tue, 12/30/2008 - 07:23

This was it. I asked the vendor and they said they have an option to exclude ESP traffic from specific interfaces in their advanced configuration. I enabled that feature on the external interface on my VPN routers and now, today, I am seeing the correct stats.

Tue, 12/30/2008 - 22:03

Can you give me the info about the Analyzer you are using? It will be useful for our community.
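As an added illustration of the collector-side workaround described in this thread (example code written for this page, not from the thread or from any vendor's collector): it first flags interfaces whose records carry both ESP and cleartext flows, the symptom paitken explains, then drops protocol-50 records on the interfaces you choose, as patwill66_2's vendor option does. The record field names, ifIndex values and byte counts are constructed assumptions.

```python
"""Collector-side handling of NetFlow double counting on a crypto-map interface.

Assumes a collector has already decoded NetFlow v5 records into dicts with
'in_if' (ifIndex), 'proto' (IP protocol number) and 'bytes'. All values below
are constructed for the example; ifIndex 2 stands for the outside interface
where the crypto map is applied, ifIndex 3 for an inside interface.
"""
ESP = 50  # IP protocol number for IPsec ESP

# Constructed sample: each inner HTTP flow shows up twice on ifIndex 2, once as
# decrypted TCP seen inside the tunnel and once as ESP on the wire. The ESP
# copy is slightly larger because of the crypto and tunnel encapsulation.
SAMPLE_FLOWS = [
    {"in_if": 2, "proto": 6, "src": "10.1.1.10", "dst": "10.2.2.20", "bytes": 15000},
    {"in_if": 2, "proto": ESP, "src": "192.0.2.1", "dst": "198.51.100.1", "bytes": 15720},
    {"in_if": 2, "proto": 6, "src": "10.1.1.11", "dst": "10.2.2.21", "bytes": 8000},
    {"in_if": 2, "proto": ESP, "src": "192.0.2.1", "dst": "198.51.100.1", "bytes": 8480},
    {"in_if": 3, "proto": 17, "src": "10.1.1.12", "dst": "10.1.1.1", "bytes": 1200},
]


def split_bytes(flows):
    """Per ifIndex, return (esp_bytes, cleartext_bytes)."""
    out = {}
    for f in flows:
        esp, clear = out.get(f["in_if"], (0, 0))
        if f["proto"] == ESP:
            esp += f["bytes"]
        else:
            clear += f["bytes"]
        out[f["in_if"]] = (esp, clear)
    return out


def suspect_interfaces(flows):
    """Interfaces carrying both ESP and cleartext, with ESP bytes at least
    matching cleartext bytes: the signature of a tunnel terminating there."""
    return sorted(i for i, (esp, clear) in split_bytes(flows).items()
                  if esp and clear and esp >= clear)


def bytes_per_interface(flows, exclude_esp_on=frozenset()):
    """Total bytes per ifIndex, skipping ESP records on the listed interfaces
    (the collector-side exclusion that removes the second count)."""
    totals = {}
    for f in flows:
        if f["proto"] == ESP and f["in_if"] in exclude_esp_on:
            continue
        totals[f["in_if"]] = totals.get(f["in_if"], 0) + f["bytes"]
    return totals


def esp_overhead_ratio(flows, ifindex):
    """ESP bytes / cleartext bytes on one interface; slightly above 1.0 here."""
    esp, clear = split_bytes(flows)[ifindex]
    return esp / clear
```

Run `suspect_interfaces` first to find where the exclusion is warranted; applying it to an interface that legitimately forwards ESP (a transit router) would hide real traffic.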

