Hi,

Thanks for your comment.

I am talking about a ipsec cryptomap enabled tunnel interface. At the entry and exit of the tunnel when the traffic is decrypted and routed, you will see both the ESP_APP traffic and the actual application ( eg HTTP..) traffic.

Thanks

raj

Correct.

You see the ESP_APP traffic because netflow is enabled on the physical interface, and encrypted traffic is passing along the wire.

You see the HTTP traffic because you also have netflow configured inside the crypto tunnel, and HTTP is what's passing there.

You have netflow configured to look at the same traffic twice, so it's double accounted.

In fact, netflow on the physical interface will account slightly more bytes due to the crypto and tunnel encapsulation.

Hi,

It is a single interface where the crypto map tunnel starts. I dont see a way out to enable only on a crypto map tunnel or a physical interface.

Thanks

Raj

I am having this same issue. I have the ip flow ingress command on the outside interface of the router (the interface that all the VPNs terminate to) and I am seeing double stats. Does anyone know a way to not see double? Would the ip route-cache flow command produce anything different?

Some of the NetFlow collectors have the ability to prevent the double counting of flows. Please check it with your NetFlow collector/Analyzer.

Thanks

Raj

This was it. I asked the vendor and they said they have an option to exclude ESP traffic from specific interfaces in their advanced configuration. I enabled that feature on the external interface on my VPN routers and now today, I am seeing the correct stats.

Can you give me the info about the Analyzer you are using? It will be useful for our community.