11-20-2007 06:18 AM
NetFlow data export double counts for ESP protocol on a cryptomap tunnel interface. Is it the same case in VPN tunnel mode?
Can anyone brief me on this?
11-27-2007 04:13 AM
Double counting happens when you have netflow enabled on both the tunnel and physical interfaces.
If you configure netflow to observe the traffic twice, then it will!
11-27-2007 07:18 AM
Hi,
Thanks for your comment.
I am talking about an IPsec cryptomap-enabled tunnel interface. At the entry and exit of the tunnel, when the traffic is decrypted and routed, you will see both the ESP_APP traffic and the actual application (e.g. HTTP) traffic.
Thanks
raj
11-27-2007 07:34 AM
Correct.
You see the ESP_APP traffic because netflow is enabled on the physical interface, and encrypted traffic is passing along the wire.
You see the HTTP traffic because you also have netflow configured inside the crypto tunnel, and HTTP is what's passing there.
You have netflow configured to look at the same traffic twice, so it's double accounted.
In fact, netflow on the physical interface will account slightly more bytes due to the crypto and tunnel encapsulation.
11-27-2007 07:37 AM
Hi,
It is a single interface where the crypto map tunnel starts. I don't see a way to enable it only on a crypto map tunnel or a physical interface.
Thanks
Raj
12-29-2008 04:46 AM
I am having this same issue. I have the ip flow ingress command on the outside interface of the router (the interface that all the VPNs terminate to) and I am seeing double stats. Does anyone know a way to not see double? Would the ip route-cache flow command produce anything different?
12-29-2008 04:55 AM
Some of the NetFlow collectors have the ability to prevent the double counting of flows. Please check it with your NetFlow collector/Analyzer.
Thanks
Raj
12-30-2008 07:23 AM
This was it. I asked the vendor and they said they have an option to exclude ESP traffic from specific interfaces in their advanced configuration. I enabled that feature on the external interface on my VPN routers and now today, I am seeing the correct stats.
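The collector-side fix described in this thread, sketched as an added example (not the vendor's code and not something posted by a participant): ESP flows (IP protocol 50) are dropped on the listed interfaces before bytes are totalled, so only the decrypted application flows are counted there. The record layout, the interface names and all sample values are constructed assumptions.

```python
from collections import defaultdict

ESP = 50  # IANA-assigned IP protocol number for ESP

# Constructed sample flow records (assumed layout, not real export data).
# "outside" stands for the interface where the crypto map is applied.
FLOWS = [
    # Encrypted packet as seen on the wire.
    {"in_if": "outside", "proto": ESP, "src": "198.51.100.7",
     "dst": "203.0.113.1", "dport": 0, "bytes": 1560},
    # The same traffic after decryption (HTTP), reported on the same interface.
    {"in_if": "outside", "proto": 6, "src": "10.1.1.20",
     "dst": "10.2.2.80", "dport": 80, "bytes": 1400},
    # Unrelated clear-text flow on the same interface; must still be counted.
    {"in_if": "outside", "proto": 6, "src": "192.0.2.44",
     "dst": "203.0.113.1", "dport": 22, "bytes": 300},
    # ESP transiting an interface that is NOT in the exclusion list.
    {"in_if": "inside", "proto": ESP, "src": "10.2.2.5",
     "dst": "10.9.9.9", "dport": 0, "bytes": 500},
]


def bytes_per_interface(flows, esp_excluded_ifs=frozenset()):
    """Sum bytes per ingress interface, skipping ESP on excluded interfaces.

    Returns (totals, excluded_bytes) so the operator can see how much
    traffic the exclusion removed from the report.
    """
    totals = defaultdict(int)
    excluded = 0
    for flow in flows:
        if flow["proto"] == ESP and flow["in_if"] in esp_excluded_ifs:
            excluded += flow["bytes"]
            continue
        totals[flow["in_if"]] += flow["bytes"]
    return dict(totals), excluded


if __name__ == "__main__":
    print("no exclusion:  ", bytes_per_interface(FLOWS))
    print("ESP excluded:  ", bytes_per_interface(FLOWS, {"outside"}))
```

The exclusion is per interface on purpose: ESP flows seen on an interface that does not terminate the tunnels have no decrypted counterpart in the export, so dropping them there would undercount.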
12-30-2008 10:03 PM
Can you give me the info about the Analyzer you are using? It will be useful for our community.