high utilization on my IPSec tunnel

Unanswered Question
Jan 11th, 2009

I have a GRE over IPSec tunnel that gets high bandwidth utilization every 2-3 days and stays like that for 2-3 days. I look at the traffic using netflow on the 2811 router and 95% of the packets in and out are either GRE or IPSec. I only have two tunnels on this router (tunnel mode). My question is are GRE and IPSec causing the spike in bandwidth and if so what can I do to fix it?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Sun, 01/11/2009 - 18:13


While NetFlow may report that most of the packets are GRE or IPSec, I doubt that GRE or IPSec are really causing the spike in bandwidth. Other than keepalives (which do not consume much bandwidth) GRE and IPSec do not just send packets spontaneously. They send packets where there is some traffic that needs to be transported. I believe that you will find that something is generating traffic that is using GRE andIPsec. It is what is in the payload of the GRE and IPSec that you need to address.



cirrushelpdesk Sun, 01/11/2009 - 21:19

That's kind of what I thought but how do I find that out? I am using Orion NPM but that doesn't tell me much. Would a sniffer be able to tell me what the actual packets are?

rajivrajan1 Sun, 01/11/2009 - 23:40


IPSEC traffic in encrypted and GRE is encapsulated as we know.

so you may enable the cache flow in inside interface(may be fastethernet- im just gussing as i dont know your network).

Or you must be aware of the intresting traffic defined for IPSEC whihc passes throgh GRE tunnel , where you can ground the source.

A detailed Stdy on ip accounting and Ip cache flow whould probably help you to figureout the same.

Richard Burts Mon, 01/12/2009 - 05:19


You were looking at NetFlow running on the outside interface when you saw that the traffic was GRE and IPSec. I agree with Rajeev that if you run NetFlow on the inside interface(es) you will probably see what traffic is increasing and causing the spike.




This Discussion