Cisco Support Community
New Member

Double counting of NetFlow traffic on a cryptomap tunnel

NetFlow data export double counts for ESP protocol on a cryptomap tunnel interface. Is it the same case in VPN tunnel mode?

Can anyone brief me on this?

8 REPLIES
New Member

Re: Double counting of NetFlow traffic on a cryptomap tunnel

Double counting happens when you have netflow enabled on both the tunnel and physical interfaces.

If you configure netflow to observe the traffic twice, then it will!

New Member

Re: Double counting of NetFlow traffic on a cryptomap tunnel

Hi,

Thanks for your comment.

I am talking about an IPsec crypto map enabled tunnel interface. At the entry and exit of the tunnel, when the traffic is decrypted and routed, you will see both the ESP_APP traffic and the actual application (e.g. HTTP) traffic.

Thanks

raj

New Member

Re: Double counting of NetFlow traffic on a cryptomap tunnel

Correct.

You see the ESP_APP traffic because netflow is enabled on the physical interface, and encrypted traffic is passing along the wire.

You see the HTTP traffic because you also have netflow configured inside the crypto tunnel, and HTTP is what's passing there.

You have netflow configured to look at the same traffic twice, so it's double accounted.

In fact, netflow on the physical interface will account slightly more bytes due to the crypto and tunnel encapsulation.

New Member

Re: Double counting of NetFlow traffic on a cryptomap tunnel

Hi,

It is a single interface where the crypto map tunnel starts. I don't see a way to enable it only on the crypto map tunnel or only on the physical interface.

Thanks

Raj

New Member

Re: Double counting of NetFlow traffic on a cryptomap tunnel

I am having this same issue. I have the ip flow ingress command on the outside interface of the router (the interface that all the VPNs terminate on) and I am seeing double stats. Does anyone know a way to not see double? Would the ip route-cache flow command produce anything different?

New Member

Re: Double counting of NetFlow traffic on a cryptomap tunnel

Some of the NetFlow collectors have the ability to prevent the double counting of flows. Please check it with your NetFlow collector/Analyzer.

Thanks

Raj

New Member

Re: Double counting of NetFlow traffic on a cryptomap tunnel

This was it. I asked the vendor and they said they have an option to exclude ESP traffic from specific interfaces in their advanced configuration. I enabled that feature on the external interface on my VPN routers and now today, I am seeing the correct stats.
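
The following is an added example, not code from this thread, from Cisco, or from any NetFlow collector vendor. It shows, on constructed flow records, both points made above: why the same HTTP session shows up twice (once as ESP on the outside interface, once as decrypted HTTP, with the ESP record carrying extra bytes for the ESP and outer IP encapsulation) and how a collector-side rule that drops ESP records from a chosen interface removes the double count. The ifIndex values, the sample flows and the byte counts are assumptions made up for the demonstration; protocol number 50 for ESP is the IANA assignment.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# IANA IP protocol numbers.
ESP = 50   # Encapsulating Security Payload
TCP = 6
UDP = 17

# Assumption: SNMP ifIndex 1 is the outside interface where the crypto map
# (and "ip flow ingress") is applied; ifIndex 2 is some other interface.
OUTSIDE_IF = 1
OTHER_IF = 2


@dataclass(frozen=True)
class FlowRecord:
    """A simplified NetFlow v5-style record (constructed, not exported by a real router)."""
    input_if: int     # ifIndex the router reports the flow was observed on
    src: str
    dst: str
    proto: int
    src_port: int
    dst_port: int
    packets: int
    bytes: int


# Constructed sample export. Records 1 and 2 are the same HTTP session seen
# twice on the outside interface: first as ESP on the wire, then again after
# decryption as plain HTTP. Per packet the ESP record is larger (outer IP
# header + ESP header/IV/padding/ICV), so the outside total is slightly higher.
SAMPLE_FLOWS: List[FlowRecord] = [
    FlowRecord(OUTSIDE_IF, "203.0.113.5", "198.51.100.9", ESP, 0, 0, 120, 96000),
    FlowRecord(OUTSIDE_IF, "10.1.1.20", "10.2.2.40", TCP, 51234, 80, 120, 88800),
    # Plain (non-VPN) DNS on the outside interface: must survive the filter.
    FlowRecord(OUTSIDE_IF, "10.1.1.20", "198.51.100.53", UDP, 40001, 53, 10, 1200),
    # ESP arriving on another interface that is not in the exclusion set.
    FlowRecord(OTHER_IF, "192.0.2.7", "198.51.100.9", ESP, 0, 0, 50, 40000),
]


def exclude_esp(flows: Iterable[FlowRecord], interfaces: Set[int]) -> List[FlowRecord]:
    """Collector-side rule: drop ESP records observed on the given interfaces.

    Mirrors the "exclude ESP traffic from specific interfaces" option described
    in the thread; only the outer, encrypted copy is dropped, the decrypted
    inner flow and all non-ESP traffic on those interfaces are kept.
    """
    return [f for f in flows if not (f.proto == ESP and f.input_if in interfaces)]


def total_bytes(flows: Iterable[FlowRecord]) -> int:
    return sum(f.bytes for f in flows)


def bytes_by_protocol(flows: Iterable[FlowRecord]) -> Dict[int, int]:
    """Byte totals keyed by IP protocol number, useful for spotting an ESP/HTTP pair."""
    totals: Dict[int, int] = {}
    for f in flows:
        totals[f.proto] = totals.get(f.proto, 0) + f.bytes
    return totals


def per_packet_overhead(esp_flow: FlowRecord, inner_flow: FlowRecord) -> int:
    """Average encapsulation overhead in bytes per packet for a matched ESP/inner pair.

    Both records describe the same packets, so the packet counts must agree.
    """
    if esp_flow.proto != ESP or esp_flow.packets != inner_flow.packets:
        raise ValueError("records do not describe the same packet stream")
    return (esp_flow.bytes - inner_flow.bytes) // esp_flow.packets


def overcount_percent(flows: List[FlowRecord], interfaces: Set[int]) -> float:
    """How much the raw export over-reports relative to the de-duplicated view."""
    raw = total_bytes(flows)
    dedup = total_bytes(exclude_esp(flows, interfaces))
    return round(100.0 * (raw - dedup) / dedup, 1)


if __name__ == "__main__":
    print("raw total bytes:      ", total_bytes(SAMPLE_FLOWS))
    print("after ESP exclusion:  ", total_bytes(exclude_esp(SAMPLE_FLOWS, {OUTSIDE_IF})))
    print("by protocol (raw):    ", bytes_by_protocol(SAMPLE_FLOWS))
    print("ESP overhead / packet:", per_packet_overhead(SAMPLE_FLOWS[0], SAMPLE_FLOWS[1]))
    print("over-reporting:       ", overcount_percent(SAMPLE_FLOWS, {OUTSIDE_IF}), "%")
```

Running the script shows the raw export at 226000 bytes against 130000 after the ESP records on the outside interface are dropped; the ESP copy of the HTTP session is 60 bytes per packet heavier than the decrypted copy, which is the "slightly more bytes" effect described earlier in the thread. The filter is keyed on interface as well as protocol on purpose: ESP that arrives on an interface without a crypto map is not decrypted by this router and would otherwise vanish from the accounting.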

New Member

Re: Double counting of NetFlow traffic on a cryptomap tunnel

Can you give me the info about the Analyzer you are using? It will be useful for our community.
