I have a problem with monitoring ESP traffic, but unlike other posts (e.g. “How do I capture ESP VPN traffic? What port numbers do I use?” which was running in August this year), as far as I can see my router is not generating NetFlow packets for the ESP traffic.
The interface is carrying a mix of encrypted and plain traffic, and NetFlow is only reporting the plain traffic. My first thought was that, as a flow is identified by various parameters including transport source and destination port, and these are hidden in an ESP packet, maybe NetFlow just couldn’t cope with ESP. However, I’ve found many posts reporting problems with the way ESP data is handled by NetFlow analysers, especially “double accounting” problems.
I’ve checked the NetFlow messages with Wireshark, and the problem is definitely ESP not being reported by my router, not Orion NTA filtering out the traffic.
I've configured NetFlow on the router using the minimum set of commands, with defaults wherever they exist.
Do I have to do anything special to the Cisco 6505 router to make it generate NetFlow data for ESP traffic?
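As an added example (not from the original post or the router vendor), the script below decodes NetFlow v5 export datagrams, such as those captured with Wireshark, and tallies exported bytes per IP protocol so the absence of protocol 50 (ESP) is visible directly rather than by eye; the datagrams, addresses and byte counts are constructed test data.

```python
import struct
import socket
from collections import Counter

# NetFlow v5 export datagram: 24-byte header followed by `count` 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")  # version, count, sysuptime, unix_secs, unix_nsecs, seq, engine_type, engine_id, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets", "first", "last",
          "sport", "dport", "pad1", "tcp_flags", "proto", "tos", "src_as", "dst_as",
          "src_mask", "dst_mask", "pad2")
ESP = 50  # IP protocol number for ESP (RFC 4303)

def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 datagram into a list of flow-record dicts."""
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    records = []
    for i in range(count):
        raw = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(FIELDS, raw))
        rec["src"], rec["dst"] = socket.inet_ntoa(rec["src"]), socket.inet_ntoa(rec["dst"])
        records.append(rec)
    return records

def octets_by_proto(records: list) -> Counter:
    """Total exported bytes per IP protocol; ESP flows appear under key 50."""
    c = Counter()
    for r in records:
        c[r["proto"]] += r["octets"]
    return c

def esp_missing(records: list) -> bool:
    """True when the export contains no ESP flow at all (the symptom in the question)."""
    return ESP not in octets_by_proto(records)

def build_datagram(flows: list) -> bytes:
    """Constructed test data: (src, dst, proto, sport, dport, octets) tuples -> v5 datagram."""
    hdr = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                                10, o, 0, 0, sp, dp, 0, 0, p, 0, 0, 0, 24, 24, 0)
                    for s, d, p, sp, dp, o in flows)
    return hdr + body

# Constructed samples: an export carrying only cleartext flows, and one that also carries
# an ESP flow (ESP has no transport ports, so the port fields are left at 0 here).
PLAIN_ONLY = build_datagram([("10.0.0.5", "10.0.1.9", 6, 443, 51022, 12000),
                             ("10.0.0.7", "10.0.1.3", 17, 53, 40001, 300)])
WITH_ESP = build_datagram([("10.0.0.5", "10.0.1.9", 6, 443, 51022, 12000),
                           ("192.0.2.1", "198.51.100.2", 50, 0, 0, 98000)])
```

Feeding real exporter datagrams (the UDP payloads from the Wireshark capture) to `parse_netflow_v5` and checking `esp_missing` confirms whether the router omits ESP before any collector-side filtering is involved.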