3 Replies Latest reply on Nov 14, 2011 10:11 AM by jswan

    Generating NetFlow from ESP traffic

    Emlyn

      I have a problem with monitoring ESP traffic, but unlike other posts (e.g. “How do I capture ESP VPN traffic? What port numbers do I use?” which was running in August this year), as far as I can see my router is not generating NetFlow packets for the ESP traffic.

      The interface is carrying a mix of encrypted and plain traffic, and NetFlow is only reporting the plain traffic. My first thought was that, as a flow is identified by various parameters including transport source and destination port, and these are hidden in an ESP packet, maybe NetFlow just couldn’t cope with ESP. However, I’ve found many posts reporting problems with the way ESP data is handled by NetFlow analysers, especially “double accounting” problems.

      I’ve checked the NetFlow messages with Wireshark, and the problem is definitely ESP not being reported by my router, not Orion NTA filtering out the traffic.

      I've configured NetFlow on the router using the minimum set of commands, with defaults wherever they exist.

      Do I have to do anything special to the Cisco 6505 router to make it generate NetFlow data for ESP traffic?

        • Re: Generating NetFlow from ESP traffic
          jswan

          Does the router show it with "show ip cache flow"? You can filter for ESP with this command:

          sh ip cache flow | i _32_.+

          If it's in the NetFlow cache but not being exported, I'd open a TAC case.

            • Re: Generating NetFlow from ESP traffic
              Emlyn

              jswan – Thank you.

              sh ip cache flow is showing small numbers of packets with the expected IP addresses for our non-encrypted flows, and is also showing large numbers of packets with source address 0.0.0.0 and destination address 0.0.0.0. I assume this is our encrypted traffic, but I would expect it to have the addresses of the encryption endpoints, and it is never exported.

              Any ideas?

                • Re: Generating NetFlow from ESP traffic
                  jswan

                  I don't know why you're seeing packets with zero source/destination addresses. As you say, you should be seeing the addresses of the crypto endpoints.

                  By chance, are you trying to export the flows *through* a tunnel configured with a crypto-map statement on the same router that generated the flow export packets? Last I checked, this wasn't supported in IOS.
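The check the thread converges on is whether ESP records are actually leaving the router, and whether the ones that do carry the crypto endpoint addresses or the 0.0.0.0 pairs Emlyn saw in the cache. jswan's `show ip cache flow` filter matches the protocol column, which IOS prints in hex, so `_32_` is IP protocol 50 (ESP). The script below does the same thing on the export side: it decodes NetFlow v5 datagrams as a collector would receive them, pulls out the protocol-50 records, and flags zero-address endpoints. It is an added example, not code from any of the posts, and it assumes the router exports NetFlow v5 (v9 or IPFIX would need template parsing); the sample datagram is constructed inline so the script runs offline.

```python
"""Parse NetFlow v5 export datagrams and pick out ESP (IP protocol 50) flows.

Added example for this thread, not code from the original posts. Assumes
NetFlow v5 export; the datagram used below is constructed inline.
"""
import socket
import struct
from dataclasses import dataclass

ESP = 50                                        # IP protocol 50 == 0x32 in IOS's hex protocol column
HDR = struct.Struct(">HHIIIIBBH")               # NetFlow v5 header, 24 bytes
REC = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def parse_v5(pkt: bytes) -> list[Flow]:
    """Decode one NetFlow v5 export datagram (the UDP payload) into Flow records."""
    if len(pkt) < HDR.size:
        raise ValueError("payload shorter than a v5 header")
    version, count, *_ = HDR.unpack_from(pkt, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(pkt) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram: header count exceeds payload length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _ifin, _ifout, pkts, octets, _first, _last,
         sport, dport, _pad, _tcpflags, proto, _tos, *_rest) = REC.unpack_from(pkt, HDR.size + i * REC.size)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          proto, sport, dport, pkts, octets))
    return flows


def esp_flows(flows):
    """ESP records the router actually exported (the thing the OP could not find)."""
    return [f for f in flows if f.proto == ESP]


def zero_endpoint_flows(flows):
    """Records whose endpoints are 0.0.0.0, like the cache entries Emlyn described."""
    return [f for f in flows if f.src == "0.0.0.0" or f.dst == "0.0.0.0"]


def summarize(pkt: bytes) -> dict:
    """Counts a practitioner would compare against 'show ip cache flow' on the router."""
    flows = parse_v5(pkt)
    esp = esp_flows(flows)
    return {
        "total": len(flows),
        "esp": len(esp),
        "esp_octets": sum(f.octets for f in esp),
        "zero_endpoint": len(zero_endpoint_flows(flows)),
    }


def build_v5(records, seq=1) -> bytes:
    """Build a v5 datagram from (src, dst, proto, sport, dport, pkts, octets) tuples.

    Only used here to construct test input; a real collector receives these over UDP.
    Ports are 0 for ESP, as there is no transport header to read them from.
    """
    hdr = HDR.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), b"\x00" * 4,
                 1, 2, pk, oc, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for s, d, proto, sp, dp, pk, oc in records)
    return hdr + body


# Constructed sample (RFC 5737 addresses): two cleartext flows, one ESP flow
# between the crypto endpoints (what a healthy export looks like), and one
# zero-address ESP entry of the kind seen in the cache.
SAMPLE = build_v5([
    ("192.0.2.10", "198.51.100.20", 6, 51234, 443, 12, 6000),
    ("192.0.2.11", "198.51.100.53", 17, 40000, 53, 2, 180),
    ("203.0.113.1", "203.0.113.2", ESP, 0, 0, 900, 1_200_000),
    ("0.0.0.0", "0.0.0.0", ESP, 0, 0, 4000, 5_000_000),
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for f in esp_flows(parse_v5(SAMPLE)):
        print(f)
```

To use it against a real router, capture the export stream on the collector (for example `tcpdump -nn udp port 2055 -w nf.pcap`, substituting whatever export port is configured), extract each UDP payload from the capture, and pass it to `parse_v5()`. If `esp` stays at zero while the router's cache shows protocol 32 entries, the records are being created but not exported, which is the case jswan suggests taking to TAC; if they are exported but land in `zero_endpoint`, the problem is the addresses the router puts in the record, not the collector.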