A VPN is the usual way to send traffic securely between offices, and in an enterprise network that VPN is most often an IPsec tunnel.

Any enterprise running such tunnels also wants to monitor the traffic mix and bandwidth utilization inside them. This is where NetFlow comes in: the routers that terminate IPsec tunnels (and most other tunnel types) can export NetFlow records for the tunnel interfaces. Enable NetFlow export on the tunnel interface, point the exporter at NetFlow Analyzer, and the reports are available within minutes.

There is a catch, though. Traffic is encrypted as it enters the tunnel and decrypted at the far end before being routed on. The router exports one flow record for the cleartext traffic (for example HTTP) and, once that traffic has been encapsulated, a second record for the same bytes, now classified as ESP (IP protocol 50). Any NetFlow-based reporting tool that simply sums these records counts the same traffic twice on the tunnel-edge interfaces, and the bandwidth utilization figures come out wrong.

ESP Traffic is shown in traffic reports.

When accurate figures drive cost control and capacity planning, that error cannot be tolerated. ManageEngine NetFlow Analyzer therefore adds an option to filter out the ESP traffic. In a few steps you mark the tunnel interfaces concerned, and the ESP records on them are no longer double counted in bandwidth utilization reports.

To enable it, open Product Settings under Admin Operations and click the Advanced Settings tab. Under Flow Filter Settings, select the interfaces that form the edge of a tunnel. From then on the ESP traffic on those interfaces is excluded from bandwidth reports and the tunnel bandwidth figures are correct. Note that the filter removes only the ESP records that are the encrypted copy of traffic already reported in cleartext; ESP that merely transits a selected interface is genuine load and still appears in the reports.

Enable filter for an interface from Advanced Settings tab

No more ESP Traffic in reports

Our team is also working on a filter for GRE traffic (IP protocol 47), where the same double count occurs when traffic is encapsulated in a GRE tunnel: GRE provides no encryption, but the encapsulated copy is still reported a second time alongside the original flow. We would like to hear from you if GRE traffic has been double counted in your reports, and how you would like this feature to work.
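To make the double count and the filter concrete, here is an added example (not NetFlow Analyzer's own code) of the accounting the ESP filter described above performs, extended to the GRE case. It assumes a simplified flow record (Flow) and a constructed NetFlow export from a single router; the rule it uses to tell a re-encapsulated copy from transit ESP/GRE (the tunnel endpoint address belongs to the exporting router) is an assumption of this example, not the product's documented logic.

```python
"""Flow accounting that removes ESP/GRE double counting on tunnel-edge interfaces.

Added example, not ManageEngine NetFlow Analyzer code. Model assumed here: the
router exports one NetFlow record for a cleartext flow (e.g. HTTP) and, after
IPsec or GRE encapsulation, a second record for the same bytes on the
tunnel-edge interface, classified as ESP (IP protocol 50) or GRE (IP protocol
47). An ESP/GRE record is treated as the router's own re-encapsulated copy when
one of its addresses is a local tunnel endpoint (assumption); ESP/GRE that only
transits the interface is genuine load and is kept.
"""
from collections import defaultdict
from dataclasses import dataclass

ESP = 50   # IP protocol number for IPsec ESP
GRE = 47   # IP protocol number for GRE
ENCAP_PROTOCOLS = {ESP, GRE}


@dataclass(frozen=True)
class Flow:
    src: str       # source address as exported
    dst: str       # destination address as exported
    proto: int     # IP protocol number (6 TCP, 17 UDP, 50 ESP, 47 GRE)
    ifindex: int   # interface the exporter attributes the record to
    bytes: int     # octets counted for the flow


# Constructed sample export from a router whose tunnel-edge interface is
# ifindex 2 and whose own tunnel endpoint address is 203.0.113.1.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.2.2.20", 6, 2, 120_000),          # HTTP, cleartext record
    Flow("203.0.113.1", "198.51.100.1", ESP, 2, 125_000),   # same bytes, ESP copy
    Flow("10.1.1.11", "10.2.2.21", 17, 2, 30_000),          # DNS, cleartext record
    Flow("203.0.113.1", "198.51.100.7", GRE, 2, 32_000),    # same bytes, GRE copy
    Flow("192.0.2.5", "192.0.2.9", ESP, 2, 40_000),         # transit ESP, real load
    Flow("10.1.1.12", "10.1.1.1", 6, 1, 9_000),             # LAN-only flow, ifindex 1
]


def is_local_encapsulation(flow, local_endpoints):
    """True when the record is the router's own ESP/GRE encapsulation of a flow
    it has already exported in cleartext: the tunnel source or destination is
    one of this router's tunnel endpoint addresses (assumed rule)."""
    return flow.proto in ENCAP_PROTOCOLS and (
        flow.src in local_endpoints or flow.dst in local_endpoints
    )


def interface_bytes(flows, tunnel_edge_ifindexes=frozenset(), local_endpoints=frozenset()):
    """Per-interface byte totals.

    On interfaces listed in tunnel_edge_ifindexes the locally generated ESP/GRE
    copies are skipped, because their bytes were already counted from the
    cleartext record. Everything else, including transit ESP/GRE, counts as usual.
    """
    totals = defaultdict(int)
    for flow in flows:
        if flow.ifindex in tunnel_edge_ifindexes and is_local_encapsulation(flow, local_endpoints):
            continue
        totals[flow.ifindex] += flow.bytes
    return dict(totals)


def double_counted_bytes(flows, tunnel_edge_ifindexes, local_endpoints):
    """Bytes per interface that a naive sum reports twice."""
    naive = interface_bytes(flows)
    filtered = interface_bytes(flows, tunnel_edge_ifindexes, local_endpoints)
    return {i: naive[i] - filtered.get(i, 0) for i in naive if naive[i] != filtered.get(i, 0)}


if __name__ == "__main__":
    edges, local = {2}, {"203.0.113.1"}
    print("naive   :", interface_bytes(SAMPLE_FLOWS))
    print("filtered:", interface_bytes(SAMPLE_FLOWS, edges, local))
    print("removed :", double_counted_bytes(SAMPLE_FLOWS, edges, local))
```

With the sample data the naive total on ifindex 2 is 347,000 bytes, of which 157,000 are the ESP and GRE copies of the 150,000 cleartext bytes (the difference being the encapsulation overhead); with ifindex 2 marked as a tunnel edge the total drops to 190,000, the transit ESP flow still counted. Marking an interface that carries only transit ESP changes nothing, which is the behaviour to expect from the filter.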

Don Thomas Jacob
NetFlow Analyzer Team

  1. Hi,

    Only the ESP and GRE traffic that actually causes a double count will be filtered. If the tunnel traffic in your case just passes through the selected interface, it will still be shown, as it does not cause any double count.

    Regards,
    Don Thomas

  2. Fabio

    I'm having the same problem. I've enabled the ESP filter but nothing happened. The interface that should have the ESP traffic filtered is from a Cisco ASA 5540. Could you help me?

  3. I've done that (with the GRE filter) and can still see gre_app in traffic reports.

  4. Karthik

    Hi,

    Only the ESP traffic which leads to double counting will be excluded.

    Thanks and Regards,
    Karthik

  5. gsandorx

    Hi,
    If I enable the filter, will my ESP traffic be accounted for?
    Thanks and regards,
    Sandor