Re: Embedded Packet Capture on a Virtual Tunnel Interface

benstrauss · ‎09-09-2009

I've noticed something idiosyncratic with respect to the behavior of the IOS Embedded Packet Capture (EPC) feature in IOS 12.4(22T).

I have a DMVPN virtual tunnel interface (IPSEC encrypted). When I apply an outbound-only EPC capture point for cef-switched packets to the tunnel interface and view the capture, I see only what I would expect to (and do) see on the tunnel's parent interface: ESP packets with the source and destination addresses of the DMVPN headends - the packets which comprise the tunnel, i.e. the outside of the tunnel. Inbound I see the traffic within the tunnel, as expected.

If the capture point is set to collect outbound-only process-switched packets instead of cef, I seem to see BOTH the process-switched packets within the tunnel and the encapsulating ESP packets.

Is this behavior documented anywhere?

Is there any way to capture the outbound tunnel contents for cef-switched packets?

Giuseppe Larosa · ‎09-10-2009

Hello Ben,

Cisco declares to be able to capture CEF switched packets

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1062149

However, you have evidence that for DMVPN packets this doesn't happen.

I don't know if adding a capture point can help.

You may open a Cisco SR for this with TAC.

Clearly the feature is new and the code may need to be tuned to cover a scenario like yours.

Hope to help

Giuseppe

benstrauss · ‎09-10-2009

Regardless of whether the traffic is CEF or process-switched, when capturing on a tunnel interface, I would never expect to see the packets that make up the tunnel. I would only expect to see the contents of the tunnel.

I should emphasize that this problem only occurs outbound; inbound packet capture works as expected, and I see the contents of the tunnel (and, quite properly, nothing else) when I capture either CEF or process-switched traffic.