Summary
When looking at the Real Time Monitor, ESP traffic can in some instances be seen as ICMP traffic due to an erroneous classification.
Overview
The 'Real Time Monitor' page shows each flow under the classification it has been assigned. There have been some instances where misclassification has occurred. In some cases, Encapsulating Security Payload (ESP) traffic, a part of the IPsec protocol, is classified as ICMP (ping) traffic. As a result, any prioritization or optimization configured for ESP traffic is not applied, because the traffic is being classified as another type of traffic.
Cause
Though the ESP classification is one that has been in Exinda for a long time, a certain scenario led to the misclassification of the traffic: if ESP traffic was established and then ICMP traffic (pings, traceroute, etc.) was sent through the ESP tunnel, all the ESP traffic from that point onwards would be classified as ICMP.
This is because the ESP protocol in the Exinda is, by default, not set to use the 'esp' definition. Even though the traffic shows up as ESP in the Real Time Monitor, behind the scenes it was unclassified. When ICMP traffic came through, the flow was classified as ICMP and, due to this bug, did not revert to unclassified once the ICMP traffic was done.
Workaround
In v7.0.3u1 and earlier, manually create an application to classify ESP traffic. This can be done through the following:
1. Navigate to the Application page (Configuration > Objects > Applications)
2. Add a new application
   a) Give it the name "ESP"
   b) Leave network object blank
   c) Leave DSCP blank
   d) Leave L7 Signatures blank
   e) Under 'Ports/Protocols', ensure 'Protocols' is selected from the first drop-down. Under the second drop-down, choose 'esp'.
   f) Click 'Add New Application'
See the image below for a guide.