sipcapture / captagent

100% Open-Source Packet Capture Agent for HEP
https://sipcapture.org
GNU Affero General Public License v3.0

Captagent does not capture traffic destined for the ipsec tunnel #256

Closed Nikolaytk87 closed 1 year ago

Nikolaytk87 commented 1 year ago

Hi, we brought up an IPsec tunnel to the ISP, and a strange problem occurred. Traffic that goes from the provider through the IPsec tunnel to the server where captagent is installed is captured successfully, but traffic going the other way, from the server to the provider, is not seen by captagent.

What can be the problem?

Here are the configs, captagent.xml and socket_pcap.xml:

cat captagent.xml

<?xml version="1.0"?>
<!-- captagent core configuration as posted in this issue: global settings plus the list of modules to load. -->
<document type="captagent/xml">
        <configuration name="core.conf" description="CORE Settings" serial="2014024212">
            <settings>
                <!-- NOTE(review): the meaning of the debug levels is not shown here; a higher level would presumably log whether socket_pcap ever sees the outbound packets, confirm against the captagent docs -->
                <param name="debug" value="3"/>
                <param name="version" value="2"/>
                <param name="serial" value="2014056501"/>
                <param name="uuid" value="00781a4a-5b69-11e4-9522-bb79a8fcf0f3"/>
                <!-- daemon and syslog are both disabled here, which presumably keeps captagent in the foreground with its output on the terminal while diagnosing; confirm -->
                <param name="daemon" value="false"/>
                <param name="syslog" value="false"/>
                <param name="pid_file" value="/var/run/captagent.pid"/>
                <!-- Configure using installation path if different from default -->
                <param name="module_path" value="/usr/local/captagent/lib/captagent/modules"/>
                <!-- NOTE(review): the per-module file socket_pcap.xml (the second file in this issue) is presumably loaded from config_path, and the capture plans named in its profiles from capture_plans_path; confirm -->
                <param name="config_path" value="/usr/local/captagent/etc/captagent/"/>
                <param name="capture_plans_path" value="/usr/local/captagent/etc/captagent/captureplans"/>
                <param name="backup" value="/usr/local/captagent/etc/captagent/backup"/>
                <!-- NOTE(review): if captagent actually chroots here, the other paths above are presumably resolved relative to this directory at runtime; confirm -->
                <param name="chroot" value="/usr/local/captagent/etc/captagent"/>
            </settings>
        </configuration>
        <configuration name="modules.conf" description="Modules">
            <modules>

                <load module="transport_hep" register="local"/>
                <load module="protocol_sip" register="local"/>
                <load module="database_hash" register="local"/>
                <load module="protocol_rtcp" register="local"/>
                <!-- socket_pcap is the only capture socket loaded (socket_pfring and socket_tzsp stay commented out below);
                     its interface, promisc and BPF filter settings are the profiles in socket_pcap.xml -->
                <load module="socket_pcap" register="local"/>

                <!-- NOTE: Block required for RTCPXR socket + RTCPXR protocol -->
                <!--
                        <load module="protocol_rtcpxr" register="local"/>
                        <load module="socket_collector" register="local"/>
                -->

                <!-- optional sockets, protocols and outputs left disabled in this deployment -->
                <!--
                <load module="socket_tzsp" register="local"/>
                <load module="protocol_ss7" register="local"/>
                <load module="protocol_diameter" register="local"/>
                <load module="protocol_tls" register="local"/>
                <load module="output_json" register="local"/>
                <load module="protocol_rtcp" register="local"/>
                <load module="interface_http" register="local"/>
                <load module="database_redis" register="local"/>
                <load module="socket_pfring" register="local"/>
                -->
        </modules>
        </configuration>
</document>

cat socket_pcap.xml


<?xml version="1.0"?>
<!-- socket_pcap module configuration as posted in this issue: one libpcap capture profile per protocol.
     Only the SIP and RTCP profiles are enabled; all of them capture on the "any" pseudo-device.

     NOTE(review): this is the most likely place for the one-way capture described in the issue.
     Every enabled profile filters on TCP/UDP ports (e.g. "port 5060"), and a BPF port filter can
     only match packets that are still plain IP/TCP/UDP at the point where the capture sees them.
     On a host that terminates an IPsec tunnel, a capture on the ordinary interfaces presumably
     sees inbound packets after ESP decapsulation (plaintext, so they match) but outbound packets
     only after encapsulation (ESP, so they never match the port filter). That would reproduce
     exactly the symptom reported: provider->server captured, server->provider missing.
     Confirm with tcpdump on this host using the same filter; if confirmed, the capture has to be
     taken on the decrypted side of the tunnel (a dedicated IPsec/xfrm interface, if the tunnel
     provides one) rather than on "any". -->
<document type="captagent_module/xml">
    <module name="socket_pcap" description="HEP Socket" serial="2014010402">
        <!-- SIP profile: enabled, TCP/UDP port 5060 on every interface -->
        <profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
            <settings>
                <!-- NOTE(review): libpcap does not support promiscuous mode on the "any" pseudo-device,
                     so promisc="true" is presumably ignored for this and the other profiles; confirm -->
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <param name="websocket-detection" value="false"/>
                <param name="tcpdefrag" value="false"/>
                <param name="capture-plan" value="sip_capture_plan.cfg"/>
                <!-- BPF filter: matches either source or destination port 5060; ESP-encapsulated packets cannot match -->
                <param name="filter">
                    <value>port 5060</value>
                </param>
            </settings>
        </profile>
        <!-- TLS profile: disabled (enable="false") -->
        <profile name="socketspcap_tls" description="TLS Socket" enable="false" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <param name="tcpdefrag" value="true"/>
                <param name="capture-plan" value="tls_capture_plan.cfg"/>
                <param name="filter">
                    <value>tcp port 5061</value>
                </param>
            </settings>
        </profile>
        <!-- SCTP profile: disabled (enable="false"); filter is on IP protocol 132 (SCTP) rather than a port -->
        <profile name="socketspcap_sctp" description="SCTP Socket" enable="false" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="true"/>
                <param name="ipv4fragments" value="true"/>
                <param name="ipv6fragments" value="true"/>
                <param name="proto-type" value="sip"/>
                <param name="capture-plan" value="isup_capture_plan.cfg"/>
                <param name="filter">
                    <value>proto 132</value>
                </param>
            </settings>
        </profile>
        <!-- RTCP profile: enabled, port range 10000-30000 with a minimum packet length of 50 bytes -->
        <profile name="socketspcap_rtcp" description="RTCP Socket" enable="true" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <!-- size in MB -->
                <param name="ring-buffer" value="20"/>
                <!-- for rtp && rtcp < 250 -->
                <param name="snap-len" value="256"/>
                <param name="capture-filter" value="rtcp"/>
                <param name="capture-plan" value="rtcp_capture_plan.cfg"/>
                <!-- NOTE(review): same caveat as the SIP filter, a portrange match needs the packet to be plain TCP/UDP at the capture point -->
                <param name="filter">
                    <value>portrange 10000-30000 and len >=50 </value>
                </param>
            </settings>
        </profile>
        <!-- DIAMETER profile: disabled (enable="false") -->
        <profile name="socketspcap_diameter" description="DIAMETER Socket" enable="false" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <param name="tcpdefrag" value="true"/>
                <param name="capture-plan" value="diameter_capture_plan.cfg"/>
                <param name="filter">
                    <value>tcp port 3868</value>
                </param>
            </settings>
        </profile>
    </module>
</document>
lmangani commented 1 year ago

@Nikolaytk87 sorry, but we cannot guess the network configuration used on your system. Make sure you can see the traffic manually (wireshark, tshark, sngrep) before attempting to capture it blindly.