Why am I seeing *.ip.50 as a protocol instead of the ports in Protocol reports?

Document ID : KB000092977
Last Modified Date : 22/05/2018
Question:
Why are Protocol reports showing esp (*.ip.50) instead of the actual ports the interface is using?
Environment:
NFA All Versions
Answer:
Protocol ID 50 is Encapsulating Security Payload (ESP), the encrypted IPsec transport. Because the traffic is encrypted, the NetFlow records for it carry no SrcPort or DstPort.
NFA needs the source port and destination port to determine which port the traffic is seen on. When a flow record has no srcport or dstport, NFA falls back to the NetFlow protocol field to display the protocol information, which is why the report shows esp (*.ip.50) rather than a port. A list of common protocol IDs can be found here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959827(v=technet.10)
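The fallback rule described above, shown as an added example (not NFA's own code): it decodes constructed NetFlow v5 flow records and labels each one by port when ports are present, or by IP protocol number when they are zero. The "*.ip.<n>" label shape follows this article; the choice of the lower non-zero port as the service port is an assumption.

```python
import ipaddress
import struct

# NetFlow v5 flow record (48 bytes; follows the 24-byte export header).
# Field order is the standard v5 layout; only a few fields are used below.
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
V5_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
             "dOctets", "First", "Last", "srcport", "dstport", "pad1",
             "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
             "dst_mask", "pad2")
# Small subset of IANA protocol numbers, enough for the cases discussed here.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}

def parse_v5_record(raw: bytes) -> dict:
    """Decode one 48-byte NetFlow v5 flow record into a dict."""
    rec = dict(zip(V5_FIELDS, V5_RECORD.unpack(raw)))
    rec["srcaddr"] = str(ipaddress.IPv4Address(rec["srcaddr"]))
    rec["dstaddr"] = str(ipaddress.IPv4Address(rec["dstaddr"]))
    return rec

def protocol_label(rec: dict) -> str:
    """Display rule from the KB: if the record carries a source or destination
    port, report on that port; otherwise fall back to the IP protocol number.
    Picking the lower non-zero port as the service port is an assumption."""
    ports = [p for p in (rec["srcport"], rec["dstport"]) if p]
    name = PROTO_NAMES.get(rec["prot"], f"ip{rec['prot']}")
    if ports:
        return f"{name}/{min(ports)}"
    return f"{name} (*.ip.{rec['prot']})"

def make_record(src, dst, srcport, dstport, prot, octets=1500) -> bytes:
    """Build a constructed v5 record; addresses and counters are sample data."""
    return V5_RECORD.pack(int(ipaddress.IPv4Address(src)),
                          int(ipaddress.IPv4Address(dst)), 0, 1, 2,
                          10, octets, 1000, 2000, srcport, dstport, 0,
                          0, prot, 0, 0, 0, 24, 24, 0)

# Constructed sample export: one IPsec ESP flow (ports 0) and one HTTPS flow.
SAMPLE_RECORDS = [
    make_record("192.0.2.10", "198.51.100.20", 0, 0, 50),
    make_record("192.0.2.11", "198.51.100.21", 51514, 443, 6),
]

def labels_for(records) -> list:
    """Label every record in an export the way the report would show it."""
    return [protocol_label(parse_v5_record(r)) for r in records]

if __name__ == "__main__":
    for raw in SAMPLE_RECORDS:
        r = parse_v5_record(raw)
        print(r["srcaddr"], "->", r["dstaddr"], "prot", r["prot"],
              "ports", r["srcport"], r["dstport"], "=>", protocol_label(r))
```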

You can verify this in Wireshark by capturing the NetFlow data from a device on the Harvester, following the steps in the KB article "How can I determine if a NetFlow enabled device is sending the correct fields and data using WireShark?"

Then look for flows with "Protocol: Encap Security Payload (50)", as in the screenshot below; you will notice that SrcPort and DstPort are both 0:
[Screenshot: Wireshark NetFlow decode showing Protocol: Encap Security Payload (50) with SrcPort 0 and DstPort 0]
This is a limitation of the NetFlow export on the device itself. Check with your vendor to see whether there is a configuration option that allows IPsec traffic to show the actual ports in the NetFlow data it exports.