Symptom
The egress cflowd record shows the egress interface as cpu instead of ipsec:
                                                       TCP                                                                           TIME    EGRESS
                             SRC    DEST        IP     CNTRL  ICMP                 TOTAL  TOTAL  MIN  MAX                            TO      INTF    INGRESS    APP
VPN  SRC IP         DEST IP  PORT   PORT  DSCP  PROTO  BITS   OPCODE  NHOP IP      PKTS   BYTES  LEN  LEN  START TIME                EXPIRE  NAME    INTF NAME  ID
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
21   192.168.21.10  8.8.8.8  39779  53    0     17     0      0       172.16.21.2  1      74     74   74   Thu Oct 14 00:33:39 2021  55      cpu     ge0/2.101  72
The next hop is 172.16.21.2, which is the IPsec tunnel destination.
interface ipsec1
 ip address 172.16.121.2/30
 tunnel-source-interface ge0/1.101
 tunnel-destination 172.16.21.2
vm8# show ip routes vpn 21
                          PROTOCOL  NEXTHOP  NEXTHOP       NEXTHOP
VPN  PREFIX     PROTOCOL  SUB TYPE  IF NAME  ADDR          VPN      TLOC IP  COLOR  ENCAP  STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
21   0.0.0.0/0  static    -         ipsec1   172.16.121.1  -        -        -      -      F,S