IPSec Stats Question

Unanswered Question
Mar 5th, 2007

I have IPSec tunnels successfully running between 4 Cisco 1841 & 2821 routers, question is: The number of packets encrypted and decrypted on the tunnels is very different, there are about 25% more packets getting encrypted than there are getting decrypted. Is this normal? What is happening to these "missing" packets?

Thanks in advance! Mitchell

Kamal Malhotra Mon, 03/05/2007 - 23:26

Hi Mitchell,

The number of packets encapsulated and decapsulated would depend on the kind of traffic passing, e.g. FTP, where normally most of the traffic is unidirectional, in the sense that we generally either upload data or download data. So there can be a difference. The more important thing would be to look at the number of packets encapsulated and decapsulated on the peer. If the decap is 25% higher than the encap, then I would say, don't worry.


Please rate if it helps.



mitchell.smith Tue, 03/06/2007 - 06:21

Hi Kamal,

Thanks for your help. Here are my traffic stats as of this morning, between 2 peers, using show crypto ipsec sa:

Router A:

encap: 20933252 encrypt: 20933252 digest: 20933252 decap: 35011197 decrypt: 35011197 verify: 3501197

Router B:

encap: 30413886 encrypt: 30413886 digest: 30413886 decap: 17706642 decrypt: 17706642 verify: 17706642

Does this look normal? I am a bit new at IPSec tunnels and do not know what normal looks like.

Thanks for the assistance!


kaachary Tue, 03/06/2007 - 06:27

Hi Mitchell,

If you are not observing any kind of performance issues or delays across the tunnel, then I guess the settings (encaps/decaps) are pretty much OK.

We would be concerned with the packet loss if we see any kind of issues with the tunnel.


Kamal Malhotra Tue, 03/06/2007 - 07:49

Hi Mitchell,

As you can see, the encaps are higher on one end and the decaps are higher on the other. Similarly, the encaps are lower on one end and the decaps are lower on the other. This looks normal and also indicates that most of the traffic is unidirectional, something like FTP. I would suggest you not worry, especially, as Kanishka mentioned, if you are not experiencing any performance issues. :-)


Please rate if it helps.
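The cross-peer comparison Kamal describes (one router's encaps against the other router's decaps, per direction) is easy to get wrong by eye, so here is an added example, not code from the original thread, that parses the counter lines of IOS "show crypto ipsec sa" from both peers and reports each direction separately. The two output samples are constructed in the IOS layout, filled with the counter values posted above (the local/remote ident addresses, the 1% loss threshold and the function names are assumptions for the example). It also encodes the caveat a practitioner wants: the counters belong to the current SA and start over at rekey, so if the receiver's decaps exceed the sender's encaps the two outputs were not taken within the same SA lifetime and the comparison is invalid.

```python
"""Parse IOS 'show crypto ipsec sa' counters from two IPsec peers and compare
them per direction.  Added example; not code from the original thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample text in the layout of IOS 'show crypto ipsec sa', filled
# with the counter values posted in the thread.  Not captured device output;
# the ident addresses are invented for the example.
ROUTER_A_SA = """\
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
    #pkts encaps: 20933252, #pkts encrypt: 20933252, #pkts digest: 20933252
    #pkts decaps: 35011197, #pkts decrypt: 35011197, #pkts verify: 35011197
    #send errors 0, #recv errors 0
"""
ROUTER_B_SA = """\
   local  ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
    #pkts encaps: 30413886, #pkts encrypt: 30413886, #pkts digest: 30413886
    #pkts decaps: 17706642, #pkts decrypt: 17706642, #pkts verify: 17706642
    #send errors 0, #recv errors 0
"""

_COUNTER_PATTERNS = {
    "encaps": r"#pkts encaps:\s*(\d+)",
    "encrypt": r"#pkts encrypt:\s*(\d+)",
    "digest": r"#pkts digest:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "decrypt": r"#pkts decrypt:\s*(\d+)",
    "verify": r"#pkts verify:\s*(\d+)",
    "send_errors": r"#send errors\s*(\d+)",
    "recv_errors": r"#recv errors\s*(\d+)",
}


@dataclass
class SaCounters:
    encaps: int
    encrypt: int
    digest: int
    decaps: int
    decrypt: int
    verify: int
    send_errors: int
    recv_errors: int


def parse_sa_counters(text: str) -> SaCounters:
    """Extract the first SA's packet counters from 'show crypto ipsec sa' text."""
    values = {}
    for name, pattern in _COUNTER_PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"counter '{name}' not found in output")
        values[name] = int(match.group(1))
    return SaCounters(**values)


def local_findings(c: SaCounters) -> list[str]:
    """Checks that need only one peer's output.  A healthy SA shows
    encaps == encrypt == digest and decaps == decrypt == verify; any disagreement
    or a non-zero send/recv error count means packets are being dropped on
    this box (integrity/replay failures, crypto-engine errors) rather than
    in transit."""
    findings = []
    if not (c.encaps == c.encrypt == c.digest):
        findings.append(f"outbound counters disagree: {c.encaps}/{c.encrypt}/{c.digest}")
    if not (c.decaps == c.decrypt == c.verify):
        findings.append(f"inbound counters disagree: {c.decaps}/{c.decrypt}/{c.verify}")
    if c.send_errors or c.recv_errors:
        findings.append(f"errors: send={c.send_errors} recv={c.recv_errors}")
    return findings


def direction_loss(sender_encaps: int, receiver_decaps: int) -> Optional[float]:
    """Fraction of packets the sender encapsulated that the receiver never
    decapsulated, for one direction of the tunnel.  Returns None when the
    receiver counted MORE than the sender: counters are per SA and restart at
    rekey, so the two outputs then do not cover the same SA lifetime and the
    comparison is meaningless."""
    if sender_encaps == 0 or receiver_decaps > sender_encaps:
        return None
    return (sender_encaps - receiver_decaps) / sender_encaps


def compare_peers(a: SaCounters, b: SaCounters, max_loss: float = 0.01) -> dict:
    """Per-direction verdict for a tunnel between peers A and B.  The 1%
    threshold is an assumed value for the example, not an IOS default."""
    report = {}
    for label, loss in (("A->B", direction_loss(a.encaps, b.decaps)),
                        ("B->A", direction_loss(b.encaps, a.decaps))):
        if loss is None:
            report[label] = ("not comparable: receiver decaps exceed sender encaps; "
                             "re-sample both peers after the next rekey or 'clear crypto sa'")
        elif loss > max_loss:
            report[label] = f"suspect: {loss:.1%} of sender's encaps never decapsulated at receiver"
        else:
            report[label] = f"ok: {loss:.2%} shortfall"
    return report


if __name__ == "__main__":
    a, b = parse_sa_counters(ROUTER_A_SA), parse_sa_counters(ROUTER_B_SA)
    for name, c in (("Router A", a), ("Router B", b)):
        print(name, local_findings(c) or "local counters consistent")
    for direction, verdict in compare_peers(a, b).items():
        print(direction, verdict)
```

On the posted numbers the A-to-B direction comes out with about 15% of Router A's encapsulated packets never decapsulated at Router B, while the B-to-A direction is flagged as not comparable because Router A decapsulated more than Router B encapsulated. That pattern is what you would expect when the two outputs were taken at different points in the SA lifetime, so the practical next step is to clear the SAs (or wait for a rekey), let traffic flow, and capture both peers within the same minute before reading anything into the gap.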



mitchell.smith Tue, 03/06/2007 - 08:30

Hi Kamal,

Thanks for your help. About performance issues, we do seem to be having one. I upgraded this customer from a point-to-point Frame Relay 384K frac T1 using 1721s to the current setup, which is a full T1 to the internet using IPSec tunnels to connect the sites. The HQ site has a 2821 and the branch sites have 1841s. All have AIM VPN cards. I am told the performance between the 2 sites in question is no better than it was with the old WAN setup, even though the bandwidth has increased fourfold. I cannot tell if there is a problem with the setup or with the end user :-), so I am exploring all avenues. I did notice last night that CEF was not enabled on the HQ router's serial I/F, so I enabled it and am waiting to hear if this helps. Any thoughts?

Your help is appreciated!


