Decaps & Decrypt counter do not match

May 12th, 2007


Looking for some info on why the number of decapsulated packets does not match the number of decrypted packets. We are not seeing this anywhere else on any of our firewalls.

The difference between this IPSEC config and the others is that this is the first using AES256 (great!! don't you use it, use 3DES) hmmm!! Thanks...

Really, we are going to switch to 3DES at the next scheduled window.

Output from 'sh crypto ipsec sa' for the specific peer:


pkts decaps: 21373, #pkts decrypt: 21400, #pkts verify 21400


Has anyone seen anything like this before? Is it an AES issue?

And why is there a mismatch on the counters?

My opinion is that this is not an AES problem; it could be that packets are getting dropped by the IDS.

This particular connection has another symptom: we are seeing a lot of connection resets in response to SYS timeouts. Any guidance here?

Is this due to packet loss? IDS? Packet fragmentation?

Guidance would be appreciated.



smalkeric Thu, 05/17/2007 - 11:30

It may be a fragmentation issue. Try this: disable the PMTUD (IP Path MTU).

