encapsulation failed problem

Dec 18th, 2007


Would someone help me understand what is the cause of an "encapsulation failed" message in the "debug ip packet" command on a Cisco router?

This message appeared after SUCCESSFUL completion of phase 1 and phase 2, when the router tried to send DPD messages to the other site-to-site VPN peer.

The router successfully received all DPD messages from the other VPN peer, but could neither send DPD replies nor send its own DPD messages.

Thanks in advance,


Richard Burts Tue, 12/18/2007 - 08:52


In general the encapsulation failed error message indicates that the router has a layer 3 packet to forward and is lacking some element of the layer 2 header that it needs to be able to forward the packet toward the next hop.

In situations where the next hop is over Ethernet it usually indicates that the ARP request did not get an adequate response and that it does not have the destination MAC address. In Frame Relay it usually indicates that there is not a map entry that gives the correct DLCI for the outbound packet. Other encapsulations have similar header components which must be known or an encapsulation failure will result.

What type of interface is the DPD message being forwarded over?



cisco24x7 Tue, 12/18/2007 - 20:04


Your explanation is really confusing that I cannot understand it myself.

Malden, it does not matter whether you're doing IPSec over Frame, Ethernet or whatever, if you want to see DPD sending out from your router or the other router to send DPD to you, it is very simple:

-Pix: isakmp keepalive 10

-Cisco IOS: crypto isakmp keepalive 10

That's it.

mladentsvetkov Thu, 12/20/2007 - 00:31

Thanks for the responses, guys!

It is all Ethernet as L2.

The DPD messages were configured. The problem is that the router cannot send data via the encrypted tunnel. When I do "debug ip packet" on the router, I see the "encapsulation failed" message for the packets going out of the router.



Richard Burts Fri, 12/21/2007 - 06:18


If it is Ethernet, then the encapsulation failed is almost certainly an issue with the MAC address of the next hop. To troubleshoot this I would suggest that you take the encapsulation failed error message, verify the destination address of the packet that failed, check the routing table for how you get to that destination address and what is the next hop, and then check the ARP table for that address. Somewhere in the process I suspect that there is a mismatch.
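
The check sequence described in the reply above (failed packet's destination, then route and next hop, then ARP entry), as an added example that is not part of the original thread. The debug line, route list and ARP output are constructed samples using documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data (not from the thread), shaped like IOS output.
DEBUG_LINE = ("IP: s=192.0.2.2 (local), d=198.51.100.7 (FastEthernet0/0), "
              "len 112, encapsulation failed")
# Routes transcribed by hand from "show ip route":
# (prefix, next hop or None when directly connected, outgoing interface)
ROUTES = [
    ("0.0.0.0/0", "192.0.2.1", "FastEthernet0/0"),
    ("192.0.2.0/24", None, "FastEthernet0/0"),
]
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.2               -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  192.0.2.1               0   Incomplete      ARPA
"""

def failed_destination(line):
    """Return the d= address of a debug line reporting encapsulation failed."""
    m = re.search(r"\bd=(\d+\.\d+\.\d+\.\d+).*encapsulation failed", line)
    return m.group(1) if m else None

def next_hop(dst, routes):
    """Longest-prefix match; on a connected route the destination itself is ARPed."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, nh, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return (nh or dst, ifc)

def parse_arp(text):
    """Map IP address -> hardware address column ("Incomplete" if unresolved)."""
    table = {}
    for row in text.splitlines()[1:]:  # skip the header row
        f = row.split()
        if len(f) >= 4 and f[0] == "Internet":
            table[f[1]] = f[3]
    return table

def diagnose(line, routes, arp_text):
    dst = failed_destination(line)
    if dst is None:
        return "no encapsulation failure in this line"
    hop = next_hop(dst, routes)
    if hop is None:
        return f"{dst}: no route"
    mac = parse_arp(arp_text).get(hop[0])
    if mac is None or mac == "Incomplete":
        return f"{dst}: next hop {hop[0]} on {hop[1]} has no resolved MAC"
    return f"{dst}: next hop {hop[0]} resolves to {mac}"
```

With the sample data, `diagnose(DEBUG_LINE, ROUTES, ARP_OUTPUT)` reports that the default-route next hop has an incomplete ARP entry, which is the mismatch the reply suggests looking for.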



mladentsvetkov Fri, 12/21/2007 - 06:45

Thanks, Rick.

Another thing to mention is that the Cisco router is directly connected to an L2 switch (2950). The switch port is configured as an access port in VLAN XXX, but the native VLAN is changed; it is not VLAN 1.

Do you think that this may be the problem?



Richard Burts Fri, 12/21/2007 - 10:43


Since I do not have a good feeling right now for what the problem is, it is difficult to say for sure that it is not a problem with the router to switch connection or the configuration of the access port or VLAN on the 2950. But I would doubt that this is causing the problem.



