Incomplete ESP Translations: hanging off nat entry

Unanswered Question
Jul 31st, 2008

At corporate HQ, I have an ASA5510 behind a router doing PAT with Lan-2-Lan IPSEC VPNs terminating at 3 other sites (2 with PIX 501s not behind routers and one with ASA5510 behind a router also doing PAT). When I do "sh ip nat tra" on the HQ router, at the bottom of the list I see "Incomplete ESP translations:" followed by one or two lines like this:

0 esp_conn=0x8409C428, hanging off nat entry 0x84062D30

1 esp_conn=0x8409C408, hanging off nat entry 0x8405F430

Can anyone tell me what this means, what causes it, and whether it is a problem?

Thank you,


jmcconnaughey Thu, 07/31/2008 - 06:39

I'm not sure I quite follow you, although I did use the doc you linked as a reference for my config. Everything appears to work properly, it's just that I get the Incomplete ESP translations message all the time and don't understand what it means or why it is happening.



rsgamage1 Fri, 08/01/2008 - 07:49

I've come across a similar case when there was an issue with my interface ACLs. This is why I suggested that you check the ACLs.

I ended up having an

rsgamage1 Mon, 08/11/2008 - 03:53


Are you sure that your respective tunnel was up and traffic was flowing through (both ways)?

Any updates on this?

jmcconnaughey Mon, 08/11/2008 - 04:59

The tunnel is up, in production, with traffic flowing both directions. Even so, frequently (but not every time) when I do a show ip nat translations at either end of the tunnel, I see the incomplete ESP translations message. When it says "hanging off nat entry ..." where can I go to look at the entry it is referring to?


