07-31-2008 06:00 AM
At corporate HQ, I have an ASA5510 behind a router doing PAT with Lan-2-Lan IPSEC VPNs terminating at 3 other sites (2 with PIX 501s not behind routers and one with ASA5510 behind a router also doing PAT). When I do "sh ip nat tra" on the HQ router, at the bottom of the list I see "Incomplete ESP translations:" followed by one or two lines like this:
0 esp_conn=0x8409C428, hanging off nat entry 0x84062D30
1 esp_conn=0x8409C408, hanging off nat entry 0x8405F430
Can anyone tell me what this means, what causes it, and whether it is a problem?
Thank you,
Joshua
07-31-2008 06:31 AM
Have you checked your ACLs with regard to NAPT?
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml
HTH
07-31-2008 06:39 AM
I'm not sure I quite follow you, although I did use the doc you linked as a reference for my config. Everything appears to work properly, it's just that I get the Incomplete ESP translations message all the time and don't understand what it means or why it is happening.
Thanks,
Joshua
08-01-2008 07:49 AM
08-11-2008 03:53 AM
Hi,
Are you sure that your respective tunnel was up and traffic was flowing through (both ways)?
Any updates on this?
08-11-2008 04:59 AM
The tunnel is up, in production, with traffic flowing both directions. Even so, frequently (but not every time) when I do a show ip nat translations at either end of the tunnel, I see the incomplete ESP translations message. When it says "hanging off nat entry ..." where can I go to look at the entry it is referring to?
Joshua