
#pkts encaps: 0 | pkts decaps: 664

Ibrahim Jamil
Level 6

Hi

Why is the below like that? Where is the problem? It's an L2L scenario using 2 Cisco ASAs.

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 664, #pkts decrypt: 664, #pkts verify: 664

Thanks

10 Replies

Jennifer Halim
Cisco Employee

That means packets are arriving and getting decrypted on this ASA; however, there is no return traffic to be encrypted towards the peer.

A few things to check:

- default gateway of the host or any device between the host and the ASA is pointing towards the ASA interface.

- make sure the host that you are trying to access doesn't have any FW on that might block inbound connection.

- NAT exemption is configured on the ASA between those subnets.

Hi Halim

How can I see logs on my ASA for what you have written?

thanks

What do you mean?

Which part would you like to see?

To check if NAT exemption has been configured, you can check the NAT statement.

Hi Halim

I checked all the config and it looks okay. The tunnel is up but I still see the below, with an increased counter. What type of debug do you want to make things clear?

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 664, #pkts decrypt: 664, #pkts verify: 664

thanks

Jamil

If the tunnel is up and you are seeing decaps and no encaps that means exactly what Jennifer mentioned.  There is no return traffic from this site.  If you go and look on the other side you will see encaps but no decaps.  So you need to check the interesting traffic and make sure that whatever the other side is trying to get to at this location is live.

You can check the logs in the log viewer.

How can I see the log for what you have mentioned?

I have the below logging enabled on my ASA:

logging buffered severity 7

debug crypto ipsec sa 127

thanks

It is not something that you can check on the logs.

You would need to do a little bit of troubleshooting.

At this stage, it is not a VPN problem, so "debug cry" won't give you much to go on.

Have you double checked the NAT exemption to see if it has been created correctly?

If NAT exemption is correct, I assume that you don't have any ACL that might be blocking it on the ASA?

Lastly, if all the ASA configuration is assumed to be correct, you would need to check on the host itself that you are trying to reach to see if it has any FW that might be blocking inbound access, or if the default gateway is configured correctly. And you can also check if there is any router between the ASA and the host and ensure it's routing correctly.

hengchang zhao
Level 1

Have you solved the problem?

The original post is 5 years old. Literally dozens of similar posts have been put up over the years.

The most common causes are:

a. incorrect routing at the distant end internal network

b. mismatch between crypto maps ("show crypto ipsec sa" should be a mirror image between the two units).

TKS, this problem has been solved, which is the matching sequence of no-na
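The two checks the replies describe (decaps with no encaps on one side, and "show crypto ipsec sa" being a mirror image between the two units) can be scripted over saved output from both peers. This is an added example, not code from anyone in the thread; the sample captures are constructed, and the parser assumes the usual `local ident` / `remote ident` lines appear above the counters.

```python
import re

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((.+?)\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """One dict per SA: local/remote ident plus encaps/decaps counters."""
    sas = []
    for line in text.splitlines():
        ident = IDENT.search(line)
        if ident and ident.group(1) == "local":
            sas.append({"encaps": 0, "decaps": 0})  # a local ident starts a new SA
        if ident and sas:
            sas[-1][ident.group(1)] = ident.group(2)
        elif sas:
            sas[-1].update((k, int(v)) for k, v in COUNT.findall(line))
    return sas

def diagnose(sa):
    """Classify traffic direction on one SA from its counters."""
    if sa["decaps"] and not sa["encaps"]:
        return "decaps-only"  # peer's packets arrive, nothing returns from this side
    if sa["encaps"] and not sa["decaps"]:
        return "encaps-only"  # this side sends, nothing comes back from the peer
    return "two-way" if sa["encaps"] else "idle"

def unmirrored(side_a, side_b):
    """SAs on side_a with no SA on side_b whose idents are the swapped pair."""
    swapped = {(sa.get("remote"), sa.get("local")) for sa in side_b}
    return [sa for sa in side_a if (sa.get("local"), sa.get("remote")) not in swapped]

# Constructed sample captures, one per peer (addresses are made up).
SITE_A = """
  local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 664, #pkts decrypt: 664, #pkts verify: 664
"""
SITE_B = """
  local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
  #pkts encaps: 664, #pkts encrypt: 664, #pkts digest: 664
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Same peer, but with a wider subnet in its crypto ACL: no longer a mirror image.
SITE_B_BAD = SITE_B.replace("10.1.1.0/255.255.255.0", "10.1.0.0/255.255.0.0")

if __name__ == "__main__":
    a = parse_sas(SITE_A)
    print([diagnose(sa) for sa in a])
    print(unmirrored(a, parse_sas(SITE_B)), unmirrored(a, parse_sas(SITE_B_BAD)))
```

A "decaps-only" result with mirrored idents points away from the VPN itself and toward routing, NAT exemption or a host firewall behind that ASA, as the replies above say.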
