Decaps & Decrypt counter do not match

snakedoctor
Level 1

Hi,

Looking for some info on why the number of decapsulated packets does not match the number of decrypted packets. We are not seeing this anywhere else on any of our firewalls.

The difference between this IPSEC config and others is that this is the first using AES256 (great!! don't you use it, use 3DES) hmmm !! Thanks...

Really, we are going to switch to 3DES at the next scheduled window.

output from 'sh crypto ipsec sa' for the specific peer.

======

pkts decaps: 21373, #pkts decrypt: 21400, #pkts verify 21400

======

Has anyone seen anything like this before? Is it an AES issue?

and why is there a mismatch on the counters?

My opinion is that this is not an AES problem; it could be that packets are getting dropped by the IDS.

This particular connection has another symptom: we are seeing a lot of connection resets in response to SYS timeouts. Any guidance here?

Is this due to packet loss? IDS? Packet fragmentation?

Guidance would be appreciated.

Thanks

SD.
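As an added check (not part of the original post) for the counter line quoted above: a small Python parser that pulls the decaps/decrypt/verify counters out of 'show crypto ipsec sa' output, computes the mismatch, and reports whether the gap is static or still growing across samples taken over time. The second sample line is constructed for illustration.

```python
import re
from typing import Dict, List

# Pattern for the per-SA packet counters in 'show crypto ipsec sa' output.
# The first counter on the page's line lacks its leading '#' and the last one
# lacks its colon, so both are optional.
COUNTER_RE = re.compile(r"#?pkts (decaps|decrypt|verify):?\s*(\d+)")

# Counter line quoted in the post above (sample input copied from the page).
PAGE_LINE = "pkts decaps: 21373, #pkts decrypt: 21400, #pkts verify 21400"

# Constructed later sample of the same SA (not from the page), to show a trend.
LATER_LINE = "#pkts decaps: 30000, #pkts decrypt: 30100, #pkts verify: 30100"


def parse_counters(line: str) -> Dict[str, int]:
    """Return {'decaps': n, 'decrypt': n, 'verify': n} parsed from one line."""
    found = {name: int(val) for name, val in COUNTER_RE.findall(line)}
    missing = {"decaps", "decrypt", "verify"} - found.keys()
    if missing:
        raise ValueError(f"counter(s) not found: {sorted(missing)}")
    return found


def counter_gap(counters: Dict[str, int]) -> int:
    """Packets counted as decrypted but not as decapsulated (the mismatch
    asked about in the post); positive means decrypt ran ahead of decaps."""
    return counters["decrypt"] - counters["decaps"]


def gap_trend(samples: List[Dict[str, int]]) -> str:
    """Classify how the gap changes between the first and last sample.
    Assumption: a gap that stays constant reflects a past event, while a
    growing gap means the condition is ongoing and should be correlated with
    the fragmentation or inspection drops discussed in the thread."""
    gaps = [counter_gap(s) for s in samples]
    if len(gaps) < 2:
        return "unknown"
    if gaps[-1] > gaps[0]:
        return "growing"
    if gaps[-1] < gaps[0]:
        return "shrinking"
    return "static"


if __name__ == "__main__":
    samples = [parse_counters(PAGE_LINE), parse_counters(LATER_LINE)]
    for s in samples:
        print(s, "gap =", counter_gap(s))
    print("trend:", gap_trend(samples))
```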

1 Reply

smalkeric
Level 6

It may be a fragmentation issue. Try this: disable the PMTUD (IP Path MTU).
