Decaps & Decrypt counter do not match

Hi,

Looking for some info on why the number of decapsulated packets does not match the number of decrypted packets. We are not seeing this anywhere else on any of our firewalls.

The difference between this IPsec config and the others is that this is the first one using AES256 (great!! "Don't you use it, use 3DES" hmmm!!). Thanks...

Really, we are going to switch to 3DES at the next scheduled window.

Output from 'sh crypto ipsec sa' for the specific peer.

======

pkts decaps: 21373, #pkts decrypt: 21400, #pkts verify 21400

======

Has anyone seen anything like this before? Is it an AES issue?

and why is there a mismatch on the counters?

My opinion is that this is not an AES problem; it could be that packets are getting dropped by the IDS.

This particular connection has another symptom: we are seeing a lot of connection resets in response to SYN timeouts. Any guidance here?

Is this due to packet loss? IDS? Packet fragmentation?

Guidance would be appreciated.

Thanks

SD.
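The counters quoted above are the "#pkts decaps / #pkts decrypt / #pkts verify" fields of 'show crypto ipsec sa'. As an added illustration (not code from the original post, and not a Cisco tool), the script below parses that output for every peer and reports any SA where the decrypt and decaps counts have drifted apart, so a mismatch like the 27-packet gap in the post can be spotted across all tunnels rather than by eyeballing one peer. The sample output it runs on is constructed for the example and only loosely follows the ASA layout; the peer addresses, map name and the second peer's counters are assumptions, while the first peer's counter values are the ones quoted in the post.

```python
import re

# Constructed sample of 'show crypto ipsec sa' output (not taken from the post,
# only loosely modelled on ASA formatting). The decaps/decrypt/verify values of
# the first peer are the ones quoted in the thread; everything else is made up.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 21373, #pkts encrypt: 21373, #pkts digest: 21373
      #pkts decaps: 21373, #pkts decrypt: 21400, #pkts verify: 21400

      current_peer: 198.51.100.30

      #pkts encaps: 5000, #pkts encrypt: 5000, #pkts digest: 5000
      #pkts decaps: 5000, #pkts decrypt: 5000, #pkts verify: 5000
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
# The colon after the counter name is optional: the line quoted in the post
# reads "#pkts verify 21400" without one.
COUNTER_RE = re.compile(
    r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify):?\s*(\d+)"
)


def parse_sa_counters(text):
    """Map each peer address to its packet counters ({'decaps': int, ...})."""
    sas = {}
    current = None
    for line in text.splitlines():
        peer = PEER_RE.search(line)
        if peer:
            current = peer.group(1)
            sas[current] = {}
            continue
        if current is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            sas[current][name] = int(value)
    return sas


def find_counter_gaps(sas):
    """Return one record per SA whose inbound counters disagree.

    On a healthy SA decaps, decrypt and verify advance together. A decrypt
    count that runs ahead of decaps means packets were decrypted and passed
    integrity verification but never completed decapsulation, which is the
    symptom described in the post; the percentage helps judge how much of the
    inbound traffic is affected.
    """
    gaps = []
    for peer, c in sas.items():
        if not all(k in c for k in ("decaps", "decrypt", "verify")):
            continue  # counters missing from this SA block; skip rather than guess
        gap = c["decrypt"] - c["decaps"]
        verify_gap = c["decrypt"] - c["verify"]
        if gap == 0 and verify_gap == 0:
            continue
        gaps.append({
            "peer": peer,
            "decaps": c["decaps"],
            "decrypt": c["decrypt"],
            "verify": c["verify"],
            "gap": gap,
            "gap_pct": round(100.0 * gap / c["decrypt"], 2) if c["decrypt"] else 0.0,
        })
    return gaps


if __name__ == "__main__":
    for rec in find_counter_gaps(parse_sa_counters(SAMPLE_OUTPUT)):
        print("peer {peer}: decrypt {decrypt} vs decaps {decaps} "
              "(gap {gap}, {gap_pct}% of inbound)".format(**rec))
```

Run against real output captured from the firewall, a non-zero gap on a single peer while all other SAs are clean points at something specific to that tunnel's path (MTU and fragment handling being the usual suspects) rather than at the cipher, which matches the direction the reply takes.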

1 REPLY
Re: Decaps & Decrypt counter do not match

It may be a fragmentation issue. Try this: disable PMTUD (IP Path MTU Discovery).
