b.s
New Member

IPSEC encap_decap_fail

What causes the following entry in crypto debug on a 2621 with IOS 12.2.(13) when making connections through an IPSEC tunnel to a firewall?

IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail

Most connections through tunnel work fine except for connections to Exchange Server.

thanks

1 REPLY
Cisco Employee

Re: IPSEC encap_decap_fail

This is normally caused by sending a big packet with the DF bit set. The router therefore cannot fragment it and fails to encapsulate the packet. One way you could avoid this is to lower the MTU on the sending host to, say, 1400 to provide room for the IPsec header, or you could clear the DF bit for the IPsec tunnels (on the router doing IPsec) as per:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm

An alternative also is to put a policy route map that would clear the DF bit on the packet on the inside interface of the router.
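
The two router-side options from the reply above, written out as IOS configuration. This is an added example, not part of the original reply; the interface name, ACL number, subnets and route-map name are assumptions to be replaced with the site's own values.

```cisco
! Added example. Interface name, ACL 101, subnets and the
! route-map name CLEAR-DF are placeholders (assumptions).
!
! Option 1: clear the DF bit on packets as the router
! encapsulates them into IPsec, so oversized packets can be
! fragmented instead of failing encapsulation.
crypto ipsec df-bit clear
!
! Option 2: policy route map on the inside interface that
! clears DF on traffic headed for the tunnel before it reaches
! the crypto engine.
!
! Match only the traffic that is protected by the tunnel
! (local LAN to remote LAN); leave everything else untouched.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
route-map CLEAR-DF permit 10
 match ip address 101
 set ip df 0
!
interface FastEthernet0/0
 description inside LAN
 ip policy route-map CLEAR-DF
```

Use one option, not both. With either one in place the router fragments oversized tunnel traffic; lowering the host MTU, the first suggestion in the reply, avoids that fragmentation altogether.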
