I have IPSec tunnels successfully running between 4 Cisco 1841 & 2821 routers. The question is: the number of packets encrypted and decrypted on the tunnels is very different; there are about 25% more packets getting encrypted than there are getting decrypted. Is this normal? What is happening to these "missing" packets?
The number of packets encaps and decaps would depend on the kind of traffic passing, e.g. FTP, where normally most of the traffic is unidirectional, in the sense that we generally either upload data or download data. So there can be a difference. The more important thing would be to look at the number of packets encap and decap on the peer. If the decap is 25% higher than encap then I would say, don't worry.
As you can see, the encaps are higher on one end and decaps are higher on the other. Similarly, the encaps are lower on one end and decaps are lower on the other. This looks normal and also indicates that most of the traffic is unidirectional, something like FTP. I would suggest you not worry, especially, as Kanishka mentioned, if you are not experiencing any performance issues. :-)
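An added example, not part of the thread: a small Python check that automates the comparison described in the replies above, matching each router's encaps counter against the far end's decaps counter. The `show crypto ipsec sa` excerpts, the addresses and the 1% tolerance are constructed for illustration.

```python
import re

# Constructed excerpts of `show crypto ipsec sa` from the two tunnel ends
# (addresses and counters are made up; HQ = 192.0.2.1, branch = 192.0.2.2).
HQ_OUTPUT = """
   current_peer 192.0.2.2 port 500
    #pkts encaps: 125000, #pkts encrypt: 125000, #pkts digest: 125000
    #pkts decaps: 100000, #pkts decrypt: 100000, #pkts verify: 100000
"""
BRANCH_OUTPUT = """
   current_peer 192.0.2.1 port 500
    #pkts encaps: 100400, #pkts encrypt: 100400, #pkts digest: 100400
    #pkts decaps: 124900, #pkts decrypt: 124900, #pkts verify: 124900
"""

def parse_sa_counters(text):
    """Return {peer_ip: {'encaps': n, 'decaps': n}}, summed over all SAs per peer."""
    counters, peer = {}, None
    for line in text.splitlines():
        # Matches both "current_peer 192.0.2.2 port 500" and "current_peer: 192.0.2.2:500"
        m = re.search(r"current_peer:?\s+([\d.]+)", line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, {"encaps": 0, "decaps": 0})
            continue
        m = re.search(r"#pkts (encaps|decaps):\s*(\d+)", line)
        if m and peer:
            counters[peer][m.group(1)] += int(m.group(2))
    return counters

def compare_peers(a_text, a_ip, b_text, b_ip, tolerance=0.01):
    """Compare each side's encaps with the far side's decaps, per direction."""
    a = parse_sa_counters(a_text)[b_ip]  # A's SAs toward B
    b = parse_sa_counters(b_text)[a_ip]  # B's SAs toward A
    report = {}
    for name, sent, rcvd in (("a_to_b", a["encaps"], b["decaps"]),
                             ("b_to_a", b["encaps"], a["decaps"])):
        lost = sent - rcvd
        ratio = lost / sent if sent else 0.0
        # Within tolerance: asymmetry is just the traffic mix, not loss in transit
        report[name] = {"sent": sent, "received": rcvd, "lost": lost,
                        "ok": abs(ratio) <= tolerance}
    return report

if __name__ == "__main__":
    result = compare_peers(HQ_OUTPUT, "192.0.2.1", BRANCH_OUTPUT, "192.0.2.2")
    for direction, r in result.items():
        print(direction, r)
```

Capture both outputs at about the same time, otherwise traffic sent between the two snapshots shows up as a false difference.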
Thanks for your help. About performance issues, we do seem to be having one. I upgraded this customer from a Point to Point, Frame Relay, 384K frac T1 using 1721s to the current setup, which is Full T1 to the internet using IPSec tunnels to connect the sites. The HQ site has a 2821 and the branch sites have 1841s. All have AIM VPN cards. I am told the performance between the 2 sites in question is no better than it was with the old WAN setup even though the bandwidth has increased fourfold. I cannot tell if there is a problem with the setup or with the end user :-) so I am exploring all avenues. I did notice last night that CEF was not enabled on the HQ router's serial I/F so I enabled it; waiting to hear if this helps. Any thoughts?