Cisco ASA IPsec packet decap, no decrypt

Pieter Buytaert
Level 1

I have set up an IPsec VPN tunnel with a partner of ours, on a Cisco ASA 5510 v 8.4(5)6, with both phases up and running. Access lists are fully open so all traffic is allowed, and I have a continuous ping running with no reply (although the server is pingable).

When I troubleshoot my VPN, I can see both phase 1 and 2 are up, so parameters are matching but crypto IPsec debug shows me:

pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

pkts decaps: 7, #pkts decrypt: 0, #pkts verify: 0

This is a very strange result for me. I am familiar with not receiving packets from the other side when the number of decaps is 0 too, but here we receive packets, yet decryption seems to fail, which is strange because the tunnel is online so encryption must be matching.

How is this possible?

EDIT: further logs are giving more clues: #pkts invalid identity (rcv): 7
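As an added example (not code from the thread or from Cisco), a small Python parser that reads the counter lines from `show crypto ipsec sa` and classifies the pattern described in the question: decaps rising while decrypt stays at 0 and the invalid-identity counter climbs. The sample output below is constructed from the counters quoted above, and the hint strings are the usual interpretation of those counters, not something this thread confirms.

```python
import re
from typing import Dict, Tuple

# Constructed sample, modelled on the counters quoted in the question
# (not a capture from the poster's ASA).
SAMPLE_SA_OUTPUT = """\
  #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
  #pkts decaps: 7, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
  #pkts invalid identity (rcv): 7
  #send errors: 0, #recv errors: 0
"""

# Every counter has the shape "#<name>: <integer>"; names may contain
# spaces and parentheses but never a colon or comma.
COUNTER_RE = re.compile(r"#(?P<name>[^:,]+?):\s*(?P<value>\d+)")

def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every '#name: value' pair found."""
    return {m.group("name").strip(): int(m.group("value"))
            for m in COUNTER_RE.finditer(text)}

def diagnose(c: Dict[str, int]) -> Tuple[str, str]:
    """Map the counter set to a (state, hint) pair for the receive path."""
    encaps = c.get("pkts encaps", 0)
    decaps = c.get("pkts decaps", 0)
    decrypt = c.get("pkts decrypt", 0)
    bad_identity = c.get("pkts invalid identity (rcv)", 0)
    if encaps == 0:
        return ("nothing-sent", "no traffic is entering the tunnel on this side")
    if decaps == 0:
        return ("no-esp-received", "peer sends nothing back, or ESP is blocked on the path")
    if decrypt == 0 and bad_identity > 0:
        # Packets arrive and are decapsulated, but their inner addresses do not
        # match the proxy identity (crypto ACL) negotiated for this SA.
        return ("proxy-identity-mismatch",
                "check the peer's encryption domain, NAT and routing for the inner traffic")
    if decrypt == 0:
        return ("decrypt-failure", "compare transform set and SA lifetimes on both peers")
    return ("healthy", "both directions are being decrypted")

if __name__ == "__main__":
    counters = parse_counters(SAMPLE_SA_OUTPUT)
    print(diagnose(counters))  # ('proxy-identity-mismatch', ...)
```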

3 Replies

Rohan Padwal
Level 1

Hello,

please share your config for the tunnel and the output of the show command below:

sh cry ipsec sa peer <remote tunnel ip> detail

It seems the remote end's packets are hitting the device but fail to decrypt.

#Rohan

Hi.

What do you see when giving this command on the ASA:

show crypto ikev1 sa

I believe you can see your peer, and you mentioned that phase 1 and phase 2 are established. I had a similar situation a few days ago. I had phase 1 and phase 2 passed and the same issue as you had. Later, digging into it, I found out I had an issue with my internal network routing. Adding a static route toward my firewall from my internal network fixed the issue.

Please do not forget to rate.

Dinesh Moudgil
Cisco Employee

Hi Pieter,

I have seen such issues where there is an issue with the NAT config or NAT-T.
Can you please confirm the remote side has set up correct routing and NAT.

Also, the config pertaining to the VPN and complete debugs would really help in this case.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/