I have set up an IPsec VPN tunnel with a partner of ours on a Cisco ASA 5510 v 8.4(5)6, with both phases up and running. Access lists are fully open so all traffic is allowed, and I have a continuous ping running with no reply (although the server is pingable).
When I troubleshoot my VPN I can see both phase 1 and 2 are up, so parameters are matching, but crypto IPsec debug shows me:
pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
pkts decaps: 7, #pkts decrypt: 0, #pkts verify: 0
This is a very strange result for me. I am familiar with not receiving packets from the other side when the number of decaps is 0 too, but here we receive packets, yet decryption seems to fail, which is strange because the tunnel is online so encryption must be matching.
How is this possible?
EDIT: further logs are giving more clues: #pkts invalid identity (rcv): 7
I believe you can see your peer, and you mentioned that phase 1 and phase 2 are established. I had a similar situation a few days ago. I had phase 1 and phase 2 passed, and the same issue as you had. Later, digging into it, I found out I had an issue with my internal network routing. Adding a static route toward my firewall from my internal network fixed the issue.
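As an added illustration (not code from this thread or from Cisco), a small Python helper that parses the `#pkts` counter lines from `show crypto ipsec sa` as quoted in the question and classifies the inbound side, including the decaps > 0 / decrypt = 0 / invalid identity pattern above. The sample output is constructed from the question's lines; the advice strings are my reading of the counter names plus the routing fix described in the reply, not ASA documentation.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the counter lines quoted in the question, as the ASA prints them.
SAMPLE_SA_OUTPUT = """\
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 7, #pkts decrypt: 0, #pkts verify: 0
      #pkts invalid identity (rcv): 7
"""

# Matches "#pkts <name>: <value>" (the leading '#' is optional, some paste tools strip it).
COUNTER_RE = re.compile(r"#?pkts ([^:,]+): (\d+)")

# Labels -> advice (my interpretation, plus the static-route fix from the reply above).
ADVICE = {
    "no-inbound-esp": "decaps is 0: nothing arrives from the peer; check the peer's "
                      "interesting traffic and the path between the two gateways.",
    "invalid-identity": "decaps > 0 but decrypt/verify stay 0 and 'invalid identity (rcv)' "
                        "grows: packets arrive but are dropped against the SA identities. "
                        "Check the proxy IDs/crypto ACL on both sides and, as in the reply, "
                        "that the inside network routes the remote subnet toward the firewall.",
    "partial-inbound-drop": "some decapsulated packets are not decrypted; compare decaps with "
                            "decrypt and the error counters on the same SA.",
    "inbound-ok": "inbound counters are consistent; look at the return path instead.",
}


def parse_counters(text: str) -> Dict[str, int]:
    """Return e.g. {'encaps': 7, 'decrypt': 0, 'invalid identity (rcv)': 7}."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def classify_inbound(c: Dict[str, int]) -> str:
    """Classify the receive side of one IPsec SA from its counters."""
    decaps = c.get("decaps", 0)
    decrypt = c.get("decrypt", 0)
    invalid_id = c.get("invalid identity (rcv)", 0)
    if decaps == 0:
        return "no-inbound-esp"
    if decrypt == 0 and invalid_id > 0:
        return "invalid-identity"
    if decrypt < decaps:
        return "partial-inbound-drop"
    return "inbound-ok"


def diagnose(text: str) -> Tuple[str, str]:
    """Parse raw 'show crypto ipsec sa' text and return (label, advice)."""
    label = classify_inbound(parse_counters(text))
    return label, ADVICE[label]


if __name__ == "__main__":
    print("%s: %s" % diagnose(SAMPLE_SA_OUTPUT))
```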