Cisco Support Community
cisco ASA ipsec packet decap, no decrypt

I have set up an IPsec VPN tunnel with a partner of ours, on a Cisco ASA 5510 v 8.4(5)6, with both phases up and running. Access lists are fully open so all traffic is allowed, and I have a continuous ping running, with no reply (although the server is pingable).

When I troubleshoot my VPN, I can see both phase 1 and 2 are up, so parameters are matching but crypto IPsec debug shows me:

#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

#pkts decaps: 7, #pkts decrypt: 0, #pkts verify: 0

This is a very strange result for me. I am familiar with not receiving packets from the other side, when the number of decaps is 0 too, but here we receive packets, yet decryption seems to fail, which is strange because the tunnel is online so encryption must be matching.

How is this possible?

EDIT: further logs are giving more clues: #pkts invalid identity (rcv): 7
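As an added example (not code from the thread or from Cisco), here is a small Python helper that parses the "#pkts ..." counters from "show crypto ipsec sa" output and names the receive-side pattern the poster describes. The sample output is constructed from the three counter lines quoted in the question; the counter names it looks up and the hints it prints are assumptions about the ASA output format, not something taken from the thread.

```python
# Added example: triage the #pkts counters from ASA "show crypto ipsec sa".
import re

# Constructed sample, built from the counter lines quoted in the question.
SAMPLE = """\
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 0, #pkts verify: 0
    #pkts invalid identity (rcv): 7
"""

# Matches each "#name: N" field; names may contain spaces, parens and hyphens.
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z /()\-]*?):\s*(\d+)")

# Assumed hint text for each pattern (a defender's reading of the counters).
HINTS = {
    "no-inbound": "decaps is 0: nothing from the peer reaches this SA; "
                  "check the peer's routing and crypto ACL",
    "identity-mismatch": "decaps > 0 but decrypt 0 with invalid identity > 0: "
                         "inner addresses do not match the SA's proxy identities; "
                         "check NAT and the crypto ACLs on both sides",
    "partial-decrypt": "some received packets are not decrypted; "
                       "inspect the failure counters on the SA",
    "healthy": "received packets are decrypted normally",
}

def parse_counters(text):
    """Return {counter name: value} for every '#name: N' field in the output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}

def triage(counters):
    """Classify the receive side of an SA from its counters (see HINTS)."""
    decaps = counters.get("pkts decaps", 0)
    decrypt = counters.get("pkts decrypt", 0)
    bad_identity = counters.get("pkts invalid identity (rcv)", 0)
    if decaps == 0:
        return "no-inbound"
    if decrypt == 0 and bad_identity > 0:
        return "identity-mismatch"
    if decrypt < decaps:
        return "partial-decrypt"
    return "healthy"

if __name__ == "__main__":
    finding = triage(parse_counters(SAMPLE))
    print(f"{finding}: {HINTS[finding]}")
```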

3 REPLIES
Hello

Please share your config for the tunnel and the output of the show command below:

sh cry ipsec sa peer <remote tunnel ip> detail

It seems the remote end's packets are hitting the device but failing to decrypt.

#Rohan

Hi.

What do you see when giving this command on the ASA?

show crypto ikev1 sa

I believe you can see your peer, and you mentioned that phase 1 and phase 2 are established. I had a similar situation a few days ago. I had phase 1 and phase 2 passed, and the same issue as you had. Later, digging into it, I found out I had an issue with my internal network routing. Adding a static route toward my firewall from my internal network fixed the issue.

Hi Pieter,

I have seen such issues where there is an issue with NAT config or NAT-T.
Can you please confirm the remote side has set up correct routing and NAT.

Also, config pertaining to VPN and complete debugs would really help in this case. 

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.
