Incomplete ESP Translations: hanging off nat entry

jmcconnaughey · ‎07-31-2008

At corporate HQ, I have an ASA5510 behind a router doing PAT with Lan-2-Lan IPSEC VPNs terminating at 3 other sites (2 with PIX 501s not behind routers and one with ASA5510 behind a router also doing PAT). When I do "sh ip nat tra" on the HQ router, at the bottom of the list I see "Incomplete ESP translations:" followed by one or two lines like this:

0 esp_conn=0x8409C428, hanging off nat entry 0x84062D30

1 esp_conn=0x8409C408, hanging off nat entry 0x8405F430

Can anyone tell me what this means, what causes it, and whether it is a problem?

Thank you,

Joshua

rsgamage1 · ‎07-31-2008

Have you checked your ACLs with regard to NAPT?

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml

HTH

jmcconnaughey · ‎07-31-2008

I'm not sure I quite follow you, although I did use the doc you linked as a reference for my config. Everything appears to work properly, it's just that I get the Incomplete ESP translations message all the time and don't understand what it means or why it is happening.

Thanks,

Joshua

rsgamage1 · ‎08-01-2008

I've come across a similar case when there was an issue with my interface ACLs. This is for what I suggested you to check the ACLs.

I ended up having an

rsgamage1 · ‎08-11-2008

Hi,

Are you sure that your respective tunnel was up and traffic was flowing through(both ways)?

Any updates on this?

jmcconnaughey · ‎08-11-2008

The tunnel is up, in production, with traffic flowing both directions. Even so, frequently (but not every time) when I do a show ip nat translations at either end of the tunnel, I see the incomplete ESP translations message. When it says "hanging off nat entry ..." where can I go to look at the entry it is referring to?

Joshua