topic IPsec S2S VPN Encap/Decap in Network Security

IPsec S2S VPN Encap/Decap

johnlloyd_13 — Tue, 12 Mar 2019 05:18:59 GMT

hi,

i created a S2S VPN and the ASA2's internet connection isn't that good and some packet losses would be 'normal'.

i'm not sure if that relates to the unequal encap/decaps on my 'sh crypto ipsec sa' output.

is the below reading normal?

ASA1:

      #pkts encaps: 129766, #pkts encrypt: 130193, #pkts digest: 130193
      #pkts decaps: 90306, #pkts decrypt: 90306, #pkts verify: 90306
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 129766, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 427, #pre-frag failures: 0, #fragments created: 854
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 29
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

ASA2:

#pkts encaps: 533, #pkts encrypt: 533, #pkts digest: 533
      #pkts decaps: 600, #pkts decrypt: 600, #pkts verify: 600
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 533, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 36
      #send errors: 0, #recv errors: 0

Hi, I don't think there is

Jouni Forss — Thu, 08 Jan 2015 13:21:02 GMT

Hi,

I don't think there is anything unusual about the packet count being different for decaps/encaps

I would imagine that typically the data transfer is uneven so I don't expect ever to see these counters match. Only time is usually when just configuring a new connection and testing it with ICMP which would result in identical count in encap/decap counters (if the ICMP went through) as we would see echo/echo-reply packets.

If you would see zero counter on one of the SA pairs then it would indicate a problem

I don't see anything special/strange in the above.

- Jouni

thanks jouni!are you going to

johnlloyd_13 — Thu, 08 Jan 2015 17:08:24 GMT

thanks jouni! maybe i got used to seeing equal encap/decap count during initial config and ping test.

are you going to update your NAT docu soon? 🙂

it seems there's a slight update on newer image releases.