Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
409
Views
0
Helpful
4
Replies

Tunnel Decapsulation issue

nihammimm
Level 1
Level 1

‎05-02-2011 11:49 AM - edited ‎03-11-2019 01:27 PM

FWSM/XXX#sh crypto ipsec SA PEer 152.3.134.153

interface: GigabitEthernet0/0.3211
    Crypto map tag: RT-VPN, local addr 170.10.32.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (170.10.130.192/255.255.255.224/0/0)
   remote ident (addr/mask/prot/port): (152.3.133.41/255.255.255.255/0/0)
   current_peer 152.3.134.153 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 170.10.32.3, remote crypto endpt.: 152.3.134.153
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.3211
     current outbound spi:

what could be the causes for packet decap to become ZERO.

When I checked the sh crypto isakmp sa , the tunnel is active.

Guys  - Have u experienced this kind of issue before. There are few more tunnel in the same FWSM , which all are working fine.

Regards,

Labels:
0 Helpful
4 Replies 4

manish arora
Level 6
Level 6

‎05-02-2011 01:41 PM

Try sending some traffic through this tunnel , like ping the device on the other end of the tunnel. If the tunnel is active and you get echo reply back , then both counters will increase. In your case right now , it appears that your device is sending traffic but nothing is coming back from the other end.

Manish

0 Helpful

nihammimm
Level 1
Level 1
In response to manish arora

‎05-02-2011 08:59 PM

Thanx , I will update u shortly.

Regards,

0 Helpful

nihammimm
Level 1
Level 1
In response to manish arora

‎05-02-2011 09:38 PM

Hi,

I just trying to re establish the session , please tell me how to do it for a specific peer (not for all the peers) ?

for phase 1 ( crypto  isakmp sa) ?

for phase 2 ( crypto  ipsec sa) ?

0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to nihammimm

‎05-03-2011 01:03 AM

Hi,

To establish a tunnel you need to ping between the interesting traffic. Without traffic being passed, the session or tunnel will not come up.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card