
VPN Decaps and Decrypts

Jon Eyes
Level 1

Hi Everyone,

Any idea what could be causing this?

 

#pkts encaps: 1181, #pkts encrypt: 1181, #pkts digest: 1181
#pkts decaps: 1181, #pkts decrypt: 0, #pkts verify: 0

 

We usually encounter encaps/encrypts incrementing but no decaps/encrypt -- usually it is a NAT issue, but this one is different.

Thanks in advance

2 Accepted Solutions


balaji.bandi
Hall of Fame

Look at the log output of both devices and compare the config. This could happen when there's a route problem, NAT problem, or some sort of VPN filter.

Check the tunnel configuration on both devices and check whether the tunnel is up.

 

show crypto isakmp sa
show crypto ipsec sa

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


Make sure that return traffic is routed over the crypto interface. Also,
run a packet trace while the SA is up to see if the return packet will get
encrypted by the responding device or not.


Hi,
It worked after we reconfigured and retyped the corresponding tunnel-group, exactly the same.
We are using a pre-shared key; not sure it was the key, but a mismatched key should be visible in the debug, and the tunnel should not form from the start. With this one, the tunnel stood up and was stable; it's just that the decrypt is not incrementing.
Thanks for the input though.
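
One way to check which counters are actually incrementing between two captures of `show crypto ipsec sa`, as an added example that is not part of the original thread. The function names, verdict strings and the first snapshot are constructed, and it assumes each capture holds the counters of a single SA.

```python
import re

# Counter names as they appear on the "#pkts" lines quoted in the question.
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")


def parse_counters(text):
    """Extract {name: value} from the #pkts lines of one SA's output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def classify(before, after):
    """Compare two snapshots of the same SA; return (verdict, per-counter delta)."""
    old, new = parse_counters(before), parse_counters(after)
    missing = {"encaps", "decaps", "decrypt"} - (old.keys() & new.keys())
    if missing:
        raise ValueError(f"counters not found in both snapshots: {sorted(missing)}")
    delta = {name: new[name] - old[name] for name in new if name in old}
    if any(d < 0 for d in delta.values()):
        # Counters went backwards: cleared or SA rebuilt between snapshots.
        return "counters-reset", delta
    if delta["encaps"] == 0:
        return "no-outbound-traffic", delta
    if delta["decaps"] == 0:
        # Pattern the thread attributes to route, NAT or VPN-filter problems.
        return "no-return-traffic", delta
    if delta["decrypt"] == 0:
        # Pattern from the question: packets are decapsulated but never decrypted.
        return "decaps-without-decrypt", delta
    return "both-directions-ok", delta


# SNAPSHOT_1 is constructed; SNAPSHOT_2 is the output quoted in the question.
SNAPSHOT_1 = """\
#pkts encaps: 1100, #pkts encrypt: 1100, #pkts digest: 1100
#pkts decaps: 1100, #pkts decrypt: 0, #pkts verify: 0
"""
SNAPSHOT_2 = """\
#pkts encaps: 1181, #pkts encrypt: 1181, #pkts digest: 1181
#pkts decaps: 1181, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    verdict, delta = classify(SNAPSHOT_1, SNAPSHOT_2)
    print(verdict, delta)
```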
