Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10928
Views
0
Helpful
3
Replies

Send Errors in the show crypto IPSEC SA

mastram4u
Level 1
Level 1

‎12-10-2006 08:54 PM - edited ‎02-21-2020 02:45 PM

Hi,

sh crypto ipsec sa peer X.X.X.X ?

What is the meaning of increasing send errors when I am executing the above command. I am seeing the send error count increasing and there is no change in"pkts encaps" & "Pkts decaps". This IPsec Tunnel is working and this is happenning for one new host that I have permitted.

2 people had this problem
Labels:
0 Helpful
3 Replies 3

rajinikanth
Level 3
Level 3

‎12-12-2006 10:26 AM

Hi,

Usually u find send errors increase when the access list config is wrong .

Can u post ur access-list

Thanks

Raj

0 Helpful

ali-mahmoud
Level 1
Level 1
In response to rajinikanth

‎11-24-2014 11:31 PM

Hi; i am facing the same issue, a site-to-site vpn between cisco 3945 router and Fortigate 

config :

crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2

!

crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac 
 mode tunnel

!

crypto map CRYPTO-VPN 155 ipsec-isakmp 
 set peer x.x.x.x
 set security-association lifetime seconds 86400
 set transform-set VPN-SET
 set pfs group2
 match address ACL-VPN

!

crypto isakmp key ????????????? address x.x.x.x

send errors increased just in one of the connections

the  access list as below :

Extended IP access list ACL-VPN
    10 permit ip host 10.255.129.185 host 10.1.1.15 (98 matches)
    20 permit ip host 172.32.31.201 host 10.1.1.15 (25278 matches)
    30 permit ip host 172.32.31.108 host 10.1.1.15 (2 matches)
    60 permit ip host 172.25.25.32 host 10.1.1.15
    70 permit ip host 172.25.25.25 host 10.1.1.15
    80 permit ip 172.32.32.0 0.0.0.255 host 10.1.1.15 (64 matches)

 

when showing the sh crypto ipsec peer 

   local  ident (addr/mask/prot/port): (172.32.32.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.15/255.255.255.255/0/0)
   current_peer 10.136.136.26 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

0 Helpful

kinan
Level 1
Level 1
In response to ali-mahmoud

‎10-24-2017 04:26 AM

Are there other suggestions?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents