Showing results for 
Search instead for 
Did you mean: 
Level 10
Level 10

Core issue

PIX/ASA version 7.0.4 drops packets that need to be encrypted for a valid LAN-to-LAN (L2L) Virtual Private Network (VPN) peer.

This issue is due to the presence of Cisco bug ID CSCsd93380.

In PIX/ASA version 7.0.4, a valid output from the show crypto ipsec sa command is present. QuickMode completes and the active Security Parameter Index (SPI) values are present. Furthermore, the remote site is able to send traffic. The #pkts decrypt counter increases, but the #pkts encrypt counter does not increase.

This is output from the show crypto ipsec sa command:

Firewall(config)#show crypto ipsec sa peer
  peer address:
  Crypto map tag: outside_map, seq num: 2, local addr:
  access-list vpn permit ip
  local ident (addr/mask/prot/port): (
  remote ident (addr/mask/prot/port):
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 658, #pkts decrypt: 658, #pkts verify: 658
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp
  failed: 0
  #send errors: 0, #recv errors: 0

Instead, the show asp drop counter displays Tunnel being brought up or torn down, which increases.


For a temporary workaround:

Reload the PIX/ASA software with the reload command in order to solve this issue.

For a permanent workaround:

This issue is resolved in these PIX/ASA versions:

  • 7.0(6)

  • 7.2(2)

  • 7.2(1.5)

  • 7.0(5.8)

  • 7.1(2.11)

In order to resolve this issue, download the latest code from Cisco Downloads.

Problem Type

Troubleshoot software feature

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: