
IPSEC encap_decap_fail

b.s
Level 1

What causes the following entry in crypto debug on 2621 IOS 12.2.(13) when making connections through IPSEC tunnel to firewall?

IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail

Most connections through tunnel work fine except for connections to Exchange Server.

thanks

1 Reply

cjacinto
Cisco Employee

This is normally caused by sending a big packet with the DF bit set. Thus the router cannot fragment it and fails to encapsulate such a packet. One way you could avoid this is to lower the MTU on the sending host to, say, 1400 to provide room for the IPsec header, or you could clear the DF bit for the IPsec tunnels (on the router doing IPsec) as per:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm

An alternative also is to put a policy route map that would clear the DF bit on the packet on the inside interface of the router.
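
The two router-side options from the reply above, written out as an added example that is not part of the original thread. The interface name, ACL number 101 and the route-map name CLEAR-DF are assumptions; adjust them to the router in question.

```cisco
! Added example. Interface name, ACL 101 and route-map name CLEAR-DF
! are assumptions, not values from the thread.
!
! Option 1: DF bit override for IPsec tunnels (global configuration).
! The router clears DF in the outer IP header, so a packet that grows
! past the path MTU after encapsulation can be fragmented instead of
! failing encapsulation.
crypto ipsec df-bit clear
!
! Option 2: policy route map that clears DF on packets arriving on the
! inside interface, before they reach the crypto process.
! Narrow the ACL to the traffic that actually enters the tunnel.
access-list 101 permit ip any any
!
route-map CLEAR-DF permit 10
 match ip address 101
 set ip df 0
!
interface FastEthernet0/0
 description Inside interface (assumed name)
 ip policy route-map CLEAR-DF
```

Use one option, not both. Whether the DF bit override command is available depends on the IOS release and feature set, so check the linked feature document against the image in use; with either option, fragments created after encryption must be reassembled by the remote IPsec peer before it can decrypt them.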