Ipsec phase 1 and 2 established but no data transmitted

michal2 · ‎05-30-2024

Hello,

I would like to ask for your help to solve my issue with Ipsec tunnel.

According to debugs tunnel is established but no data are transmitted.

In encaps is visible that some packets were sent but in decaps no packets were received back or just some of them.

On edge router is only port forwarding to router behind with PAT enabled.

For some days this configuration was running but then some packets started to drop and eventualy no traffic is transmited.

Once helped me to solve problem when I shuted down whole tunnel interface and up again but not anymore.

Config of both routers is attached. Thank you in advance for any help.,

Ipsec topology

###################################################################################
R1
version 17.6
!
crypto ikev2 proposal WEBUI-PROPOSAL-Tunnel1
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 14 15 16 5
!
crypto ikev2 policy WEBUI-POLICY
match fvrf any
proposal WEBUI-PROPOSAL-Tunnel1
!
crypto ikev2 keyring WEBUI-KEYS
peer WEBUI-PEER-x.x.x.x
description KEY-PEER-x.x.x.x
address x.x.x.74 255.255.255.0
pre-shared-key xxxxxx
!
!
!
crypto ikev2 profile WEBUI-IKEV2-PROFILE
match fvrf any
match address local 192.168.5.2
match identity remote address 192.168.216.0 255.255.255.0
match identity remote address 192.168.215.3 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local WEBUI-KEYS
dpd 20 5 periodic
!
crypto ikev2 nat keepalive 900
crypto ikev2 dpd 10 5 periodic
!
!
!
!
class-map match-all RealTimeTraffic3_AVC_UI_CLASS
description RealTimeTraffic3_AVC_UI_CLASS UI_policy_DO_NOT_CHANGE
match protocol attribute category voice-and-video
class-map match-all RealTimeTraffic2_AVC_UI_CLASS
description RealTimeTraffic2_AVC_UI_CLASS UI_policy_DO_NOT_CHANGE
match protocol attribute category voice-and-video
class-map match-all RealTimeTraffic1_AVC_UI_CLASS
description RealTimeTraffic1_AVC_UI_CLASS UI_policy_DO_NOT_CHANGE
match protocol attribute category voice-and-video
!
policy-map RealTimeTraffic
description audio,video,share
class RealTimeTraffic1_AVC_UI_CLASS
set dscp af41
police cir 5000000
conform-action transmit
exceed-action drop
class RealTimeTraffic2_AVC_UI_CLASS
set dscp cs2
police cir 5000000
conform-action transmit
exceed-action drop
class RealTimeTraffic3_AVC_UI_CLASS
set dscp ef
police cir 3000000
conform-action transmit
exceed-action drop
class class-default
set dscp default
!
zone security INSIDE
zone security OUTSIDE
!
crypto logging ikev2
!
!
!
!
!
!
crypto ipsec transform-set WEBUI-TS-Tunnel1 esp-aes 192 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile WEBUI-IPSEC-PROFILE-Tunnel1
set transform-set WEBUI-TS-Tunnel1
set ikev2-profile WEBUI-IKEV2-PROFILE
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
bandwidth 4000
ip address 192.168.40.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination x.x.x.74
tunnel path-mtu-discovery
tunnel protection ipsec profile WEBUI-IPSEC-PROFILE-Tunnel1
!
interface GigabitEthernet0/0/0
description DMZ
ip address 192.168.5.2 255.255.255.0
ip nbar protocol-discovery
ip nat outside
negotiation auto
spanning-tree portfast disable
service-policy input RealTimeTraffic
service-policy output RealTimeTraffic
!
interface GigabitEthernet0/0/1
description LAN Network
ip address 192.168.15.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0
description MANAGEMENT interface
vrf forwarding Mgmt-intf
ip address 192.168.10.50 255.255.255.0
negotiation auto
!
ip http server
ip http port 8085
ip http access-class ipv4 WAN-ACCESS-SERVICES
ip http authentication local
ip http secure-server
ip http secure-trustpoint TP-self-signed-2962201196
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0
ip nat inside source list LocalLAN-NAT-VPN interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.168.5.1
ip route 192.168.18.0 255.255.255.0 192.168.15.250 2
ip route 192.168.216.0 255.255.255.0 Tunnel1
ip ssh version 2
!
!
ip access-list standard WAN-ACCESS-SERVICES
20 permit 192.168.10.0 0.0.0.255
30 permit 192.168.15.0 0.0.0.255
!
ip access-list extended LocalLAN-NAT-VPN
10 deny ip 192.168.15.0 0.0.0.255 192.168.216.0 0.0.0.255 log
20 permit ip 192.168.15.0 0.0.0.255 any log
ip access-list extended WAN-ACCESS-IN
7 permit icmp 192.168.5.0 0.0.0.255 any
8 permit icmp 192.168.15.0 0.0.0.255 any
10 deny icmp any any
20 permit ip any any
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
logging synchronous
login local
stopbits 1
line aux 0
login local
line vty 0 4
access-class WAN-ACCESS-SERVICES in
exec-timeout 120 0
logging synchronous
login local
length 0
transport input ssh
line vty 5 15
access-class WAN-ACCESS-SERVICES in
exec-timeout 120 0
logging synchronous
login local
length 0
transport input ssh
!
end

show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.5.2/4500 x.x.x.74/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/79058 sec
CE id: 14696, Session-id: 67
Status Description: Negotiation done
Local spi: 5198EE8178D75863 Remote spi: 110D528095AB31B3
Local id: 192.168.5.2
Remote id: 192.168.215.3
Local req msg id: 3978 Remote req msg id: 3968
Local next msg id: 3978 Remote next msg id: 3968
Local req queued: 3978 Remote req queued: 3968
Local window: 5 Remote window: 5
DPD configured for 20 seconds, retry 5
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No

IPv6 Crypto IKEv2 SA

show crypto ipsec sa detail

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.5.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15413, #pkts encrypt: 15413, #pkts digest: 15413
#pkts decaps: 2504, #pkts decrypt: 2504, #pkts verify: 2504
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 192.168.5.2, remote crypto endpt.: x.x.x.74
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0xE4B680B9(3837165753)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xB1A55732(2980402994)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2841, flow_id: ESG:841, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607995/2802)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xE4B680B9(3837165753)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2842, flow_id: ESG:842, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607984/2802)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

show interfaces tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.40.2/30
MTU 9922 bytes, BW 4000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 192.168.5.2 (GigabitEthernet0/0/0), destination x.x.x.74
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0/0
Set of tunnels with source GigabitEthernet0/0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "WEBUI-IPSEC-PROFILE-Tunnel1")
Last input 1w5d, output 18:35:31, output hang never
Last clearing of "show interface" counters 1w2d
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
572961 packets input, 207391130 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
798744 packets output, 197107604 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
###############################################################################################################

R4

version 17.3
!
crypto ikev2 proposal WEBUI-PROPOSAL-Tunnel1
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 14 15 16 5
!
crypto ikev2 policy WEBUI-POLICY
match fvrf any
proposal WEBUI-PROPOSAL-Tunnel1
!
crypto ikev2 keyring WEBUI-KEYS
peer WEBUI-PEER-x.x.x.210
description KEY-PEER-x.x.x.210
address x.x.x.210 255.255.255.0
pre-shared-key xxxxxx
!
!
!
crypto ikev2 profile WEBUI-IKEV2-PROFILE
match fvrf any
match address local 192.168.215.3
match identity remote address 192.168.15.0 255.255.255.0
match identity remote address 192.168.5.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local WEBUI-KEYS
dpd 20 5 periodic
!
crypto ikev2 nat keepalive 900
crypto ikev2 dpd 10 5 periodic
!
!
crypto ipsec transform-set WEBUI-TS-Tunnel1 esp-aes 192 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile WEBUI-IPSEC-PROFILE-Tunnel1
set transform-set WEBUI-TS-Tunnel1
set ikev2-profile WEBUI-IKEV2-PROFILE
!
!
interface Tunnel1
bandwidth 4000
ip address 192.168.40.1 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination x.x.x.210
tunnel path-mtu-discovery
tunnel protection ipsec profile WEBUI-IPSEC-PROFILE-Tunnel1
!
interface GigabitEthernet0/0/0
description WAN
ip address 192.168.215.3 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN
ip address 192.168.216.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0
description MANAGEMENT interface
vrf forwarding Mgmt-intf
ip address 192.168.10.51 255.255.255.0
negotiation auto
!
ip http server
ip http access-class ipv4 WAN-ACCESS-SERVICES
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0
ip nat inside source list LocalLAN-NAT-VPN interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.168.215.1
ip route 192.168.15.0 255.255.255.0 Tunnel1
ip ssh version 2
!
!
ip access-list standard LocalLAN_SSH
10 permit 192.168.25.0 0.0.0.255
ip access-list standard WAN-ACCESS-SERVICES
10 permit 192.168.216.0 0.0.0.255
20 permit 192.168.10.0 0.0.0.255
30 permit 192.168.15.0 0.0.0.255
!
ip access-list extended LocalLAN-NAT-VPN
10 deny ip 192.168.216.0 0.0.0.255 192.168.15.0 0.0.0.255 log
20 permit ip 192.168.216.0 0.0.0.255 any
ip access-list extended VPN-TRAFFIC
10 permit ip 192.168.25.0 0.0.0.255 192.168.24.0 0.0.0.255
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
login local
stopbits 1
line aux 0
login local
stopbits 1
line vty 0 4
access-class WAN-ACCESS-SERVICES in
exec-timeout 120 0
login local
length 0
transport input ssh
line vty 5 15
access-class WAN-ACCESS-SERVICES in
exec-timeout 120 0
login local
length 0
transport input ssh
!
!
end

show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.215.3/4500 x.x.x.210/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/2696 sec
CE id: 14704, Session-id: 2180
Status Description: Negotiation done
Local spi: 90D0964441D56294 Remote spi: 0568FDBF46E0F0B5
Local id: 192.168.215.3
Remote id: 192.168.5.2
Local req msg id: 136 Remote req msg id: 134
Local next msg id: 136 Remote next msg id: 134
Local req queued: 136 Remote req queued: 134
Local window: 5 Remote window: 5
DPD configured for 20 seconds, retry 5
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

show crypto ipsec sa detail

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.215.3

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.210 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4526, #pkts encrypt: 4526, #pkts digest: 4526
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 192.168.215.3, remote crypto endpt.: x.x.x.210
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x6D34DAE(114511278)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x97579D60(2539101536)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 7066, flow_id: ESG:5066, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/869)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6D34DAE(114511278)
transform: esp-192-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 7065, flow_id: ESG:5065, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607990/869)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

show interfaces tunnel1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.40.1/30
MTU 9922 bytes, BW 4000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 192.168.215.3 (GigabitEthernet0/0/0), destination x.x.x.210
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0/0
Set of tunnels with source GigabitEthernet0/0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "WEBUI-IPSEC-PROFILE-Tunnel1")
Last input 2d04h, output 01:25:22, output hang never
Last clearing of "show interface" counters 2w0d
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
17324464 packets input, 9178722647 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
10095527 packets output, 884707879 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

MHM Cisco World · ‎06-04-2024

still this issue not solved ?
if Yes please mention when you config the NAT and which device you use as VPN ends in your topolgy

MHM

michal2 · ‎06-04-2024

Unfortunately issue is not solved yet. But I was thinking it is kind of NAT issue but I do not know what is wrong.

Actually NAT was configured since beginning but issue appeared later.

As a VPN endpoints or R1, R4 ISR4321 router's are used.

I don't know if it helps but after weekend (less network traffic is transferred) tunnel was transmitting data but approximatelly after 3 hours same issue occured again.

MHM Cisco World · ‎06-04-2024

In your topology I see PAT NAT-T and PAT ?

can I know where you apply NAT/PAT ?
where is the end of VPN ?

MHM

michal2 · ‎06-04-2024

Tunnel ends are R1 and R4.

Routers R2 and R3 are just forwarding traffic on port 4500, 500 to R1 or R2 depending on direction.

Actually PAT is applied on all routers, so double PAT is used.

Maybe it is not necessarily to be used but only that configuration works for me for station to get to the internet.

MHM Cisco World · ‎06-07-2024

Just want to update you that I process the issue
and try to find what make VTI drop
thanks for waiting

MHM

michal2 · ‎06-07-2024

Its is fine I really appreciate your effort and time.

I still could not found out what is causing that.

It means that packets are dropped when decapsulating of packets is zero or less than encaps even if on VTI tunnel 1 is

stated: Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0 or it is NAT problem when some records could not be translated back to source of origin?

Thank you

ccieexpert · ‎06-07-2024

Here is what i suggest... after ESP encapsulation the packet will be encapsulated in UDP 4500 generally..

start packet capture on both sides using this:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

Then run a ping with large packet size like 1000 bytes, so you can differentiate packet capture from regular keepalives etc... the packet capture on sending vs receiving side can be compared to see if it is received on the receiving side.. Please attach captures..

michal2 · ‎06-11-2024

Hi, sorry that took me so long but I had other work to do.

I captured some traffic between VPN tunnel peers and outgoing trafic passing tgrough WAN port on R1 and R4.

Unfortunately I did not get icmp reply to icmp request from other site.

Please see attached captured .pcap file.

Hope it helps.

ccieexpert · ‎06-11-2024

i see that hq1 and hq2 packets captures show the ESP large packet 1122 bytes.. packet 249 on r1 and 197 on r2.. i am assuming that is the packet.. not sure the time is same on both routers... its not a simple problem and needs some live troubleshooting.. do you have TAC support for this ? i suggest you talk to them.. otherwise maybe we can jump on a webex/teams etc...

MHM Cisco World · ‎06-11-2024

Hi Friend
after I check your case last days I found the issue
the SPI is different in both Router that lead me to think about the phaseII lifetime and I see you use kilobytes this can be the issue here
one side send traffic more that other this make one side lifetime end and re generate new key but peer still use the old key
and hence the packet is drop
you need to disable kilobytes in both peers and then clear ipsec sa and check again

MHM

michal2 · ‎06-17-2024

Hello,

I would like to thank you a lot, that was propably the reason, now the SPI inbound/outbound are matching even when spi lifetime expires.

Inbound: #pkts dec'ed 17348 drop 3 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 54 mins
Outbound: #pkts enc'ed 40627 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 54 mins

But after some time I registered that some packets are dropped, propably due to anti replay error.

#pkts encaps: 40640, #pkts encrypt: 40640, #pkts digest: 40640
#pkts decaps: 17351, #pkts decrypt: 17351, #pkts verify: 17351
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 3
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

So I increased ipsec replay window size to 128.

I will see if it will be better and stable.

MHM Cisco World · ‎06-17-2024

Some packet drop when you are ping ?

Or real traffic?

MHM

michal2 · ‎06-17-2024

Real traffic and even when I changed the window size to 128 sometimes no packets are transmited and more what is weird it does not shows up in dropped packets.

So I reverted back to default value.

MHM Cisco World · ‎06-17-2024

show crypto engine connections dropped-packed <<- share this
thanks

MHM