Need explanation for ipsec #recv errors

d.bisset
Level 1

I've had a VPN concentrator that's been working for several years and now, without any known changes, VPN clients establish a tunnel but can't pass traffic. A 'show crypto ipsec sa' shows #recv errors.

What does the receive error indicate? Where do I need to look to resolve the errors?

7 Replies

DialerString_2
Level 3

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Good link to start.

If the tunnels can establish but can't pass traffic my guess would be the crypto ACL. I ran into the same problem a month back when implementing vpn.

Thanks for the suggestions but this is for VPN Clients which don't have ACLs. I have many site-to-site connections with ACLs that are working fine. What I'm really looking for is what is causing the recv errors, or in other words, what is happening, or missing, that would cause the recv error to increment.

Usually #recv errors increases when one of the checks performed while decapsulating the ESP payload fails.

It can come from:

  • Anti-replay out-of-window errors
  • Digest errors [packet corrupted]
  • Invalid decapsulation length / SA / protocol
  • Any other decapsulation failure

Maybe interesting to show both configs and versions?

ASA end configs:

Cisco ASA Software Version 7.2(2)

ASA configuration
------------------------------------------------------------------------------------------------------------
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list VPN_LIV extended permit ip 10.6.100.128 255.255.255.248 host 10.7.1.5
access-list VPN_LIV extended permit ip 10.6.100.128 255.255.255.248 host 10.7.1.7
crypto ipsec transform-set LIV esp-3des esp-sha-hmac
crypto map transam 55 match address VPN_LIV
crypto map transam 55 set peer x.x.x.x
crypto map transam 55 set transform-set LIV
crypto map transam 55 set security-association lifetime seconds 3600
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Cisco router end configs (IOS 12.4(24)T5)

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto map map 100 ipsec-isakmp
 description ****PROD VPN ****
 set peer x.x.x.x
 set transform-set VPN
 match address VPN
 reverse-route

Extended IP access list VPN
    10 permit ip host 10.7.1.5 10.6.100.128 0.0.0.7 (48509 matches)
    30 permit ip host 10.7.1.7 10.6.100.128 0.0.0.7 (9015 matches)

show crypto ipsec sa from the Cisco router:

   local  ident (addr/mask/prot/port): (10.7.1.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.6.100.128/255.255.255.248/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 271545, #pkts encrypt: 271545, #pkts digest: 271545
    #pkts decaps: 166753, #pkts decrypt: 166753, #pkts verify: 166753
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 6848

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.7.1.7/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.6.100.128/255.255.255.248/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 38406, #pkts encrypt: 38406, #pkts digest: 38406
    #pkts decaps: 27997, #pkts decrypt: 27997, #pkts verify: 27997
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 6568

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
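An added example, not code from the thread or from Cisco: it parses output shaped like the show crypto ipsec sa above and reports what a defender would check first, the #recv errors count relative to successful decaps, an empty inbound esp sas section and an outbound SPI of 0x0 (the symptoms visible in the output above). The sample text is constructed from the counters quoted in this thread; the SPI 0x1A2B3C4D on the second SA is made up.

```python
import re
# Constructed sample modelled on the counters quoted in this thread (not real output).
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.7.1.5/255.255.255.255/0/0)
    #pkts decaps: 166753, #pkts decrypt: 166753, #pkts verify: 166753
    #send errors 0, #recv errors 6848
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
   local  ident (addr/mask/prot/port): (10.7.1.7/255.255.255.255/0/0)
    #pkts decaps: 27997, #pkts decrypt: 27997, #pkts verify: 27997
    #send errors 0, #recv errors 6568
     current outbound spi: 0x0(0)
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
"""

def parse_sas(text):
    # One record per 'local ident' block: decap counter, recv errors, SPIs.
    sas, cur, section = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"local\s+ident", line):
            cur = {"local": line.split("(")[-1].rstrip(")"), "decaps": 0,
                   "recv_errors": 0, "outbound_spi": None, "inbound_spis": []}
            sas.append(cur)
            section = ""
        elif line.endswith("sas:"):  # 'inbound esp sas:', 'outbound ah sas:', ...
            section = line
        elif line.startswith("spi:") and section == "inbound esp sas:":
            cur["inbound_spis"].append(line.split()[1].split("(")[0])
        elif "#pkts decaps" in line:
            cur["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif "#recv errors" in line:
            cur["recv_errors"] = int(re.search(r"#recv errors (\d+)", line).group(1))
        elif "current outbound spi" in line:
            cur["outbound_spi"] = line.split(":")[1].split("(")[0].strip()
    return sas

def triage(sa):
    # Map the counters to the checks worth making first; returns a list of findings.
    findings = []
    if sa["recv_errors"]:
        share = 100.0 * sa["recv_errors"] / (sa["decaps"] + sa["recv_errors"])
        findings.append(f"{sa['recv_errors']} recv errors ({share:.1f}% of inbound ESP)")
    if not sa["inbound_spis"]:
        findings.append("no inbound ESP SA installed, peer traffic cannot be decapsulated")
    if sa["outbound_spi"] == "0x0":
        findings.append("outbound SPI 0x0, no active outbound SA")
    return findings
```

Run triage over each record from parse_sas; a high recv-error share with no inbound SA points at an SA mismatch or expiry to chase with the peer rather than at the crypto ACL.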

Akhtar Samo
Level 1

I am wondering if someone has faced the recv errors problem? We are running into this issue between a Cisco router and an ASA firewall.

Hi Akhtar,

Are the VPN clients using NAT-T?

Is the transform-set in tunnel mode?

Thanks.

Portu.

Hi Portu,

Yes, they have been using NAT-T and tunnel mode. Anything related to that?

Regards,

Akhtar