05-03-2017 08:07 AM
Hello everyone,
When I am checking the "show crypto ipsec sa" output, I am getting hits for packets decapsulated but no hits on packets decrypted. Does this suggest that my ASA is receiving the packets but is not able to decrypt them?
#pkts encaps: 1416, #pkts encrypt: 1416, #pkts digest: 1416
#pkts decaps: 706, #pkts decrypt: 0, #pkts verify: 0
05-03-2017 08:17 AM
Yes. Did you try clearing the SAs? Also, did you check any log messages?
05-03-2017 11:42 PM
Hi Murali,
I have cleared the tunnel but it is still the same result.
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 2, #pkts decrypt: 0, #pkts verify: 0
Decrypt is still showing zero. Does it mean that phase 2 is still not up and both firewalls are not agreeing on encryption parameters for phase 2?
Please suggest.
05-04-2017 03:04 AM
If you paste the entire output of show cry ips sa we can see if phase 2 is up or not.
The ASA processes encrypted packets in phases: first it decapsulates by taking off the outside header, then it decrypts the payload, and finally it checks the hash for integrity. That is in simple words, but the detailed process is complex and resource intensive.
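The counter comparison discussed in this thread can be scripted. The following is an added example, not part of any post above: it parses the `#pkts` counter lines and reports SAs where packets are decapsulated but none are decrypted or verified. The function names `parse_sas` and `check_sa` are hypothetical, the sample text is constructed from the counters quoted in the thread plus one made-up SA, and the check reports the condition only, not its cause.

```python
import re

# Constructed sample: the counter lines quoted in the thread,
# followed by one made-up SA whose inbound counters all advance.
SAMPLE = """\
      #pkts encaps: 1416, #pkts encrypt: 1416, #pkts digest: 1416
      #pkts decaps: 706, #pkts decrypt: 0, #pkts verify: 0
      #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
      #pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
"""

# Matches single-word counters such as "#pkts decaps: 706".
COUNTER = re.compile(r"#pkts (\w+): (\d+)")


def parse_sas(text):
    """Return one dict of counters per SA.

    Assumption: each SA's counter block starts with the 'encaps' counter,
    as in the output quoted in the thread.
    """
    sas = []
    for name, value in COUNTER.findall(text):
        if name == "encaps" or not sas:
            sas.append({})
        sas[-1][name] = int(value)
    return sas


def check_sa(counters):
    """List the inbound stages that saw no packets although decaps did."""
    findings = []
    decaps = counters.get("decaps", 0)
    if decaps > 0 and counters.get("decrypt", 0) == 0:
        findings.append("decaps-without-decrypt")
    if decaps > 0 and counters.get("verify", 0) == 0:
        findings.append("decaps-without-verify")
    return findings


if __name__ == "__main__":
    for index, sa in enumerate(parse_sas(SAMPLE), start=1):
        result = check_sa(sa) or ["inbound counters consistent"]
        print(f"SA {index}: decaps={sa.get('decaps')} "
              f"decrypt={sa.get('decrypt')} verify={sa.get('verify')} "
              f"-> {', '.join(result)}")
```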