Query regarding site to site vpn

shoaib sheikh
Level 1

Hello everyone,

When I am checking the "show crypto ipsec sa" output, I am getting hits for packets decapsulated but no hits on packets decrypted. Does this suggest that my ASA is receiving the packets but is not able to decrypt them?

#pkts encaps: 1416, #pkts encrypt: 1416, #pkts digest: 1416
#pkts decaps: 706, #pkts decrypt: 0, #pkts verify: 0

3 Replies

Murali
Level 1

Yes. Did you try clearing the SAs? Also, did you check any log messages?

Hi Murali,

I have cleared the tunnel but it is still the same result.

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 2, #pkts decrypt: 0, #pkts verify: 0

Still, decrypt is showing zero. Does it mean that phase 2 is still not up and both firewalls are not agreeing on encryption parameters for phase 2?

Please suggest.

If you paste the entire output of show cry ips sa, we can see if phase 2 is up or not.

The ASA processes encrypted packets in phases: first it decapsulates by taking off the outside header, then it decrypts the payload, and finally it checks the hashing for integrity. That is in simple words, but the detailed process is complex and resource intensive.
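Added example (not part of any poster's reply and not Cisco code): a small Python check that parses the "#pkts" counter lines of "show crypto ipsec sa" output and reports inbound stages (decrypt, verify) whose count lags the decaps count, which is the condition this thread is about. The function names are hypothetical, and the sample input is the two counter snapshots quoted in the thread.

```python
import re

# Matches one counter, e.g. "#pkts decaps: 706", anywhere on a line.
COUNTER_RE = re.compile(r"#pkts\s+([a-z ]+?):\s*(\d+)")

# Counter lines as quoted in the thread (before and after clearing the tunnel).
SAMPLE = """\
#pkts encaps: 1416, #pkts encrypt: 1416, #pkts digest: 1416
#pkts decaps: 706, #pkts decrypt: 0, #pkts verify: 0
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 2, #pkts decrypt: 0, #pkts verify: 0
"""


def parse_counters(text):
    """Return one dict of counters per SA block; a block starts at 'encaps'."""
    blocks, current = [], {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            key = name.strip()
            if key == "encaps" and current:
                blocks.append(current)
                current = {}
            current[key] = int(value)
    if current:
        blocks.append(current)
    return blocks


def inbound_stage_gaps(counters):
    """List inbound stages (decrypt, verify) counted lower than decaps."""
    decaps = counters.get("decaps", 0)
    findings = []
    for stage in ("decrypt", "verify"):
        count = counters.get(stage, 0)
        if decaps > 0 and count < decaps:
            findings.append(f"{stage}={count} is below decaps={decaps}")
    return findings


if __name__ == "__main__":
    for index, block in enumerate(parse_counters(SAMPLE), start=1):
        gaps = inbound_stage_gaps(block)
        print(f"SA block {index}: {gaps if gaps else 'inbound counters consistent'}")
```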