
The meaning of packets not compressed in show crypto ipsec sa?

XIE YAO
Level 1

Hi Team,

As the title says, just curious: what's the significance of "pkts not compressed" in "show crypto ipsec sa"? This counter seems to be the same as pkts encaps in some cases.

      #pkts encaps: 11111, #pkts encrypt: 11111, #pkts digest: 11111
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 11111, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

Regards

2 Replies

Dinesh Moudgil
Cisco Employee

Hi ,

This field is significant when we use data compression for VPNs under the transform set.
LZS compression is only supported on AnyConnect, SSL and IPsec remote access VPNs and not on LAN-to-LAN tunnels. It is not supported for IKEv2 connections.

Compression was designed for high-latency, low-bandwidth connections (in both SSL and IPsec); it requires additional processing in software on the client side and should be carefully considered when applying.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

jroy777
Level 1

Be sure that ESP has been allowed to your VPN device on your outside ACL inbound:

permit esp host <s2s-VPN-Peer-IP> any

We found that a router sitting in front of our ASA, with ACLs for security, was preventing ESP packets from getting into our ASA.
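
A way to triage the counters discussed in this thread, as an added example that is not part of the original posts or Cisco tooling: it parses `show crypto ipsec sa` counter lines and flags an SA where compression is not in use and where traffic is only flowing one way (the symptom the last reply traced to ESP being blocked upstream). The function names, finding labels and the reading of "not compressed equals encaps" as "compression not in use" are assumptions of this example; the sample input is the output quoted in the question.

```python
import re

# Constructed sample: the counter lines quoted in the question above.
SAMPLE = """\
      #pkts encaps: 11111, #pkts encrypt: 11111, #pkts digest: 11111
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 11111, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
"""

# Each counter is printed as "#<name>: <integer>", several per line.
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z \-]*):\s*(\d+)")


def parse_counters(text):
    """Return {lower-cased counter name: int} for every '#name: value' pair."""
    return {name.strip().lower(): int(val) for name, val in COUNTER_RE.findall(text)}


def assess(c):
    """Hypothetical triage helper: findings derived from one SA's counters."""
    findings = []
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    # Assumption: every encapsulated packet counted as "not compressed" and
    # none as "compressed" means compression is not in use on this SA.
    if encaps > 0 and c.get("pkts compressed", 0) == 0 \
            and c.get("pkts not compressed", 0) == encaps:
        findings.append("compression-not-in-use")
    if c.get("pkts comp failed", 0) or c.get("pkts decomp failed", 0):
        findings.append("compression-errors")
    # Packets leave but nothing is decapsulated: verify that ESP from the
    # peer is permitted inbound on every device in front of the VPN endpoint.
    if encaps > 0 and decaps == 0:
        findings.append("one-way-outbound")
    if decaps > 0 and encaps == 0:
        findings.append("one-way-inbound")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append("send-recv-errors")
    return findings


if __name__ == "__main__":
    print(assess(parse_counters(SAMPLE)))
```
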