08-14-2023 04:28 PM
I have configured a tunnel, and by doing 'show crypto ikev2 sa' and 'show crypto ipsec sa' I can see that there is no issue. By doing pings, verifying the hits with 'show access-list', and doing 'show crypto ipsec sa', I can see the encrypted packets increasing; however, I have 0 decaps!
I assume that the other end might not be responding, but how can I prove that the traffic is actually passing through the tunnel? Is there any command I can use? Perhaps a packet capture or debug (I have an ISR router)?
08-14-2023 05:54 PM
Hi D@1984
You can prove it by showing the encaps. If you have encaps packets, it means the traffic is leaving your router/firewall and is not returning, as you have no decaps.
Ask the other side to verify the access-list.
08-16-2023 07:47 AM
Encaps in the 'show crypto ipsec sa' and ESP packets in the outbound captures on the WAN interface should be enough evidence. You can also recommend that they check for decaps on their device and also for inbound packet captures on the WAN interface of the peer device.
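
An added example, not part of any post in this thread: a Python script that compares two saved 'show crypto ipsec sa' outputs, taken before and after a ping test, and reports each SA whose encaps counter grew while decaps did not move. The sample output, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample: two snapshots of 'show crypto ipsec sa' taken before and
# after a ping test (addresses are documentation ranges, not from the thread).
BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 192.0.2.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
AFTER = BEFORE.replace(": 20", ": 25")  # five more packets encrypted, none returned

IDENT = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa_counters(text):
    """Return {(local_ident, remote_ident): {'encaps': n, 'decaps': n}}."""
    sas, ident, key = {}, {}, None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            ident[m.group(1)] = m.group(2)
            if m.group(1) == "remote":  # remote ident completes the SA key
                key = (ident.get("local"), ident["remote"])
                sas[key] = {}
        elif key:
            for name, value in COUNT.findall(line):
                sas[key][name] = int(value)
    return sas

def one_way_sas(before, after):
    """SAs whose encaps grew between snapshots while decaps did not move."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    findings = []
    for key, now in a.items():
        prev = b.get(key, {"encaps": 0, "decaps": 0})
        d_enc = now.get("encaps", 0) - prev.get("encaps", 0)
        d_dec = now.get("decaps", 0) - prev.get("decaps", 0)
        if d_enc > 0 and d_dec == 0:
            findings.append((key, d_enc, d_dec))
    return findings

if __name__ == "__main__":
    for (local, remote), d_enc, d_dec in one_way_sas(BEFORE, AFTER):
        print(f"{local} -> {remote}: +{d_enc} encaps, +{d_dec} decaps (no return traffic)")
```

Running the same comparison on output collected from the peer shows whether its decaps counter rises by the same amount, which separates a path problem from a peer that receives but does not reply.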