Cisco ASA VPN Tunnel Encaps Decaps

In the output below you can see that for this tunnel the decaps counter is at 0 while the encaps counter is at 21. This means the ASA is encrypting data and sending it across the tunnel but has not received anything to decrypt in return. The reverse pattern (decaps climbing while encaps stays at 0) means the opposite: traffic is arriving from the peer but nothing is being sent back.

To view this information you would use the command “show crypto ipsec sa peer x.x.x.x”.

*I made up the IP Addresses!

peer address: 12.10.222.31
    Crypto map tag: outside_map, seq num: 20, local addr: 74.222.11.16

      access-list outside_cryptomap_20 extended permit ip host 192.168.23.35 host 12.10.222.26
      local ident (addr/mask/prot/port): (192.168.23.35/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (12.10.222.26/255.255.255.255/0/0)
      current_peer: 12.10.222.31

      #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 74.222.11.16/0, remote crypto endpt.: 12.10.222.31/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 0D44F634
      current inbound spi : 06855D94

    inbound esp sas:
      spi: 0x06855D94 (109403540)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 139227136, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28770
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x0D44F634 (222623284)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 139227136, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28770
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

At this point the tunnel is up, so Phase 1 can be ruled out. I would check for ACL and NAT misconfigurations, and also make sure that the other end is routing properly through the tunnel.
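To mechanise the reading described above, here is an added example (not code from the original post) that parses the counter lines of “show crypto ipsec sa” output and reports whether each peer is sending only, receiving only, idle, or passing traffic both ways. The sample text is constructed from the made-up addresses and counters shown above.

```python
import re

# Constructed sample: the counter lines from the post's (made-up) tunnel output.
SAMPLE_OUTPUT = """\
peer address: 12.10.222.31
    Crypto map tag: outside_map, seq num: 20, local addr: 74.222.11.16
      #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

PEER_RE = re.compile(r"peer address: (\S+)")
# Captures "#pkts encaps: 21" style pairs as well as the send/recv error counters.
COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors): (\d+)")


def parse_peers(output):
    """Split 'show crypto ipsec sa' output into {peer: {counter_name: value}}."""
    peers = {}
    current = None
    for line in output.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            current = m.group(1)
            peers[current] = {}
            continue
        if current is None:
            continue  # counters before any "peer address:" header are ignored
        for name, value in COUNTER_RE.findall(line):
            peers[current][name] = int(value)
    return peers


def diagnose(counters):
    """Turn the encaps/decaps counters into the verdict the post describes."""
    encaps = counters.get("pkts encaps", 0)
    decaps = counters.get("pkts decaps", 0)
    if encaps and not decaps:
        return "sending only: no return traffic; check far-end ACL, NAT and routing"
    if decaps and not encaps:
        return "receiving only: nothing sent locally; check local ACL, NAT and routing"
    if not encaps and not decaps:
        return "idle: no interesting traffic has hit the crypto map yet"
    return "bidirectional: traffic is flowing both ways"


def report(output):
    """Map each peer in the output to its one-line diagnosis."""
    return {peer: diagnose(c) for peer, c in parse_peers(output).items()}
```

Paste the full command output into `report()`; a peer that shows “sending only” is the case in this post, where Phase 1 and Phase 2 are up but nothing comes back.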
