ASA - pkts encaps/decaps but not encrypt/decrypt

Hi,

From time to time I have a problem with one peer: I see that packets are encaps/decaps but they are not encrypt/decrypt:

#pkts encaps: 6687, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7498, #pkts decrypt: 0, #pkts verify: 0


After a while (sometimes after a reboot of the peer) everything is OK:

#pkts encaps: 168362, #pkts encrypt: 168362, #pkts digest: 168362
#pkts decaps: 194884, #pkts decrypt: 194884, #pkts verify: 194884


I don't change any configuration; the peer is probably a Checkpoint and I don't know if they changed anything in their config. I'm trying to guess what could be the reason for such symptoms. Any ideas?
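As an added example (not code from the thread), a small Python check that parses the counter lines quoted above and flags an SA whose encaps/decaps counters are growing while encrypt/decrypt (and digest/verify) stay at zero, so the condition can be caught by monitoring rather than by users reporting "I can't connect". The two snapshots are the ones quoted in the post, embedded as constructed strings; the `min_pkts` threshold is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample input: the two counter snapshots quoted in the post
# (the broken state and the healthy state), not live device output.
BROKEN_SNAPSHOT = """\
#pkts encaps: 6687, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7498, #pkts decrypt: 0, #pkts verify: 0
"""
HEALTHY_SNAPSHOT = """\
#pkts encaps: 168362, #pkts encrypt: 168362, #pkts digest: 168362
#pkts decaps: 194884, #pkts decrypt: 194884, #pkts verify: 194884
"""

# Matches every "#pkts <name>: <n>" pair in a "show crypto ipsec sa" dump.
COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")


def parse_counters(output: str) -> Dict[str, int]:
    """Collect the per-SA packet counters into a name -> value map."""
    return {name: int(value) for name, value in COUNTER_RE.findall(output)}


def find_stalled_directions(counters: Dict[str, int], min_pkts: int = 100) -> List[str]:
    """Return the directions ('outbound'/'inbound') where packets are being
    encapsulated or decapsulated but never encrypted/decrypted.
    min_pkts (assumed threshold) avoids flagging a freshly built SA that
    simply has not carried traffic yet."""
    checks = {
        "outbound": ("encaps", "encrypt", "digest"),
        "inbound": ("decaps", "decrypt", "verify"),
    }
    stalled = []
    for direction, (wrapper, crypto, integrity) in checks.items():
        wrapped = counters.get(wrapper, 0)
        if wrapped >= min_pkts and counters.get(crypto, 0) == 0 and counters.get(integrity, 0) == 0:
            stalled.append(direction)
    return stalled


def sa_is_healthy(output: str) -> bool:
    """True when no direction of the SA shows the encaps-without-encrypt symptom."""
    return not find_stalled_directions(parse_counters(output))


if __name__ == "__main__":
    for label, snap in (("broken", BROKEN_SNAPSHOT), ("healthy", HEALTHY_SNAPSHOT)):
        print(label, find_stalled_directions(parse_counters(snap)))
```

Run it against a saved `show crypto ipsec sa peer <addr>` capture from a cron job and alert when `sa_is_healthy` returns False; a stall in both directions at once is the pattern the post describes.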

Comments

  • Hi,

    Is this just a cosmetic/show bug (which happens a lot), or is traffic also not actually being encrypted/decrypted? When this happens, are Phase1 and Phase2 still up, assuming you use IKEv1? If packets are not encrypted, try to ensure that the Phase1 and Phase2 timers match between the two VPN gateways.

    Regards,

    Cristian.

  • Hi,

    It isn't only a cosmetic bug; theoretically traffic is passing, but the users' experience is "I can't connect", so it doesn't work. Next time I will try to check the timers. My version is 9.1(5).21 (I can't find any bug); other peers I'm not sure about, but two different peers had the same problem in the last few weeks.

    thanks

    Hubert

  • One other thing to check is to make sure that the ACLs used to define your traffic match exactly. I've seen odd behavior like this when they don't match, but the tunnel still comes up initially.
  • Additionally, do you have DPD deployed? This is another 'known' issue which can cause what you are experiencing: both phases remain up and running but no traffic passes.

  • Recently we upgraded the software to 9.1(6)11 due to the last IKE vulnerability and since then it hasn't happened again; let's see.

  • DPD has also helped solve this problem for me in the past.

    Basically both peers aren't agreeing on SPIs to encrypt/decrypt due to stale information.

  • Correct, but technically speaking the router should be smart enough to start the renegotiation when that happens; however, due to bad coding or bugs it's not always the case, thus you are better off running DPD so that if the peer is gone the stale SA is also deleted.