
ASA - pkts encaps/decaps but not encrypt/decrypt
Hi,
from time to time I have a problem with one peer and I see that packets are encaps/decaps but they are not encrypt/decrypt:
#pkts encaps: 6687, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7498, #pkts decrypt: 0, #pkts verify: 0
after a while (sometimes a reboot of the peer) everything is OK:
#pkts encaps: 168362, #pkts encrypt: 168362, #pkts digest: 168362
#pkts decaps: 194884, #pkts decrypt: 194884, #pkts verify: 194884
I don't change any configuration; probably the peer is Checkpoint and I don't know if they change anything in the config. I'm trying to guess what can be a reason for such symptoms, any idea?
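A check for the symptom in the counters above, as an added example that is not from the original post or from Cisco: it parses the `#pkts` lines of `show crypto ipsec sa` output and flags peers whose packets are encapsulated/decapsulated but never encrypted/decrypted. The sample output and peer addresses are constructed placeholders.

```python
import re

# Constructed sample of the relevant lines from `show crypto ipsec sa`.
# Not a capture from the original post; the values mirror the symptom described.
SAMPLE_OUTPUT = """\
Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
  current_peer: 198.51.100.7
  #pkts encaps: 6687, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 7498, #pkts decrypt: 0, #pkts verify: 0

Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1
  current_peer: 198.51.100.9
  #pkts encaps: 168362, #pkts encrypt: 168362, #pkts digest: 168362
  #pkts decaps: 194884, #pkts decrypt: 194884, #pkts verify: 194884
"""

COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")


def parse_sa_counters(text):
    """Return {peer: {counter_name: value}} from show crypto ipsec sa text."""
    peers = {}
    current = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, {})
            continue
        if current is None:
            continue  # counters before the first peer line are ignored
        for name, value in COUNTER_RE.findall(line):
            peers[current][name] = int(value)
    return peers


def stale_sa_peers(counters):
    """Peers with encaps/decaps activity but zero encrypt/decrypt: the stale-SA symptom."""
    flagged = []
    for peer, c in counters.items():
        out_bad = c.get("encaps", 0) > 0 and c.get("encrypt", 0) == 0
        in_bad = c.get("decaps", 0) > 0 and c.get("decrypt", 0) == 0
        if out_bad or in_bad:
            flagged.append(peer)
    return flagged


if __name__ == "__main__":
    print(stale_sa_peers(parse_sa_counters(SAMPLE_OUTPUT)))
```

Run it periodically against the live command output to get an alert before users report "I can't connect".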
Comments
Hi,
Is this just a cosmetic/show bug (which happens a lot), or also traffic is not actually being encrypted/decrypted? When this happens, are Phase1 and Phase2 still up, assuming you use IKEv1? If packets are not encrypted, try to ensure that Phase1 and Phase2 timers match between the two VPN gateways.
Regards,
Cristian.
Hi,
it isn't only a cosmetic bug; theoretically traffic is passing then, but the users' experience is "I can't connect", so it doesn't work. Next time I will try to check timers. My version is 9.1(5).21 (I can't find any bug); other peers I'm not sure, but two different peers had the same problem in the last few weeks
thanks
Hubert
On Jan 21, 2016, at 11:00, HubertW <[email protected]> wrote:
recently we upgraded software to 9.1(6)11 due to the last IKE vulnerability and since then it didn't happen again, let's see
DPD has also helped solve this problem for me in the past.
Basically both peers aren't agreeing on SPIs to encrypt/decrypt due to stale information.
Correct, but technically speaking the router should be smart enough and start the renegotiation when that happens; however, due to bad coding or bugs it's not always the case; thus better off to run DPD so if the peer is gone the stale SA is also deleted.