IPSEC Tunnel Phase 2 Traffic is not encrypted

(Michael K) #1

Hi Rene,
Just configured a site 2 site VPN tunnel and its shows up and active but realized the traffic passing is not encrypted.
when you do “show cry ipsec sa” the encrypt and decrypt packets are zero they do not increase at all and I had a continue ping running across the VPN.

Is there anything that will be responsible for this behavior? I feel its a NAT issue but i cant figure it quite well. I do have a dynamic NAT on the Outside interface and a more specific one for the local and remote site subnet.
I will need your advice on what to look at or do.


(Lazaros Agapides) #2

Hello Michael

If the ASA is not encrypting this traffic it could be because there’s a problem with the NAT configuration as you mentioned.

When the ASA receives a packet, it will first check if there is an ACLs that allows the traffic, then it will pass it through inspection engines and check if there is any NAT associated with it. If for example the packet is being NATed, then the encryption will never take place.

First of all, make sure that the packets from the remote network are really reaching the ASA, and that the NAT rule is correct. Also, try taking a look at ‘‘debug cry isa 127’’ and ‘‘debug cry ips 127’’ debugs to check for any errors.

Take a look at this lesson for more insight:

And take a look at some of the previous responses in the forum, you may find some info that is useful, such as the following:

I hope this has been helpful!


(Michael K) #3

Thanks for your inputs, I figure out the issue and has being resolved. It was a layer 1 issue, cables on one of the host weren’t properly connected.