{"id":803,"date":"2013-09-01T00:00:00","date_gmt":"2013-09-01T00:00:00","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2013\/09\/01\/asa-vpn-traffic-is-not-being-encrypted-cscsd48512\/"},"modified":"2021-07-24T17:20:18","modified_gmt":"2021-07-24T17:20:18","slug":"asa-vpn-traffic-is-not-being-encrypted-cscsd48512","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/asa-vpn-traffic-is-not-being-encrypted-cscsd48512.html","title":{"rendered":"ASA – VPN Traffic is not being encrypted (CSCsd48512)"},"content":{"rendered":"
Traffic is sent out from the ASA unencrypted.<\/p>\n
This can be caused by a duplicate (stale) ASP crypto table entry, which prevents the ASA from encrypting any traffic destined for the remote host.
There are 2 commands which show this behaviour. They are:<\/p>\n
Interface outside:
!
out id=0xd616fff0, priority=70, domain=encrypt, deny=false
hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
src ip=192.168.100.0, mask=255.255.255.0, port=0
dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
out id=0xd1592dd0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x4bed13c, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
src ip=192.168.100.0, mask=255.255.255.0, port=0
dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0<\/pre>\nNote:<\/strong> Details of this bug can also be viewed within CSCsd48512 (Duplicate ASP crypto table entry causes firewall to not encrypt traffic)<\/em><\/p>\n
Solution<\/strong><\/h2>\n
There are 2 solutions to this issue:<\/p>\n
\n
- Reboot the firewall.<\/li>\n
- Upgrade the firewall to version 7.0(4.13), 7.2(0.46), 7.1(2.1), 7.0(5), 7.2(1) or 8.0(0.1).<\/li>\n<\/ol>\n
Additional References<\/strong><\/h2>\n
CSCsh48962 – Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI.
CSCso50996 – ASA dropping the packet instead of encrypting it.<\/p>\n","protected":false},"excerpt":{"rendered":"Issue Traffic is sent out from the ASA unencrypted. Cause This can be caused by a duplicate (stale) ASP crypto table entry, this prevents the ASA encrypting any traffic destined for the remote host. There are 2 commands which shows this behaviour. They are, Interface outside:!out id=0xd616fff0, priority=70, domain=encrypt, deny=false hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"yoast_head":"\n
ASA - VPN Traffic is not being encrypted (CSCsd48512) - Fir3net<\/title>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\t\n