IPSec Traffic Being Discarded
47261
Created On 09/25/18 17:36 PM - Last Modified 06/08/23 08:59 AM
Issue
The IPSec SA is up, but the show vpn flow command shows 0 decap packets, and the IPSec session in the session table shows discard-flow.
Cause
The IPSec packets arriving at the PAN device were not ingressing on the interface where the IPSec tunnel was terminated; they entered on another interface and were routed to the tunnel from there. As a result, the IPSec session was in a discard-flow state and all packets arriving over the VPN were dropped.
Resolution
The tunnel was moved to terminate directly on the ingress interface. The decap packet counters in the show vpn flow command output then started incrementing and traffic through the VPN worked as expected.
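As an added illustration, not taken from this article or from Palo Alto Networks, the following Python check expresses the diagnosis above in code: given a constructed route table, the IKE peer address, the interface the IKE gateway is bound to, and optionally the ingress interface seen in the session table, it reports whether inbound IPSec from that peer can be expected to land on the terminating interface. All interface names and addresses are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "0.0.0.0/0"
    interface: str   # e.g. "ethernet1/1"


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the firewall would use to reach dst."""
    dst_ip = ipaddress.ip_address(dst)
    best_iface, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best_iface, best_len = r.interface, net.prefixlen
    return best_iface


def check_tunnel_termination(routes, peer_ip, gateway_interface, observed_ingress=None):
    """Return a list of findings; an empty list means the termination interface is consistent."""
    findings = []
    egress = egress_interface(routes, peer_ip)
    if egress is None:
        findings.append(f"no route to IKE peer {peer_ip}")
    elif egress != gateway_interface:
        # The peer is reached via one interface but the tunnel terminates on another:
        # this is the asymmetry that produces discard-flow and 0 decap packets.
        findings.append(f"route to peer {peer_ip} uses {egress}, IKE gateway is bound to "
                        f"{gateway_interface}: expect discard-flow on inbound IPSec")
    if observed_ingress is not None and observed_ingress != gateway_interface:
        findings.append(f"session table shows ingress on {observed_ingress}, "
                        f"tunnel terminates on {gateway_interface}")
    return findings


# Constructed sample: two uplinks, the peer is reachable via the second one.
SAMPLE_ROUTES = [Route("0.0.0.0/0", "ethernet1/1"), Route("203.0.113.0/24", "ethernet1/2")]
PEER = "203.0.113.10"

if __name__ == "__main__":
    # Misconfigured: gateway bound to ethernet1/1, packets ingress on ethernet1/2.
    for f in check_tunnel_termination(SAMPLE_ROUTES, PEER, "ethernet1/1", "ethernet1/2"):
        print("FINDING:", f)
    # Corrected: tunnel terminates on the ingress interface.
    print("corrected:", check_tunnel_termination(SAMPLE_ROUTES, PEER, "ethernet1/2", "ethernet1/2"))
```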
owner: mrajdev