ASA Site-to-Site IKEv1 IPSec VPN recv errors

On a Cisco ASA device, the receive error count on an IKEv1 IPSec VPN tunnel usually increases when one of the checks performed during decapsulation of an ESP packet fails. These include:

  • Anti-replay out of window errors
  • Digest errors (packet corrupted)
  • Invalid decapsulation length/SA/protocol
  • Any other decapsulation failure
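To make the checks listed above concrete, here is an added example (not Cisco's code and not from the original page) that models an ESP receiver and counts each failure class separately. It assumes a 64-packet replay window, HMAC-SHA1-96 as the digest, no extended sequence numbers, and constructed keys and packets; the class and function names are hypothetical.

```python
import hashlib, hmac, struct

WINDOW = 64    # replay window size assumed for this model
ICV_LEN = 12   # HMAC-SHA1-96: digest truncated to 96 bits

class InboundSA:
    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.top = 0       # highest authenticated sequence number
        self.bitmap = 0    # bit i set => sequence (top - i) already accepted
        self.errors = {}   # failure reason -> count, the model's "recv errors"

    def _fail(self, reason):
        self.errors[reason] = self.errors.get(reason, 0) + 1
        return reason

    def receive(self, pkt):
        if len(pkt) < 8 + ICV_LEN:
            return self._fail("invalid-length")
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            return self._fail("invalid-sa")
        behind = self.top - seq          # >= 0 when the packet is not new
        if seq == 0 or behind >= WINDOW:
            return self._fail("replay-out-of-window")
        if behind >= 0 and (self.bitmap >> behind) & 1:
            return self._fail("replay-duplicate")
        want = hmac.new(self.key, pkt[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(pkt[-ICV_LEN:], want):
            return self._fail("digest")
        # Slide the window only after the digest verifies, so forged packets cannot move it.
        if behind < 0:
            self.bitmap = ((self.bitmap << -behind) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << behind
        return "ok"

def build(spi, seq, key, payload=b"\x00" * 16):
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def demo():
    key, spi = b"constructed-test-key", 0x1000   # constructed sample values
    sa = InboundSA(spi, key)
    out = [sa.receive(build(spi, s, key)) for s in (1, 2, 100, 3, 100)]
    bad = bytearray(build(spi, 101, key)); bad[10] ^= 0xFF   # flip a payload byte in transit
    out += [sa.receive(bytes(bad)), sa.receive(b"\x00" * 10)]
    return out, sa.errors
```

In the demo, sequence 3 arrives after 100 and falls outside the window, which is the pattern that heavy packet reordering on the path produces for legitimate traffic.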

To determine the specific reason for a receive error, use debug commands such as:

debug crypto ipsec
debug crypto isakmp

For additional troubleshooting tips, take a look at ASA troubleshooting IPSec.