ASA Site-to-Site IKEv1 IPSec VPN recv errors
On a Cisco ASA device, receive errors on an IKEv1 IPSec VPN tunnel usually increase when one of the tests performed during the decapsulation of the ESP fails. These include:
- Anti-replay out of window errors
- Digest errors (packet corrupted)
- Invalid decapsulation length/SA/protocol
- Any other decapsulation failure
To determine the specific reason for a receive error, the use of various debug commands is necessary such as:
debug crypto ipsec debug crypto isakmp
For additional troubleshooting tips, take a look at ASA troubleshooting IPSec.