A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up and traffic is flowing, but the engineer notices that the 'show crypto ipsec sa' output shows the 'pkts encaps failed' counter incrementing slowly over time. The tunnel remains up. What is the most likely cause?
Correct because if a floating static route (with a higher administrative distance) becomes active for some traffic, those packets will be sent out the physical interface without encryption, causing encapsulation failures.
Why this answer
A slow but steady increase in 'pkts encaps failed' indicates that some packets that should be encrypted are not being encrypted. This is often caused by a routing issue where some traffic to the remote LAN is being routed out an interface that does not have the crypto map, bypassing encryption.