VPN Tunnel Error

Unanswered Question
May 5th, 2007

I have successfully established a site to site VPN tunnel with a Cisco ASA 5505 and a Symantec Gateway 460R. However, the Cisco ASA log is pushing out tons of this severity 4 log message:

"IPSEC: Received an ESP packet (SPI= 0x5E4FE6BC, sequence number= 0xD7) from 24.249.107.28 (user= 24.249.107.28) to 24.124.37.98. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 63.149.181.130, its source as 10.4.167.105, and its protocol as 17. The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.4.167.0/255.255.255.0/0/0."

Any ideas what would be causing this?

Kev

ggilbert Mon, 05/07/2007 - 08:05

Kev,

Check the ACL configured on the ASA 5505 to match with the symantec gateway.

On your ASA, the ACL was configured between 192.168.1.x/24 network to 10.4.167.x/24 network. But the packet was received from the address 10.4.167.105 to the address 63.149.181.130, which I believe doesn't belong in your encryption ACL.

Seems like the packet that was received from the symantec gateway does not match the ACL that is configured on the ASA 5505.

Which device has the IP Address 63.149.181.130?

Rate this post, if it helps.

Cheers

Gilbert
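
The check Gilbert describes (inner source and destination of the decapsulated packet compared against the SA's local and remote proxy identities) can be run mechanically over the ASA syslog. The script below is an added example, not code from the thread or from Cisco; it assumes the message text has exactly the layout quoted in the question, and the only sample input is that quoted line, embedded as a constructed string. For an ESP packet received from the peer, the inner source must fall inside the remote proxy and the inner destination inside the local proxy (a proxy protocol of 0 means any protocol).

```python
"""Parse ASA 'decapsulated inner packet doesn't match the negotiated policy'
messages and report which proxy identity the inner packet violates."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the message quoted in the question, joined on one line.
SAMPLE_LOG = (
    "IPSEC: Received an ESP packet (SPI= 0x5E4FE6BC, sequence number= 0xD7) "
    "from 24.249.107.28 (user= 24.249.107.28) to 24.124.37.98. The decapsulated "
    "inner packet doesn't match the negotiated policy in the SA. The packet "
    "specifies its destination as 63.149.181.130, its source as 10.4.167.105, "
    "and its protocol as 17. The SA specifies its local proxy as "
    "192.168.1.0/255.255.255.0/0/0 and its remote_proxy as "
    "10.4.167.0/255.255.255.0/0/0."
)

# Field layout assumed from the quoted message: proxies are addr/mask/proto/port.
MSG_RE = re.compile(
    r"SPI= (?P<spi>0x[0-9A-Fa-f]+).*?"
    r"from (?P<peer>[\d.]+) .*? to (?P<local>[\d.]+)\. .*?"
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. .*?"
    r"local proxy as (?P<lproxy>[\d.]+/[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+) "
    r"and its remote_proxy as (?P<rproxy>[\d.]+/[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+)\."
)


def parse_message(line):
    """Extract peer, inner header and SA proxies from one ASA message."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not a proxy-mismatch message")
    d = m.groupdict()
    return {
        "spi": d["spi"],
        "peer": ipaddress.ip_address(d["peer"]),
        "inner_src": ipaddress.ip_address(d["src"]),
        "inner_dst": ipaddress.ip_address(d["dst"]),
        "inner_proto": int(d["proto"]),
        # ipaddress accepts addr/netmask notation as the ASA prints it.
        "local_proxy": ipaddress.ip_network(d["lproxy"], strict=False),
        "local_proto": int(d["lproto"]),
        "remote_proxy": ipaddress.ip_network(d["rproxy"], strict=False),
        "remote_proto": int(d["rproto"]),
    }


def find_mismatches(info):
    """Reasons the inner packet does not fit the SA; empty list means it fits."""
    problems = []
    # Inbound ESP: inner source belongs to the peer side (remote proxy),
    # inner destination to our side (local proxy).
    if info["inner_src"] not in info["remote_proxy"]:
        problems.append(
            f"source {info['inner_src']} not in remote proxy {info['remote_proxy']}")
    if info["inner_dst"] not in info["local_proxy"]:
        problems.append(
            f"destination {info['inner_dst']} not in local proxy {info['local_proxy']}")
    # Proxy protocol 0 means any; otherwise it must equal the inner protocol.
    for side in ("local", "remote"):
        want = info[f"{side}_proto"]
        if want and want != info["inner_proto"]:
            problems.append(
                f"protocol {info['inner_proto']} differs from {side} proxy protocol {want}")
    return problems


def summarize(lines):
    """Count (inner_src, inner_dst) pairs across many messages so the hosts
    generating the flood stand out; non-matching lines are skipped."""
    pairs = Counter()
    for line in lines:
        try:
            info = parse_message(line)
        except ValueError:
            continue
        pairs[(str(info["inner_src"]), str(info["inner_dst"]))] += 1
    return pairs


if __name__ == "__main__":
    info = parse_message(SAMPLE_LOG)
    for reason in find_mismatches(info):
        print(reason)
    print(summarize([SAMPLE_LOG]))
```

On the quoted message the checker reports only the destination: 10.4.167.105 is inside the remote proxy 10.4.167.0/24, but 63.149.181.130 is outside the local proxy 192.168.1.0/24, which is Gilbert's point. Running summarize() over a day of syslog shows which hosts behind the Symantec gateway are sending traffic into the tunnel that the ASA side's crypto ACL never agreed to carry; the fix belongs on whichever side is putting that traffic into the tunnel, not in blindly widening the ASA's encryption ACL to the public host.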

Pwcjayhawk1 Mon, 05/07/2007 - 08:14

The 63.149.181.130 IP belongs to a company that hosts our data images, and it's quite regular for the PCs on the Symantec Gateway side to be communicating with it. The weird thing is that the 10.4.167.105 address is a domain controller, so somehow, communication with the 63.149.181.130 is being routed through the domain controller and then sent over the encrypted VPN to the ASA 5505.

ggilbert Mon, 05/07/2007 - 08:26

Kevin,

At least you know what is happening now and you can proceed in the right direction.

Rate this post, if it helps.

Cheers

Gilbert
