VPN Tunnel Error

Unanswered Question
May 5th, 2007

I have successfully established a site-to-site VPN tunnel with a Cisco ASA 5505 and a Symantec Gateway 460R. However, the Cisco ASA log is pushing out tons of this severity 4 log message:

"IPSEC: Received an ESP packet (SPI= 0x5E4FE6BC, sequence number= 0xD7) from (user= to The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as, its source as, and its protocol as 17. The SA specifies its local proxy as and its remote_proxy as"

Any ideas what would be causing this?


ggilbert Mon, 05/07/2007 - 08:05


Check the ACL configured on the ASA 5505 to match with the Symantec gateway.

On your ASA, the ACL was configured between 192.168.1.x/24 network to 10.4.167.x/24 network. But the packet was received from the address to the address, which I believe doesn't belong in your encryption ACL.

Seems like the packet that was received from the Symantec gateway does not match the ACL that is configured on the ASA 5505.

Which device has the IP Address

Rate this post, if it helps.
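The check described in the reply above, as an added example that is not part of the original thread: it parses a message of this type and reports which inner-packet field falls outside the SA's proxy identities. The sample message and all of its addresses are constructed, and the `address/mask/protocol/port` proxy layout is an assumption about how the ASA prints those fields.

```python
import ipaddress
import re

# Constructed sample shaped like the message quoted in the question; every
# address is a placeholder (the thread's own copy has the addresses stripped).
SAMPLE = (
    "IPSEC: Received an ESP packet (SPI= 0x5E4FE6BC, sequence number= 0xD7) "
    "from 198.51.100.2 (user= 198.51.100.2) to 203.0.113.1. The decapsulated "
    "inner packet doesn't match the negotiated policy in the SA. The packet "
    "specifies its destination as 192.168.1.20, its source as 192.0.2.50, and "
    "its protocol as 17. The SA specifies its local proxy as "
    "192.168.1.0/255.255.255.0/0/0 and its remote_proxy as "
    "10.4.167.0/255.255.255.0/0/0."
)

PATTERN = re.compile(
    r"destination as (?P<dst>[\d.]+?), its source as (?P<src>[\d.]+?), "
    r"and its protocol as (?P<proto>\d+)\..*?"
    r"local proxy as (?P<local>\S+) and its remote_proxy as (?P<remote>\S+?)\.?$"
)

def parse_proxy(text):
    """Split an assumed 'address/mask/protocol/port' proxy; 0 means any."""
    addr, mask, proto, _port = text.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto)

def explain_mismatch(message):
    """Return the reasons the inner packet falls outside the SA's proxies."""
    m = PATTERN.search(message.strip())
    if m is None:
        raise ValueError("not a proxy-mismatch message, or fields are missing")
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    proto = int(m["proto"])
    local_net, local_proto = parse_proxy(m["local"])
    remote_net, remote_proto = parse_proxy(m["remote"])
    reasons = []
    # Received traffic: inner source must sit in the remote proxy and inner
    # destination in the local proxy, mirroring the crypto ACL on this side.
    if src not in remote_net:
        reasons.append(f"source {src} is outside remote proxy {remote_net}")
    if dst not in local_net:
        reasons.append(f"destination {dst} is outside local proxy {local_net}")
    if local_proto not in (0, proto) or remote_proto not in (0, proto):
        reasons.append(f"protocol {proto} is not covered by the SA")
    return reasons

if __name__ == "__main__":
    for reason in explain_mismatch(SAMPLE):
        print(reason)
```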



Pwcjayhawk1 Mon, 05/07/2007 - 08:14

The IP belongs to a company that hosts our data images, and it's quite regular for the PCs on the Symantec Gateway side to be communicating with it. The weird thing is that the address is a domain controller, so somehow, communication with the is being routed through the domain controller and then sent over the encrypted VPN to the ASA 5505.

ggilbert Mon, 05/07/2007 - 08:26


At least you know what is happening now and you can proceed in the right direction.

Rate this post, if it helps.



