VPN tunnel ASA5510 to CheckPoint - 402116 error

Nov 9th, 2007

Hi,


We are receiving the following messages constantly in the ASA5510. I don't see any problem on the CheckPoint side. I did see the other posts about this error but I can't determine the source of the problem. I think it has to do with the way the CheckPoint appears to the ASA in some packets. CheckPoint's virtual IP is x.x.x.222 but the device's real addr is x.x.x.223. The tunnel forms with x.x.x.222 but something seems to want to talk to x.x.x.223. Not sure what to do. I did try adding x.x.x.223 to the crypto access list and applying the change, but I never see it in the "sh crypto ipsec sa" output. Looking for help/guidance. Thank you!


%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, sequence number= 0x6B8D) from x.x.x.222 (user= x.x.x.222) to x.x.x.192. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as x.x.x.192, its source as x.x.x.223, and its protocol as 1. The SA specifies its local proxy as x.x.x.192/255.255.255.255/0/0 and its remote_proxy as 172.x.x.0/255.255.255.0/0/0.


Outside int addr on ASA5510= x.x.x.192

Outside int addr on CheckPoint=x.x.x.222 (virtual), x.x.x.223 (real)


Segment behind CheckPoint = 172.x.x.0/24 (this is where syslogs are sent)



# sh crypto ipsec sa
interface: Internet
Crypto map tag: Internet_map, seq num: 1, local addr: x.x.x.192

access-list Internet_1_cryptomap permit ip interface Internet 172.x.x.0 255.255.255.0
local ident (addr/mask/prot/port): (x.x.x.192/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.x.x.0/255.255.255.0/0/0)
current_peer: x.x.x.222

#pkts encaps: 57198, #pkts encrypt: 57198, #pkts digest: 57198
#pkts decaps: 28401, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 57198, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 2, #recv errors: 28401

local crypto endpt.: x.x.x.192, remote crypto endpt.: x.x.x.222
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4EE644C1

inbound esp sas:
spi: 0xA7245819 (2804176921)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: Internet_map
sa timing: remaining key lifetime (kB/sec): (4275000/26019)
IV size: 8 bytes
replay detection support: Y

outbound esp sas:
spi: 0x4EE644C1 (1323713729)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: Internet_map
sa timing: remaining key lifetime (kB/sec): (4246143/26019)
IV size: 8 bytes
replay detection support: Y


calterio Fri, 11/09/2007 - 12:00

I was able to stop the messages by removing the logging statement to the device on the 172.x.x.0/24 network. This device is not powered up right now, so apparently this was causing the errors.
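The 402116 message in the original post carries everything needed to see why the ASA drops the packet: the decapsulated inner packet (src x.x.x.223, dst x.x.x.192, protocol 1 = ICMP) is checked against the proxy identities negotiated for the SA (local x.x.x.192/32, remote 172.x.x.0/24), and the inner source is not inside the remote proxy, so the ASA counts it as a receive error instead of forwarding it. The follow-up reply is consistent with that: the syslog target in 172.x.x.0/24 was down, so what came back through the tunnel was ICMP sourced from the CheckPoint's own real address rather than from the protected subnet. The script below is an added example, not code from the thread or from Cisco; it parses 402116 lines and reports which proxy check the inner packet fails. The log lines are constructed from the message format in the post with RFC 5737 documentation addresses standing in for the masked x.x.x.* values, and the "gateway_originated" flag is a heuristic of my own (inner source outside both proxies but in the same /24 as the ESP peer), not something the ASA reports.

```python
"""Parse Cisco ASA %ASA-4-402116 messages and check the decapsulated inner
packet against the proxy identities (traffic selectors) the SA negotiated.

Added example, not from the original thread. Sample lines are constructed.
"""
import ipaddress
import re

# Field order as it appears in the message quoted in the post.
_MSG_RE = re.compile(
    r"%ASA-4-402116: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<outer_src>[\d.]+) "
    r"\(user= (?P<user>[^)]+)\) to (?P<outer_dst>[\d.]+)\. "
    r"The decapsulated inner packet doesn't match the negotiated policy in the SA\. "
    r"The packet specifies its destination as (?P<inner_dst>[\d.]+), "
    r"its source as (?P<inner_src>[\d.]+), and its protocol as (?P<proto>\d+)\. "
    r"The SA specifies its local proxy as (?P<local_proxy>[\d./]+) "
    r"and its remote_proxy as (?P<remote_proxy>[\d./]+)\."
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

# Constructed from the post's message (x.x.x.* replaced by 198.51.100.*,
# 172.x.x.0/24 by 172.16.10.0/24).
LOG_FROM_POST = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, sequence number= 0x6B8D) "
    "from 198.51.100.222 (user= 198.51.100.222) to 198.51.100.192. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "198.51.100.192, its source as 198.51.100.223, and its protocol as 1. The SA specifies its "
    "local proxy as 198.51.100.192/255.255.255.255/0/0 and its remote_proxy as "
    "172.16.10.0/255.255.255.0/0/0."
)

# Constructed variant: the inner source is fine but the destination is not the
# ASA's own /32, e.g. a host on the far side trying to reach another local address.
LOG_DST_MISMATCH = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, sequence number= 0x6B8E) "
    "from 198.51.100.222 (user= 198.51.100.222) to 198.51.100.192. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "198.51.100.193, its source as 172.16.10.5, and its protocol as 6. The SA specifies its "
    "local proxy as 198.51.100.192/255.255.255.255/0/0 and its remote_proxy as "
    "172.16.10.0/255.255.255.0/0/0."
)


def parse_proxy(spec):
    """ASA proxy identity 'addr/mask/prot/port' -> (ip_network, prot, port)."""
    addr, mask, prot, port = spec.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(prot), int(port)


def parse_402116(line):
    """Return the fields of a %ASA-4-402116 message, or None if it is not one."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    f["proto"] = int(f["proto"])
    f["local_proxy"] = parse_proxy(f["local_proxy"])
    f["remote_proxy"] = parse_proxy(f["remote_proxy"])
    return f


def diagnose(line):
    """Apply the SA's proxy checks to the inner packet and list what fails."""
    f = parse_402116(line)
    if f is None:
        return None
    inner_src = ipaddress.ip_address(f["inner_src"])
    inner_dst = ipaddress.ip_address(f["inner_dst"])
    peer = ipaddress.ip_address(f["outer_src"])
    remote_net, remote_prot, _ = f["remote_proxy"]
    local_net, local_prot, _ = f["local_proxy"]

    problems = []
    if inner_src not in remote_net:
        problems.append(f"inner source {inner_src} is outside remote proxy {remote_net}")
    if inner_dst not in local_net:
        problems.append(f"inner destination {inner_dst} is outside local proxy {local_net}")
    for label, prot in (("remote", remote_prot), ("local", local_prot)):
        if prot and prot != f["proto"]:  # prot 0 in the proxy means any protocol
            problems.append(f"inner protocol {f['proto']} != {label} proxy protocol {prot}")

    # Heuristic (assumption, not an ASA field): a source outside both proxies but
    # in the ESP peer's own /24 is most likely the peer gateway itself injecting
    # traffic it generated (such as ICMP) rather than forwarding the protected subnet.
    peer_lan = ipaddress.ip_network(f"{peer}/24", strict=False)
    gateway_originated = (inner_src not in remote_net and inner_src not in local_net
                          and inner_src in peer_lan)

    return {
        "spi": f["spi"],
        "peer": str(peer),
        "proto_name": PROTO_NAMES.get(f["proto"], str(f["proto"])),
        "problems": problems,
        "gateway_originated": gateway_originated,
    }


if __name__ == "__main__":
    for sample in (LOG_FROM_POST, LOG_DST_MISMATCH):
        print(diagnose(sample))
```

For the line from the post the only failing check is the inner source, and the flag marks it as traffic from the peer gateway's own address, which is what the reply confirms: the syslog host in 172.x.x.0/24 was off, so nothing from the protected subnet was answering. Adding x.x.x.223 to the crypto ACL, as the poster tried, would not change that output until both peers renegotiate the SA with the new selector, which is why it never showed up in "sh crypto ipsec sa".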
