VPN tunnel ASA5510 to CheckPoint - 402116 error

calterio
Level 1

Hi,

We are receiving the following messages constantly in the ASA5510. I don't see any problem on the CheckPoint side. I did see the other posts about this error but I can't determine the source of the problem. I think it has to do with the way the CheckPoint appears to the ASA in some packets. CheckPoint's virtual IP is x.x.x.222 but the device's real address is x.x.x.223. The tunnel forms with x.x.x.222 but something seems to want to talk to x.x.x.223. Not sure what to do. I did try adding x.x.x.223 to the crypto access list and applying the change, but I never see it on the "sh crypto ipsec sa" output. Looking for help/guidance. Thank you!

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, sequence number= 0x6B8D) from x.x.x.222 (user= x.x.x.222) to x.x.x.192. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as x.x.x.192, its source as x.x.x.223, and its protocol as 1. The SA specifies its local proxy as x.x.x.192/255.255.255.255/0/0 and its remote_proxy as 172.x.x.0/255.255.255.0/0/0.

Outside int addr on ASA5510= x.x.x.192

Outside int addr on CheckPoint=x.x.x.222 (virtual), x.x.x.223 (real)

Segment behind CheckPoint = 172.x.x.0/24 (this is where syslogs are sent)

# sh crypto ipsec sa
interface: Internet
    Crypto map tag: Internet_map, seq num: 1, local addr: x.x.x.192

      access-list Internet_1_cryptomap permit ip interface Internet 172.x.x.0 255.255.255.0
      local ident (addr/mask/prot/port): (x.x.x.192/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.x.x.0/255.255.255.0/0/0)
      current_peer: x.x.x.222

      #pkts encaps: 57198, #pkts encrypt: 57198, #pkts digest: 57198
      #pkts decaps: 28401, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 57198, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 2, #recv errors: 28401

      local crypto endpt.: x.x.x.192, remote crypto endpt.: x.x.x.222
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 4EE644C1

    inbound esp sas:
      spi: 0xA7245819 (2804176921)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: Internet_map
         sa timing: remaining key lifetime (kB/sec): (4275000/26019)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x4EE644C1 (1323713729)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: Internet_map
         sa timing: remaining key lifetime (kB/sec): (4246143/26019)
         IV size: 8 bytes
         replay detection support: Y

1 Reply

calterio
Level 1

I was able to stop the messages by removing the logging statement to the device on the 172.x.x.0/24 network. This device is not powered up right now, so apparently this was causing the errors.
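As an added example (not from the thread or from Cisco), a small Python parser for the %ASA-4-402116 message that checks the decapsulated inner packet against the SA's proxy selectors and flags the pattern seen above: an ICMP packet sourced from the peer gateway itself instead of from the remote proxy network, which fits the reply's finding that the gateway was answering for a powered-off syslog host. The addresses are constructed documentation values standing in for the masked x.x.x. octets, and the gateway address set is an assumption based on the poster's description.

```python
import ipaddress
import re

# Constructed sample of the thread's %ASA-4-402116 message; the masked "x.x.x."
# octets are replaced with documentation addresses (assumptions): ASA outside
# 192.0.2.192, CheckPoint virtual .222 / real .223, remote segment 172.16.0.0/24.
SAMPLE_LOG = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, sequence "
    "number= 0x6B8D) from 192.0.2.222 (user= 192.0.2.222) to 192.0.2.192. The "
    "decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 192.0.2.192, its source as "
    "192.0.2.223, and its protocol as 1. The SA specifies its local proxy as "
    "192.0.2.192/255.255.255.255/0/0 and its remote_proxy as "
    "172.16.0.0/255.255.255.0/0/0."
)
# The peer gateway's virtual and real addresses as the poster describes them (assumed).
PEER_GATEWAY_ADDRS = {"192.0.2.222", "192.0.2.223"}

PATTERN = re.compile(
    r"from (?P<peer>\S+) \(user= \S+\) to \S+\..*?"
    r"destination as (?P<dst>[^\s,]+), its source as (?P<src>[^\s,]+), "
    r"and its protocol as (?P<proto>\d+)\..*?"
    r"local proxy as (?P<lp>[^/\s]+/[^/\s]+)/\d+/\d+ and its remote_proxy as "
    r"(?P<rp>[^/\s]+/[^/\s]+)/\d+/\d+\."
)

def parse_402116(line):
    """Return the inner packet and SA selectors (addr/mask/proto/port) or None."""
    m = PATTERN.search(line)
    if not m:
        return None
    return {"peer": m["peer"], "proto": int(m["proto"]),
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "local_proxy": ipaddress.ip_network(m["lp"], strict=False),
            "remote_proxy": ipaddress.ip_network(m["rp"], strict=False)}

def classify(info, peer_addrs=PEER_GATEWAY_ADDRS):
    """Name the selector the inner packet violates and flag the thread's pattern:
    ICMP (protocol 1) sourced from the peer gateway itself, not the remote proxy."""
    findings = []
    if info["src"] not in info["remote_proxy"]:
        findings.append("src_outside_remote_proxy")
    if info["dst"] not in info["local_proxy"]:
        findings.append("dst_outside_local_proxy")
    if info["proto"] == 1 and str(info["src"]) in peer_addrs:
        findings.append("icmp_from_peer_gateway")
    return findings
```

Running `classify(parse_402116(SAMPLE_LOG))` on the sample reports the source outside the remote proxy and an ICMP packet from the gateway, which is the signature to look for before assuming the tunnel itself is misconfigured.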
