11-09-2007 11:10 AM - edited 02-21-2020 03:22 PM
Hi,
We are receiving the following messages constantly in the ASA5510. I don't see any problem on the CheckPoint side. I did see the other posts about this error but I can't determine the source of the problem. I think it has to do with the way the CheckPoint appears to the ASA in some packets. CheckPoint's virtual IP is x.x.x.222 but the device's real address is x.x.x.223. The tunnel forms with x.x.x.222 but something seems to want to talk to x.x.x.223. Not sure what to do. I did try adding x.x.x.223 to the crypto access list and applying the change, but I never see it in the "sh crypto ipsec sa" output. Looking for help/guidance. Thank you!
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, sequence number= 0x6B8D) from x.x.x.222 (user= x.x.x.222) to x.x.x.192. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as x.x.x.192, its source as x.x.x.223, and its protocol as 1. The SA specifies its local proxy as x.x.x.192/255.255.255.255/0/0 and its remote_proxy as 172.x.x.0/255.255.255.0/0/0.
Outside int addr on ASA5510 = x.x.x.192
Outside int addr on CheckPoint = x.x.x.222 (virtual), x.x.x.223 (real)
Segment behind CheckPoint = 172.x.x.0/24 (this is where syslogs are sent)
# sh crypto ipsec sa
interface: Internet
Crypto map tag: Internet_map, seq num: 1, local addr: x.x.x.192
access-list Internet_1_cryptomap permit ip interface Internet 172.x.x.0 255.255.255.0
local ident (addr/mask/prot/port): (x.x.x.192/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.x.x.0/255.255.255.0/0/0)
current_peer: x.x.x.222
#pkts encaps: 57198, #pkts encrypt: 57198, #pkts digest: 57198
#pkts decaps: 28401, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 57198, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 2, #recv errors: 28401
local crypto endpt.: x.x.x.192, remote crypto endpt.: x.x.x.222
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4EE644C1
inbound esp sas:
spi: 0xA7245819 (2804176921)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: Internet_map
sa timing: remaining key lifetime (kB/sec): (4275000/26019)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x4EE644C1 (1323713729)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: Internet_map
sa timing: remaining key lifetime (kB/sec): (4246143/26019)
IV size: 8 bytes
replay detection support: Y
11-09-2007 12:00 PM
I was able to stop the messages by removing the logging statement to the device on the 172.x.x.0/24 network. This device is not powered up right now, so apparently this was causing the errors.
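As an added example, not part of the thread, here is a small Python check that parses a %ASA-4-402116 line and reports which side of the negotiated proxy identity the decapsulated inner packet violates, which is the quickest way to confirm a case like the one above (inner source x.x.x.223, protocol 1, outside the 172.x.x.0/24 remote proxy). The sample log line is constructed from the message in the post, with the masked addresses replaced by documentation ranges (203.0.113.x and 172.16.10.0/24).

```python
import ipaddress
import re

# Constructed sample of the ASA 402116 message quoted in the thread, with the
# masked x.x.x addresses replaced by documentation addresses so it runs offline.
SAMPLE_LOG = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, sequence "
    "number= 0x6B8D) from 203.0.113.222 (user= 203.0.113.222) to 203.0.113.192. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 203.0.113.192, its source as "
    "203.0.113.223, and its protocol as 1. The SA specifies its local proxy as "
    "203.0.113.192/255.255.255.255/0/0 and its remote_proxy as "
    "172.16.10.0/255.255.255.0/0/0."
)

# Fields of interest: inner src/dst/protocol and the two proxy identities
# (address/mask/protocol/port) the SA was negotiated with.
_PATTERN = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), and its "
    r"protocol as (?P<proto>\d+)\. The SA specifies its local proxy as "
    r"(?P<lip>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ and its remote_proxy as "
    r"(?P<rip>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+"
)


def analyze_402116(line):
    """Return None for non-402116 lines, else a dict naming the violated proxy.

    For inbound ESP the inner destination must sit inside the local proxy and
    the inner source inside the remote proxy; anything else is dropped and
    logged as 402116.  Protocol 1 is ICMP.
    """
    m = _PATTERN.search(line)
    if not m:
        return None
    local = ipaddress.ip_network(f"{m['lip']}/{m['lmask']}", strict=False)
    remote = ipaddress.ip_network(f"{m['rip']}/{m['rmask']}", strict=False)
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    problems = []
    if src not in remote:
        problems.append(f"inner source {src} is outside remote proxy {remote}")
    if dst not in local:
        problems.append(f"inner destination {dst} is outside local proxy {local}")
    return {
        "src": str(src), "dst": str(dst), "proto": int(m["proto"]),
        "src_in_remote_proxy": src in remote, "dst_in_local_proxy": dst in local,
        "problems": problems,
    }


if __name__ == "__main__":
    for p in analyze_402116(SAMPLE_LOG)["problems"]:
        print(p)
```

Run over a syslog export, the `problems` list tells you at a glance whether the peer is sourcing traffic from an address that was never in the crypto ACL (as here) or whether your own local proxy is too narrow.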