Received encrypted packet with no matching SA, dropping

Jul 3rd, 2008

Hi, I have set up an ASA 5505, and on the other site we are using songate FW. I have set up a tunnel between both devices, and when I run the command sh isakmp it shows the tunnel status is active, but when I try to ping any device or try to open any server it doesn't respond. I checked the ASDM logs and found this error: "Received encrypted packet with no matching SA, dropping". Please advise. Thanks.

a.alekseev Thu, 07/03/2008 - 20:37

sh crypto isa sa

sh crypto ipsec sa

ray_stone Sat, 07/05/2008 - 03:14

I have used both of the above commands and they show me that the tunnel is in Active mode. And only for the time being, I am able to ping the other site's servers, otherwise not. Please advise. I checked the logs and found: Received encrypted packet with no matching SA, dropping.... Please advise

nomair_83 Sun, 07/06/2008 - 09:26

Make sure your lifetime is the same on both sides, and sysopt conn ipsec is permit.

a.alekseev Sun, 07/06/2008 - 09:59

Show the configurations on both sides.

cisco24x7 Sun, 07/06/2008 - 14:57

You mentioned that you have Stonegate firewall on the other side? Is that correct?

If this is the case, Stonegate uses Checkpoint technologies. Therefore, I kinda suspect that it super-nets the network on its end and sends it over to Cisco. That will definitely break

Checkpoint the vpn encryption on the stonegate's side and make sure that you do not have super-net on stonegate. I am not familiar with Stonegate but in Checkpoint, you modified the parameter "IKE_largest_possible_subnet" from true to false. You can also modify the $FWDIR/conf/user.def file and make sure you include the networks behind stonegate

What version of stonegate are you running?
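
The super-netting mismatch described in the reply above can be checked offline before touching either device. This is an added example, not part of the original thread: it is a simplified model that assumes the peer merges adjacent protected networks into the largest possible subnet and that the ASA side expects selectors exactly matching its crypto ACL entries. All addresses and function names are constructed for illustration.

```python
import ipaddress

def supernet_proposal(peer_networks):
    """Selectors the peer would offer if it merges its protected networks
    into the largest possible subnets (assumed peer behaviour)."""
    nets = [ipaddress.ip_network(n) for n in peer_networks]
    return list(ipaddress.collapse_addresses(nets))

def compare_selectors(acl_remote_networks, peer_networks):
    """Compare the peer's (possibly super-netted) proposal with the remote
    networks listed in the local crypto ACL.

    Returns (proposed, status, acl_entries_covered) tuples, where status is
    'match', 'supernet-mismatch' or 'unknown-network'.
    """
    expected = {ipaddress.ip_network(n) for n in acl_remote_networks}
    report = []
    for proposed in supernet_proposal(peer_networks):
        if proposed in expected:
            report.append((str(proposed), "match", [str(proposed)]))
            continue
        # ACL entries swallowed by a wider proposal: the selectors negotiated
        # for the SA no longer line up with what the local side expects.
        covered = sorted(e for e in expected if e.subnet_of(proposed))
        status = "supernet-mismatch" if covered else "unknown-network"
        report.append((str(proposed), status, [str(c) for c in covered]))
    return report

# Constructed sample data: remote networks in the local crypto ACL, and the
# networks configured behind the peer firewall.
ACL_REMOTE = ["192.168.10.0/24", "192.168.11.0/24", "172.16.5.0/24"]
PEER_NETS = ["192.168.10.0/24", "192.168.11.0/24", "172.16.5.0/24"]

if __name__ == "__main__":
    for proposed, status, covered in compare_selectors(ACL_REMOTE, PEER_NETS):
        print(f"{proposed:18} {status:18} covers {covered}")
```

Any `supernet-mismatch` row points at adjacent subnets that need either super-netting disabled on the peer or matching entries on both sides.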

