asa error message

Unanswered Question
Feb 4th, 2009

I'm seeing the following error show up in my logs and wonder if someone could shed some light on exactly what it means. Thanks!

129.1xx.x.xx %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xC359311B, sequence number= 0x1) from 10.19x.x.x (user= user1) to 129.1xx.x.xx. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.xxx.xxx.115, its source as 10.19x.x.x, and its protocol as 1. The SA specifies its local proxy as 0.0.0.0/0.0.0.0/0/0 and its remote_proxy as 192.xxx.xxx.117/255.255.255.255/0/0.

Tshi M Thu, 02/05/2009 - 06:22

please read below:

Error Message %PIX|ASA-4-402116: IPSEC: Received an protocol packet (SPI=spi, sequence number= seq_num) from remote_IP (username) to local_IP. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot. The SA specifies its local proxy as id_daddr/id_dmask/id_dprot/id_dport and its remote proxy as id_saddr/id_smask/id_sprot/id_sport.

Explanation This message is displayed when a decapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.

protocol - IPSec protocol
spi - IPSec Security Parameters Index
seq_num - IPSec sequence number
remote_IP - IP address of the remote endpoint of the tunnel
username - Username associated with the IPSec tunnel
local_IP - IP address of the local endpoint of the tunnel
pkt_daddr - Destination address from the decapsulated packet
pkt_saddr - Source address from the decapsulated packet
pkt_prot - Transport protocol from the decapsulated packet
id_daddr - Local proxy IP address
id_dmask - Local proxy IP subnet mask
id_dprot - Local proxy transport protocol
id_dport - Local proxy port
id_saddr - Remote proxy IP address
id_smask - Remote proxy IP subnet mask
id_sprot - Remote proxy transport protocol
id_sport - Remote proxy port

Recommended Action Contact the peer administrator and compare policy settings.
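As a triage aid for this message, here is an added Python example (not from this thread or from Cisco) that parses a %ASA-4-402116 line into the fields defined above and reports which SA selector the decapsulated packet failed: for inbound ESP the inner source is checked against the remote proxy (id_saddr/id_smask) and the inner destination against the local proxy (id_daddr/id_dmask). The log line it runs on is constructed with RFC 5737 documentation addresses but mirrors the poster's message (inner source equal to the tunnel endpoint, remote proxy a single /32 host), so the only mismatch it reports is on the source selector.

```python
import re
import ipaddress

# Field layout follows the Cisco message text quoted above (both "remote proxy" and "remote_proxy" occur).
MSG_RE = re.compile(
    r"%(?:PIX|ASA)-4-402116: IPSEC: Received an (?P<proto>\S+) packet "
    r"\(SPI= ?(?P<spi>0x[0-9A-Fa-f]+), sequence number= ?(?P<seq>0x[0-9A-Fa-f]+)\) "
    r"from (?P<remote_ip>\S+)(?: \(user= ?(?P<user>[^)]+)\))? to (?P<local_ip>\S+)\. "
    r"The decapsulated inner packet doesn't match the negotiated policy in the SA\. "
    r"The packet specifies its destination as (?P<pkt_daddr>\S+), its source as "
    r"(?P<pkt_saddr>\S+), and its protocol as (?P<pkt_prot>\d+)\. The SA specifies "
    r"its local proxy as (?P<local_proxy>\S+) and its remote[ _]proxy as (?P<remote_proxy>\S+)\."
)

# Constructed sample mirroring the poster's line, with RFC 5737 documentation addresses.
SAMPLE = (
    "Feb 04 2009 10:15:01 203.0.113.10 %ASA-4-402116: IPSEC: Received an ESP packet "
    "(SPI= 0xC359311B, sequence number= 0x1) from 198.51.100.25 (user= user1) to 203.0.113.10. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet "
    "specifies its destination as 192.0.2.115, its source as 198.51.100.25, and its protocol "
    "as 1. The SA specifies its local proxy as 0.0.0.0/0.0.0.0/0/0 and its remote_proxy as "
    "192.0.2.117/255.255.255.255/0/0."
)

def parse_402116(line):
    """Return the named fields of a %ASA-4-402116 message, or None if the line is not one."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None

def parse_proxy(text):
    """Split 'addr/mask/prot/port' into (network, protocol, port); prot/port 0 mean 'any'."""
    addr, mask, prot, port = text.split("/")
    return ipaddress.IPv4Network((addr, mask), strict=False), int(prot), int(port)

def selector_mismatches(fields):
    """Name each SA selector the inner packet violates; an empty list means it would have matched.
    For inbound ESP the inner source must fall inside the remote proxy (id_saddr/id_smask) and
    the inner destination inside the local proxy (id_daddr/id_dmask); protocol 0 means any."""
    lnet, lprot, _ = parse_proxy(fields["local_proxy"])
    rnet, rprot, _ = parse_proxy(fields["remote_proxy"])
    src = ipaddress.ip_address(fields["pkt_saddr"])
    dst = ipaddress.ip_address(fields["pkt_daddr"])
    prot = int(fields["pkt_prot"])
    problems = []
    if src not in rnet:
        problems.append(f"inner src {src} is outside remote proxy {rnet}")
    if dst not in lnet:
        problems.append(f"inner dst {dst} is outside local proxy {lnet}")
    if (rprot and rprot != prot) or (lprot and lprot != prot):
        problems.append(f"inner protocol {prot} not allowed by SA (local {lprot}, remote {rprot})")
    return problems
```

Running the checker over a syslog feed and grouping results by user and failed selector shows quickly whether one peer keeps sourcing inner traffic outside its negotiated identity, which is what "compare policy settings" with that peer's administrator is meant to resolve.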

esossamon Thu, 02/05/2009 - 07:41

Yes, I found that, but I wanted to know if someone could explain why I'm only seeing this occur from one user.
