IPSEC:Received a non-IPSEC packet (protocol=ICMP) from <ip> to <ip>

Unanswered Question
Jun 27th, 2010


I am creating a IPSEC VPN tunnel between Cisco ASA and Cisco Router.

On Router side, i have two outgoing interfaces to reach to ASA. So, i created a loopback interface and terminate the tunnel on Loopback and used the loopback interface as a local-address in the crypto map.


crypto-map abcmap local-address loopback 10

int lo 10

crypto map abcmap


I am running OSPF in the network. For the Routing issue, i created the route-map


route-map IPSEC-VPN permit 10

match ip address crypto-acl

set interface loopback 10

access-list crypto-acl permit ip <site-a-lan> <site-b-lan>


Everything is working fine except that i am unable to ping the Router LAN interface from the Tunnel (ASA side) and receiving the syslog message (id = 402117) ; [IPSEC:Received a non-IPSEC packet (protocol=ICMP) from <ip> to <ip>]. Actually, this LAN interface is the source for the SNMP/ Syslog/ TACACS/ NTP etc...

Any comments please...


Mubasher Sultan

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Mon, 06/28/2010 - 00:14

When you are trying to ping from the ASA end, how did you source the ping? If you are pinging from the ASA itself, and the crypto subnet is for example your inside interface, then you would need to source the ping from the inside interface as follows on the ASA:

ping inside

Otherwise, if you just perform ping as follows from the ASA:


that would be sourced from the outside interface of the ASA.

Further to that, if you are trying to source SNMP, syslog, AAA from the inside interface of the ASA as it is part of the crypto ACL, you would need to specify the inside interface of the corresponding statements.

For example:

logging host inside

snmp-server host inside

aaa-server inside host

Hope that helps.


This Discussion