IPSEC:Received a non-IPSEC packet (protocol=ICMP) from <ip> to <ip>

Hi,

I am creating an IPSEC VPN tunnel between a Cisco ASA and a Cisco router.

On the router side, I have two outgoing interfaces to reach the ASA. So, I created a loopback interface, terminated the tunnel on the loopback, and used the loopback interface as the local-address in the crypto map.

----------------------------------------------------------------------

crypto map abcmap local-address loopback 10

int lo 10
 crypto map abcmap

----------------------------------------------------------------------

I am running OSPF in the network. For the routing issue, I created the route-map:

---------------------------------------------------------------------

route-map IPSEC-VPN permit 10
 match ip address crypto-acl
 set interface loopback 10

access-list crypto-acl permit ip <site-a-lan> 0.0.0.255 <site-b-lan> 0.0.0.255

--------------------------------------------------------------------

Everything is working fine except that I am unable to ping the router LAN interface from the tunnel (ASA side) and am receiving the syslog message (id = 402117): [IPSEC:Received a non-IPSEC packet (protocol=ICMP) from <ip> to <ip>]. Actually, this LAN interface is the source for SNMP, syslog, TACACS, NTP, etc.

Any comments please...

Regards,

Mubasher Sultan

2 Replies

Hi Experts,

Any comments please... I am still facing the same issue...

Thanks,

Regards,

Mubasher

When you are trying to ping from the ASA end, how did you source the ping? If you are pinging from the ASA itself, and the crypto subnet is for example your inside interface, then you would need to source the ping from the inside interface as follows on the ASA:

ping inside

Otherwise, if you just perform ping as follows from the ASA:

ping

that would be sourced from the outside interface of the ASA.

Further to that, if you are trying to source SNMP, syslog, AAA from the inside interface of the ASA as it is part of the crypto ACL, you would need to specify the inside interface of the corresponding statements.

For example:

logging host inside

snmp-server host inside

aaa-server inside host

Hope that helps.
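
For triaging the 402117 message discussed in this thread, the following is an added example (not part of the original posts or of any Cisco tooling): it groups 402117 events by flow and marks which ones fall inside the tunnel's protected networks, so the unencrypted source stands out. The subnets, hostname and log lines are constructed sample values, and the names `CRYPTO_SELECTORS`, `in_selectors` and `triage` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Body of ASA syslog 402117; the severity digit and spacing are not assumed.
MSG_402117 = re.compile(
    r"%ASA-\d-402117:\s*IPSEC:\s*Received a non-IPSec packet "
    rf"\(protocol=\s*(?P<proto>\w+)\) from (?P<src>{IP}) to (?P<dst>{IP})",
    re.IGNORECASE,
)

# Constructed crypto ACL selectors as seen from the ASA: (remote LAN, local LAN).
CRYPTO_SELECTORS = [
    (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.2.0/24")),
]

# Constructed sample log lines, not taken from the thread.
SAMPLE_LOG = """\
Mar 01 10:00:01 asa1 %ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= ICMP) from 10.1.1.1 to 10.2.2.50.
Mar 01 10:00:02 asa1 %ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= ICMP) from 10.1.1.1 to 10.2.2.50.
Mar 01 10:00:05 asa1 %ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= UDP) from 10.1.1.1 to 10.2.2.60.
Mar 01 10:00:09 asa1 %ASA-6-302013: Built inbound TCP connection 7 for outside:192.0.2.9/4431 to inside:10.2.2.50/22
Mar 01 10:00:11 asa1 %ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP) from 172.16.9.9 to 10.2.2.50.
"""

def in_selectors(src, dst):
    """True if the src/dst pair falls inside one of the listed selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in remote and d in local for remote, local in CRYPTO_SELECTORS)

def triage(log_text):
    """Count 402117 events per (proto, src, dst) and tag selector matches."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MSG_402117.search(line)
        if m:  # other message ids are ignored
            counts[(m["proto"].upper(), m["src"], m["dst"])] += 1
    return [
        {"proto": p, "src": s, "dst": d, "count": n,
         "in_crypto_acl": in_selectors(s, d)}
        for (p, s, d), n in counts.most_common()
    ]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A flow marked `in_crypto_acl: True` is traffic the tunnel is meant to protect that arrived in cleartext, which points at how that source is routed on the sending side.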
