LAN-TO-LAN Error 402120

Unanswered Question
Sep 29th, 2010

Hi everybody.

We have the following problem between an ASA5540 (7.2.3) VPN concentrator at HQ and an ASA5510 (7.2.3) at the Remote Office:
Code Error
%ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xB8EE870D, sequence number= 0x534B0) from x.x.x.x (user= x.x.x.x) to x.x.x.x that failed authentication.
The tunnel is established and works, but we lose a lot of packets because they are dropped on the Remote ASA.
The tunnel is of type LAN-to-LAN. We have more VPN tunnels on the 5540 concentrator without this problem.
Do you have any suggestions?
Thanks in advance.
Pablo Herrero Hernández
praprama Wed, 09/29/2010 - 08:31

Hi,

Details about this message can be seen in the below link:

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&locale=en&index=all&query=%25ASA-4-402120&counter=0&paging=5&links=reference&sa=Submit

This message generally comes up when either there is a spoof or if the packets are getting corrupted from the HQ to the Remote ASA. Are you seeing this message only on the Remote ASA? Are you still seeing those messages popping up or was it just for a while?

If you are still seeing the messages, please run "debug crypto ipsec 200" on the Remote ASA and see if you notice some errors there.

Also, to confirm if packets are indeed getting corrupted en route to the Remote ASA, we can apply captures for ESP packets on the HQ and the Remote ASA and check with the sequence numbers (from the logs) to compare the HASH values. I would suggest you check that as well.

Please also check with the ISP with the above capture information if we indeed see a HASH mismatch.

Hope this helps!!

Thanks and Regards,

Prapanch
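
The capture comparison suggested in the reply above, as an added example that is not part of the original thread: it takes the SPI and sequence number from each 402120 log line and checks whether the matching ESP packet left HQ and whether it arrived byte-for-byte unchanged. It assumes the ESP packets have already been extracted from both captures as raw bytes starting at the ESP header; the function names and all sample packet contents are constructed for illustration.

```python
import re
import struct

# 402120 message format as quoted in the question above.
LOG_RE = re.compile(r"%ASA-4-402120: .*?\(SPI=\s*(0x[0-9A-Fa-f]+), "
                    r"sequence number=\s*(0x[0-9A-Fa-f]+)\)")

def failed_packets(log_lines):
    """(spi, seq) pairs the receiving ASA logged as failing authentication."""
    hits = (LOG_RE.search(line) for line in log_lines)
    return {(int(m.group(1), 16), int(m.group(2), 16)) for m in hits if m}

def index_esp(packets):
    """Map (spi, seq) -> raw bytes. ESP starts with SPI(4) + sequence(4), big-endian."""
    return {struct.unpack("!II", p[:8]): p for p in packets if len(p) >= 8}

def classify(log_lines, sent, received):
    """Compare what HQ sent with what the remote side received, per logged failure."""
    tx, rx = index_esp(sent), index_esp(received)
    verdicts = {}
    for key in sorted(failed_packets(log_lines)):
        if key not in tx:
            verdicts[key] = "not seen leaving HQ"
        elif key not in rx:
            verdicts[key] = "not in remote capture"
        elif tx[key] != rx[key]:
            verdicts[key] = "modified in transit"
        else:
            verdicts[key] = "identical on both ends"
    return verdicts

def esp(spi, seq, body):
    """Build a constructed ESP packet for the sample data below."""
    return struct.pack("!II", spi, seq) + body

# Constructed sample data: the first log line uses the SPI/sequence from the post;
# the second line and all packet bodies are made up for the example.
SPI = 0xB8EE870D
SAMPLE_LOG = [
    "%ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xB8EE870D, sequence number= 0x534B0) from x.x.x.x (user= x.x.x.x) to x.x.x.x that failed authentication.",
    "%ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xB8EE870D, sequence number= 0x534B1) from x.x.x.x (user= x.x.x.x) to x.x.x.x that failed authentication.",
]
SAMPLE_SENT = [esp(SPI, 0x534B0, b"\x11" * 24)]
SAMPLE_RECEIVED = [esp(SPI, 0x534B0, b"\x11" * 23 + b"\x10"),
                   esp(SPI, 0x534B1, b"\x22" * 24)]

if __name__ == "__main__":
    for (spi, seq), verdict in classify(SAMPLE_LOG, SAMPLE_SENT, SAMPLE_RECEIVED).items():
        print(f"SPI=0x{spi:08X} seq=0x{seq:X}: {verdict}")
```

A "modified in transit" verdict corresponds to the corruption case described in the reply, while "not seen leaving HQ" means the packet that failed authentication has no counterpart in the HQ capture.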
