
LAN-TO-LAN Error 402120

Hi everybody.

We have the following problem between an ASA5540 (7.2.3) VPN concentrator in HQ and an ASA5510 (7.2.3) in the Remote Office:
Error code:
%ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xB8EE870D, sequence number= 0x534B0) from x.x.x.x (user= x.x.x.x) to x.x.x.x that failed authentication.
The tunnel is established and works, but we lose a lot of packets that are dropped on the Remote ASA.
The tunnel is of type LAN-to-LAN. We have more VPN tunnels on the 5540 concentrator without this problem.
Do you have any suggestions?
Thanks in advance.
Pablo Herrero Hernández

praprama
Cisco Employee

Hi,

Details about this message can be seen in the below link:

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&locale=en&index=all&query=%25ASA-4-402120&counter=0&paging=5&links=reference&sa=Submit

This message generally comes up either when there is a spoof or when the packets are getting corrupted from the HQ to the Remote ASA. Are you seeing this message only on the Remote ASA? Are you still seeing those messages popping up, or was it just for a while?

If you are still seeing the messages, please run "debug crypto ipsec 200" on the Remote ASA and see if you notice any errors there.

Also, to confirm whether packets are indeed getting corrupted en route to the Remote ASA, we can apply captures for ESP packets on the HQ and the Remote ASA and use the sequence numbers (from the logs) to compare the HASH values. I would suggest you check that as well.

Please also check with the ISP, using the above capture information, if we indeed see a HASH mismatch.

Hope this helps!!

Thanks and Regards,

Prapanch
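
The capture comparison suggested in the reply above, as an added example that is not part of the original thread: it matches ESP packets from the two captures by SPI and sequence number and reports whether the ciphertext or the trailing hash (ICV) differs. It assumes the ESP packets have already been extracted from each capture as raw bytes and that the transform uses a 96-bit ICV; the function names are hypothetical and the sample packets are constructed.

```python
import struct

ICV_LEN = 12  # assumption: 96-bit ICV (HMAC-SHA1-96 or HMAC-MD5-96)

def parse_esp(raw, icv_len=ICV_LEN):
    """Split an ESP packet (IP protocol 50 payload) into SPI, seq, ciphertext, ICV."""
    if len(raw) < 8 + icv_len:
        raise ValueError("too short for ESP header plus ICV")
    spi, seq = struct.unpack("!II", raw[:8])
    return spi, seq, raw[8:-icv_len], raw[-icv_len:]

def index_by_seq(packets, spi):
    """Map sequence number -> (ciphertext, icv) for the SPI named in the log."""
    out = {}
    for raw in packets:
        p_spi, seq, body, icv = parse_esp(raw)
        if p_spi == spi:
            out[seq] = (body, icv)
    return out

def compare_captures(hq_packets, remote_packets, spi):
    """Classify every sequence number seen in either capture."""
    sent, rcvd = index_by_seq(hq_packets, spi), index_by_seq(remote_packets, spi)
    result = {}
    for seq in sorted(set(sent) | set(rcvd)):
        if seq not in rcvd:
            result[seq] = "lost in transit"      # left HQ, never reached Remote
        elif seq not in sent:
            result[seq] = "not sent by HQ"       # only in the Remote capture
        elif sent[seq] == rcvd[seq]:
            result[seq] = "identical"            # same bytes on both sides
        elif sent[seq][1] != rcvd[seq][1]:
            result[seq] = "ICV changed"          # hash bytes differ
        else:
            result[seq] = "ciphertext changed"   # payload altered, ICV intact
    return result

def esp(spi, seq, body, icv):
    """Build a constructed ESP packet for the sample data below."""
    return struct.pack("!II", spi, seq) + body + icv

# Constructed sample captures; SPI and one sequence number taken from the log line.
SPI = 0xB8EE870D
hq = [esp(SPI, 0x534AF, b"A" * 16, b"\x01" * 12),
      esp(SPI, 0x534B0, b"B" * 16, b"\x02" * 12),
      esp(SPI, 0x534B1, b"C" * 16, b"\x03" * 12)]
remote = [esp(SPI, 0x534AF, b"A" * 16, b"\x01" * 12),
          esp(SPI, 0x534B0, b"B" * 15 + b"X", b"\x02" * 12),
          esp(SPI, 0x534B2, b"D" * 16, b"\x04" * 12)]

for seq, status in compare_captures(hq, remote, SPI).items():
    print(f"seq=0x{seq:X}: {status}")
```

A packet whose bytes differ between the two captures points at corruption on the path, while a packet that appears only in the Remote capture was never sent by HQ, or the HQ capture missed it.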
