×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Error: The decapsulated inner packet doesn't match the negotiated policy in the SA

Unanswered Question
Jan 15th, 2012
User Badges:

I upgraded my ASA from 8.2(1) to 8.4(3) as I wanted to try to get Android devices to properly connect via VPN.


After some effort, I was able to get the Android devices to connect via VPN.  However, my syslog server has a number of errors recorded that look this this:


%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x1E76EFA6, sequence number= 0x1F0) from x.x.x.x (user= testuser) to y.y.y.y.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as z.z.z.z, its source as a.a.a.a, and its protocol as tcp.  The SA specifies its local proxy as y.y.y.y/255.255.255.255/udp/42246 and its remote_proxy as x.x.x.x/255.255.255.255/udp/0.


Digging further, it seems this error might be due to a NAT issues with the VPN connections.  VPN previously worked with Cisco's VPN client on Windows, though I did not test to see if that is no longer working.  However, I made no changes in the config, except for those related to additions needed to support L2TP.  With the below config, Android clients can connect to the ASA and access the internal network, but they cannot connect to external addresses.  I'm at a loss.


The addresses used in the config: 192.168.1.0/24 are on the internal LAN and 192.168.3.0/24 are addresses assigned to VPN clients.


I noted in the config this line:

access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0


The access list is not referenced anywhere, though it was referenced in the 8.2(1) config like this:

nat (inside) 0 access-list inside_nat0_outbound


I'm not sure what else changed, but I've looked over the config and I just cannot see what the issue might be.  I'm hoping somebody might be able to point out my error.


Here's the config file (at least the parts that might be of interest):


: Saved

:

ASA Version 8.4(3)

!

...

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa843-k8.bin

object network obj-192.168.3.0

subnet 192.168.3.0 255.255.255.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list outside_access_in extended permit icmp any interface outside time-exceeded

access-list outside_access_in extended permit icmp any interface outside echo-reply

access-list outside_access_in extended permit icmp any interface outside unreachable

access-list outside_mpc extended permit ip any interface outside

access-list inside_mpc extended permit ip 192.168.1.0 255.255.255.0 any

access-list testVPN_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0

ip local pool VPN-Pool-1 192.168.3.1-192.168.3.254 mask 255.255.255.0

ip verify reverse-path interface outside

nat (inside,any) source static any any destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp

!

object network obj-192.168.3.0

nat (outside,outside) dynamic interface

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

!

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 5

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400


group-policy testVPN internal

group-policy testVPN attributes

wins-server value 192.168.1.8

dns-server value 192.168.1.8 192.168.1.4

vpn-idle-timeout none

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value testVPN_splitTunnelAcl

default-domain value test.us

group-policy testVPNnsl2tp internal

group-policy testVPNnsl2tp attributes

wins-server value 192.168.1.8

dns-server value 192.168.1.8 192.168.1.4

vpn-idle-timeout none

vpn-tunnel-protocol l2tp-ipsec

group-policy testVPNns internal

group-policy testVPNns attributes

wins-server value 192.168.1.8

dns-server value 192.168.1.8 192.168.1.4

vpn-idle-timeout none

vpn-tunnel-protocol ikev1

username testuser password PASSWORD encrypted privilege 15

username testuser2 password PASSWORD nt-encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool VPN-Pool-1

default-group-policy testVPNnsl2tp

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group testVPN type remote-access

tunnel-group testVPN general-attributes

address-pool VPN-Pool-1

default-group-policy testVPN

tunnel-group testVPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group testVPNns type remote-access

tunnel-group testVPNns general-attributes

address-pool VPN-Pool-1

default-group-policy testVPNns

tunnel-group testVPNns ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group testVPNnsl2tp type remote-access

tunnel-group testVPNnsl2tp general-attributes

address-pool VPN-Pool-1

default-group-policy testVPNnsl2tp

tunnel-group testVPNnsl2tp ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group testVPNnsl2tp ppp-attributes

authentication ms-chap-v2


One last question: in order to get the connection from Android to work, I was forced to use "tunnel-group DefaultRAGroup".  Is that actually a limitation, or did I make an error that forced that requirement?  I wanted to use "tunnel-group testVPNnsl2tp".


Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cflory Mon, 01/16/2012 - 13:17
User Badges:
  • Bronze, 100 points or more

"The decapsulated inner packet doesn't match the negotiated policy in the SA" sounds more like a mismatch in your ACL's specifying local and remote networks, most likely related to the NAT change (as you eluded to).


Looking at the config:


access-list testVPN_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0

ip local pool VPN-Pool-1 192.168.3.1-192.168.3.254 mask 255.255.255.0


With the first line, you're defining your 'encryption domain' (192.168.1.0/24).  However, on the third line, your pool is defining 192.168.3.0/24, as the assigned addresses allowed for this connection.


Probably the easiest thing to do would be to change the 'testVPN_splitTunnelAcl' to match your 'VPN-Pool-1' assignments.


Thus: "access-list testVPN_splitTunnelAcl extended permit ip 192.168.3.0 255.255.255.0 any"


HTH!


-Chris

paul_e_jones Mon, 01/16/2012 - 16:40
User Badges:

Chris,


You might be correct that the access-list defined for split tunneling is an issue, but that's a separate issue.  The "testVPN_splitTunnelAcl" access list is used only with the VPN named testVPN.


The VPN tunnel group name that is being used with the Android device is named "DefaultRAGroup".  That uses the policy "testVPNnsl2tp".  So, the access list you mention should not come into play.  I removed it (just to be sure), but there was no affect, as I suspected.


I do believe the issue I am seeing with these error messages might be related to NAT rules and I may need a new access list defined, as well.  I just don't know what those rules should be.


Paul

cflory Mon, 01/16/2012 - 19:29
User Badges:
  • Bronze, 100 points or more

Paul,


Thanks for the additional information.  Ok, for your "DefaultRAGroup" tunnel-group, you are correct, you will need an ACL to allow connectivity for your Android devices.


As an example, you could use the following:


"access-list Android_VPN extended permit ip object-group obj_any object-group obj-192.168.3.0"


The object groups in bold above are defined already by your config. 



Then you should have a crypto map reference that ACL:


crypto map Android 10 match address Android_VPN

crypto map Android 10 set pfs group5

crypto map Android 10 set peer

crypto map Android 10 set ikev1 transform-set ESP-AES-256-SHA



and then, your group-policy should reference the network list ACL:


group-policy testVPNnsl2tp attributes

split-tunnel-network-list value Android_VPN


and that should match up with your tunnel-group:


tunnel-group DefaultRAGroup general-attributes

address-pool VPN-Pool-1

default-group-policy testVPNnsl2tp



I have checked my configs on 8.4(3), as a sanity check.  I believe I have included everything.


-Chris

paul_e_jones Tue, 01/17/2012 - 15:05
User Badges:

Chris,


This is still a bit off the mark.  I think I might be confusing the issue by including some of the VPN configuration that I had previously installed and working (e.g., two other VPN tunnel groups with split tunneling on one of them).  Let's just remove that stuff from consideration.  I actually tested the current configs just to see if they are working since the upgrade.  testVPN is working with the split tunneling, but testVPNns (no-split tunneling) does not allow external access.  I guess there is a NAT config issue there, too, but not sure what it is, yet.  I've not investigated that closely.


I want to solve one problem at a time, though I understand there are some interdependencies.


What I'd like to focus on right now is just the L2TP VPN connection.


From what I've been able to understand from the documentation, what I need are these lines:


crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

group-policy testVPNnsl2tp internal

group-policy testVPNnsl2tp attributes

wins-server value 192.168.1.8

dns-server value 192.168.1.8 192.168.1.4

vpn-idle-timeout none

vpn-tunnel-protocol l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes

address-pool VPN-Pool-1

default-group-policy testVPNnsl2tp

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key P74bmqL6rT40bl5

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

crypto ikev1 policy 5

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400


I still want to assign the IP addresses to VPN clients out of 192.168.3.0/24.


The tricky part is understanding exactly what NAT rules to insert and to avoid that error message I'm getting relatred to the encapsulated packets.  I tried to introduce the commands you had, but it's missing stuff that I would need for L2TP/IPSec (e.g., "mode transport").  I also don't think I want "pfs group5".  The above config "works" in that I get connected -- all negotiation is done.  It's just that packets from the VPN client are not able to go out to the Internet and I'm seeing that encapsulation error messages when I try to send a packet.


Paul

curhed Wed, 04/04/2012 - 14:17
User Badges:

Hi


I got the same error %ASA-4-402116 when upgraded ASA5520 release from 8.4.(2)8 into 8.4(3)8. When downgraded back with same configuration, it worked again.


I'm using EasyVPN 5.0 and AnyConnect 3.0 (IPsec/IKEv2) with similar policies, same IP pool/tunnel-all, and only AnyConnect was affected.


Br, Toni

Actions

This Discussion