Cisco ASA - %ASA-4-402120: IPSEC: Received an ESP packet

MoeBasheer
Level 1

Hi,

I'm seeing VPN authentication failures between the local firewall and two remote firewalls. We have other VPN connections on the local firewall to other remote firewalls, but I'm not seeing authentication failures for their IPs.

Jul 28 2015 09:18:07: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xB7D49FAC, sequence number= 0xFC6D) from vpn_peer1 (user= 172.30.6.132) to 172.30.6.12 that failed authentication.
Jul 28 2015 09:18:07: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0x4E380674, sequence number= 0x1117CD) from 1vpn_peer1  (user= XX.XX.XX.20) to 172.30.6.12 that failed authentication.

I have checked the VPN access lists and they match on both sides. We are currently running 8.3(2).

We cleared the tunnel but that didn't help.

Has anyone come across this before and found a solution?

Regards,

Mohammed

crypto map np-cmap-outside 6 match address noc-vpn-acl
crypto map np-cmap-outside 6 set peer vpn_peer1
crypto map np-cmap-outside 6 set transform-set np-trans1-vc6-tunnel1-IzXR
crypto map np-cmap-outside 6 set security-association lifetime seconds 28800
crypto map np-cmap-outside 6 set security-association lifetime kilobytes 4608000
crypto map np-cmap-outside 8 match address hawaii-vpn-acl
crypto map np-cmap-outside 8 set peer vpn_peer2
crypto map np-cmap-outside 8 set transform-set hw-trans
crypto map np-cmap-outside 8 set security-association lifetime seconds 28800
crypto map np-cmap-outside 8 set security-association lifetime kilobytes 4608000

tunnel-group XX.XX.XX.20 type ipsec-l2l
tunnel-group XX.XX.XX.20 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 120 retry 2

tunnel-group XX.XX.XX.132 type ipsec-l2l
tunnel-group XX.XX.XX.132 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 120 retry 2
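The %ASA-4-402120 lines quoted above carry the peer, the user address, the SPI and the ESP sequence number. As an added example (not part of the original thread or of Cisco's tooling), the parser below pulls those fields out of syslog text and groups failures per peer and SPI, so a sustained run of failures on one SA stands out from a single stray packet; the sample log lines are constructed, with placeholder peer names and documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed sample syslog in the %ASA-4-402120 format quoted in the question.
# Peer names and addresses are placeholders, not real indicators.
SAMPLE_LOGS = """\
Jul 28 2015 09:18:07: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xB7D49FAC, sequence number= 0xFC6D) from vpn_peer1 (user= 172.30.6.132) to 172.30.6.12 that failed authentication.
Jul 28 2015 09:18:08: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xB7D49FAC, sequence number= 0xFC6E) from vpn_peer1 (user= 172.30.6.132) to 172.30.6.12 that failed authentication.
Jul 28 2015 09:18:09: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xB7D49FAC, sequence number= 0xFC6F) from vpn_peer1 (user= 172.30.6.132) to 172.30.6.12 that failed authentication.
Jul 28 2015 09:18:10: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0x4E380674, sequence number= 0x1117CD) from vpn_peer2  (user= 203.0.113.20) to 172.30.6.12 that failed authentication.
Jul 28 2015 09:18:11: %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:172.30.6.12/51000 (172.30.6.12/51000)
"""

# One regex for the 402120 message; \s+ tolerates the doubled space seen in the post.
ESP_AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-4-402120: IPSEC: "
    r"Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<peer>\S+)\s+"
    r"\(user= (?P<user>[^)]+)\) to (?P<dst>\S+) that failed authentication\.$"
)


def parse_esp_auth_failures(lines):
    """Yield one dict per %ASA-4-402120 line; any other message ID is skipped."""
    for line in lines:
        m = ESP_AUTH_FAIL.match(line.strip())
        if m:
            event = m.groupdict()
            event["seq"] = int(event["seq"], 16)  # ESP sequence number as an int
            yield event


def summarize(events, threshold=3):
    """Group failures by (peer, user, SPI) and report the count and sequence span.

    'sustained' is True once a single SA has reached `threshold` failures, which is
    the pattern worth chasing (same SPI failing repeatedly) rather than a one-off.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["peer"], e["user"], e["spi"])].append(e["seq"])
    return {
        key: {"count": len(seqs), "seq_range": (min(seqs), max(seqs)),
              "sustained": len(seqs) >= threshold}
        for key, seqs in groups.items()
    }


if __name__ == "__main__":
    for key, info in summarize(parse_esp_auth_failures(SAMPLE_LOGS.splitlines())).items():
        print(key, info)
```

Feeding real ASA syslog into `parse_esp_auth_failures` instead of `SAMPLE_LOGS` is enough to run it against a capture from the local firewall.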

2 Replies

Douglas Holmes
Level 1

Not sure there is enough information to answer. The fact that you are receiving ESP packets should mean that the other side of the connection is fully authenticated and therefore sending ESP. You cleared the tunnel, but on which side was it cleared, "remote or local"?

Thank you for taking the time to assist me.

The tunnel was cleared from the local firewall. The remote firewall is not reporting any kind of authentication failure in their logs.

I'm able to ping the remote firewall, and even some IP addresses that exist on certain SPI subnets on the remote side. So I'm guessing the authentication failure applies to some packets and not every single packet that is transported through the VPN.

Many Thanks
