Cisco Support Community

New Member

Received encrypted packet with no matching SA, dropping

Hi, I have set up an ASA 5505, and on the other site we are using a songate FW. I have set up a tunnel between both devices, and when I run the command sh isakmp it shows the tunnel status is active, but when I try to ping any device or try to open any server, it doesn't respond. I checked the ASDM logs and found this error: "Received encrypted packet with no matching SA, dropping". Please advise. Thanks.

6 REPLIES

Re: Received encrypted packet with no matching SA, dropping

sh crypto isa sa

sh crypto ipsec sa

New Member

Re: Received encrypted packet with no matching SA, dropping

I have used both of the above commands and they show me that the tunnel is in Active mode. And only for the time being, I am able to ping the other site servers, otherwise not. Please advise. I checked the logs and found: Received encrypted packet with no matching SA, dropping.... Please advise

New Member

Re: Received encrypted packet with no matching SA, dropping

Please advise....

New Member

Re: Received encrypted packet with no matching SA, dropping

Hi,

Make sure your lifetime is the same on both sides, and that sysopt conn ipsec is permit.

Re: Received encrypted packet with no matching SA, dropping

Show the configurations on both sides.

Silver

Re: Received encrypted packet with no matching SA, dropping

You mentioned that you have a Stonegate firewall on the other side? Is that correct?

If this is the case, Stonegate uses Checkpoint technologies. Therefore, I kinda suspect that it supernets the network on its end and sends it over to Cisco. That will definitely break VPN.

Check the VPN encryption on the Stonegate's side and make sure that you do not have super-net on Stonegate. I am not familiar with Stonegate, but in Checkpoint, you modify the parameter "IKE_largest_possible_subnet" from true to false. You can also modify the $FWDIR/conf/user.def file and make sure you include the networks behind the Stonegate firewall.

What version of Stonegate are you running?
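The supernetting mismatch described in the last reply, as an added example that is not part of the original thread: it assumes the peer merges adjacent protected networks into the largest possible subnet before proposing them, and compares the result with the remote networks listed in the local crypto ACL. The function names and the sample networks are constructed for illustration.

```python
import ipaddress


def merge_like_supernetting_peer(networks):
    """Collapse adjacent networks into the largest possible subnets.

    Assumption: this models the peer behaviour the reply suspects.
    """
    parsed = [ipaddress.ip_network(n) for n in networks]
    return list(ipaddress.collapse_addresses(parsed))


def compare_selectors(local_acl_remote_nets, peer_protected_nets):
    """Classify each network the peer would propose against the local crypto ACL.

    Returns (proposed_network, verdict) tuples. A "supernet of ..." verdict
    means the peer's selector is wider than the ACL entries it covers, so the
    two sides would not agree on the same IPsec SA for that traffic.
    """
    expected = {ipaddress.ip_network(n) for n in local_acl_remote_nets}
    findings = []
    for proposed in merge_like_supernetting_peer(peer_protected_nets):
        covered = sorted(
            str(e) for e in expected
            if e.version == proposed.version
            and e != proposed
            and e.subnet_of(proposed)
        )
        if proposed in expected:
            verdict = "match"
        elif covered:
            verdict = "supernet of " + ", ".join(covered)
        else:
            verdict = "not in crypto ACL"
        findings.append((str(proposed), verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample: networks behind the peer, and the remote side
    # of the local crypto ACL, listed one entry per /24 and /16.
    peer_nets = ["192.168.10.0/24", "192.168.11.0/24", "10.50.0.0/16"]
    local_acl = ["192.168.10.0/24", "192.168.11.0/24", "10.50.0.0/16"]
    for net, verdict in compare_selectors(local_acl, peer_nets):
        print(f"{net:20} {verdict}")
```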
