
VPN Site - Site syslog errors

agoodwin
Level 1

Hi,

I've just had a hand in setting up two remote sites to connect to our main site through VPN. Everything appears to be working fine; however, I am getting an error showing on my syslog server along the lines of:

Identity doesn't match negotiated identity ip dest (ip) source (remote ip) prot:icmp ident local remote ranges

Any ideas?

Thanks for your time.

Andy

2 Replies

kdurrett
Level 3

It means that traffic is being sent via ICMP that doesn't match your access list specified as interesting traffic, so it's being dropped. Possibly your access-lists used for interesting traffic do not mirror each other identically. Could be the subnets you are using, or perhaps the protocol. For example, you have on one side pixA:

access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

and pixB:

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

So sending traffic from A to B is no problem, because the class C subnet falls within the class A of pixB. But when sending traffic from pixB to pixA, pixA is more restrictive, so it doesn't match.

Kurtis Durrett
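The mirroring rule Kurtis describes can be checked mechanically before a tunnel goes into service. The script below is an added example and not part of the original thread or any Cisco tool: it parses PIX-style crypto ACL entries, reports whether the two sides are exact mirrors, and classifies a packet sent from the peer site the way the receiving firewall would (accepted, dropped as an identity mismatch, or never encrypted at all). The two access-lists are the constructed pixA/pixB entries from the reply above; the sample packet addresses are also constructed.

```python
import ipaddress
import re

# PIX/ASA-style crypto ACL entry:
#   access-list <name> permit <proto> <src> <src-mask> <dst> <dst-mask>
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)

# Constructed entries taken from the reply above (pixA local, pixB peer).
PIX_A = "access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0"
PIX_B = "access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0"
# Constructed corrected pixB entry that mirrors pixA exactly.
PIX_B_FIXED = "access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0"


def parse_ace(line):
    """Return (proto, src_net, dst_net) for one permit entry."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACL entry: {line!r}")
    proto, src, smask, dst, dmask = m.groups()
    # ipaddress accepts dotted netmasks, so "10.0.0.0/255.0.0.0" becomes 10.0.0.0/8
    return (
        proto.lower(),
        ipaddress.ip_network(f"{src}/{smask}", strict=False),
        ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
    )


def is_mirror(local_line, peer_line):
    """True only when the peer's entry is the local entry with src/dst swapped."""
    lp, lsrc, ldst = parse_ace(local_line)
    pp, psrc, pdst = parse_ace(peer_line)
    return lp == pp and lsrc == pdst and ldst == psrc


def proto_covers(ace_proto, pkt_proto):
    # "ip" in an entry matches any IP protocol, ICMP included
    return ace_proto == "ip" or ace_proto == pkt_proto.lower()


def classify(local_line, peer_line, proto, src, dst):
    """Classify a packet sent from the peer site towards the local site."""
    lp, lsrc, ldst = parse_ace(local_line)
    pp, psrc, pdst = parse_ace(peer_line)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # The peer's own entry decides whether the packet is encrypted at all.
    if not (proto_covers(pp, proto) and src in psrc and dst in pdst):
        return "not interesting: peer sends it in the clear"
    # On arrival the roles are swapped: the packet's destination must sit in the
    # local entry's source range and its source in the local destination range.
    if proto_covers(lp, proto) and dst in lsrc and src in ldst:
        return "accepted: matches local crypto ACL"
    return "dropped: identity doesn't match negotiated identity"


if __name__ == "__main__":
    print("pixA/pixB mirrored:", is_mirror(PIX_A, PIX_B))
    for target in ("10.10.10.7", "10.20.0.1"):
        print(f"icmp 192.168.1.5 -> {target}:", classify(PIX_A, PIX_B, "icmp", "192.168.1.5", target))
    print("pixA/pixB(fixed) mirrored:", is_mirror(PIX_A, PIX_B_FIXED))
```

The second sample packet (to 10.20.0.1) is the case from the reply: pixB encrypts it because 10.0.0.0/8 covers the destination, but pixA only negotiated 10.10.10.0/24, so pixA logs the identity mismatch and drops it. With the corrected pixB entry that packet is simply not interesting traffic on either side.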

Cheers for your help. The other firewall is a NetScreen box, so I assume it will be different to our setup anyway, which, as you say, would be the answer.

Andy