Cisco Support Community
New Member

VPN Site - Site syslog errors


I've just had a hand in setting up two remote sites to connect to our main site through VPN. Everything appears to be working fine; however, I am getting an error showing on my syslog server along the lines of:

Identity doesn't match negotiated identity ip dest (ip) source (remote ip) prot:icmp ident local remote ranges

Any ideas?

Thanks for your time.


New Member

Re: VPN Site - Site syslog errors

It means that traffic is being sent via ICMP that doesn't match your access list specified as interesting traffic, so it's being dropped. Possibly your access lists used for interesting traffic do not mirror each other identically. It could be the subnets you are using, or perhaps the protocol. For example, you have on one side pixA:

access-list 100 permit ip

and pixB:

access-list 100 permit

So sending traffic from A to B is no problem, because the class C subnet falls within the class A of pixB. But when sending traffic from pixB to pixA, pixA is more restrictive, so it doesn't match.

Kurtis Durrett
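
A way to check the two peers' interesting-traffic ACLs for the mirroring problem described in the reply above, as an added example that is not part of the original thread. The addresses are constructed (the ACL lines in the post show none), and the function names `parse_ace`, `compare_mirror` and `audit` are hypothetical.

```python
import ipaddress

# Constructed sample crypto ACLs; PIX syntax takes subnet masks, not wildcards.
PIX_A = "access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0"
PIX_B = "access-list 100 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0"

# Relations ordered from best to worst, used to pick the closest peer entry.
RANK = ["mirrored", "peer is broader", "peer is narrower",
        "protocol mismatch", "no overlap in mirror position"]


def parse_ace(line):
    """Return (protocol, source_net, dest_net) for 'permit <proto> net mask net mask'."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError("unsupported ACL entry: " + line)
    src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
    dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
    return tok[3], src, dst


def compare_mirror(local_line, peer_line):
    """Classify how the peer's entry relates to the mirror image of the local entry."""
    proto, src, dst = parse_ace(local_line)
    p_proto, p_src, p_dst = parse_ace(peer_line)
    if proto != p_proto:
        return "protocol mismatch"
    # A mirrored entry has the peer's source equal to our destination and vice versa.
    if (p_src, p_dst) == (dst, src):
        return "mirrored"
    if dst.subnet_of(p_src) and src.subnet_of(p_dst):
        return "peer is broader"
    if p_src.subnet_of(dst) and p_dst.subnet_of(src):
        return "peer is narrower"
    return "no overlap in mirror position"


def audit(local_acl, peer_acl):
    """Map each local entry to the closest relation found among the peer's entries."""
    peers = [p for p in peer_acl.strip().splitlines() if p.strip()]
    report = {}
    for line in local_acl.strip().splitlines():
        found = [compare_mirror(line, p) for p in peers]
        report[line.strip()] = min(found, key=RANK.index) if found else "no peer entry"
    return report
```

Any result other than `mirrored` marks an entry pair to bring into line on both peers.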

New Member

Re: VPN Site - Site syslog errors

Cheers for your help. The other firewall is a NetScreen box, so I assume it will be different to our setup anyway, which as you say would be the answer.

