Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

VPN Site - Site syslog errors

Hi,

I've just had a hand in setting up two remote sites to connect to our main site through vpn. Everything appears to be working fine however I am getting an error showing on my syslog server along the lines of:

Identity doesn't match negotiated identity ip dest (ip) source (remote ip) prot:icmp ident local remote ranges

Any idea's?

Thanks for your time.

Andy

2 REPLIES
New Member

Re: VPN Site - Site syslog errors

It means that traffic is being sent via icmp that doesn't match your access list specified as interesting traffic so its being dropped. Possible your access-list used for interesting traffic do not mirror each other identically. Could be the subnets you are using or perhaps by protocol. For example you have on one side pixA:

access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

and pixB:

access-list 100 permit 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

So sending traffic from A to B is no problem cause the class C subnet falls with in the class a of pixB. But when sending traffic from pixB to pixA, pixA is more restrictive so it doesn't match.

Kurtis Durrett

New Member

Re: VPN Site - Site syslog errors

cheers for your help. The other firewall is a netscreen box, so I assume it will be different to our setup anyway - which as you say would be the answer.

Andy

101
Views
0
Helpful
2
Replies
CreatePlease to create content