We are receiving the following messages constantly in the ASA5510. I don't see any problem on the CheckPoint side. I did see the other posts about this error but I can't determine the source of the problem. I think it has to do with the way the CheckPoint appears to the ASA in some packets. CheckPoint's virtual IP is x.x.x.222 but the device's real address is x.x.x.223. The tunnel forms with x.x.x.222 but something seems to want to talk to x.x.x.223. Not sure what to do. I did try adding x.x.x.223 to the crypto access list and applying the change, but I never see it on the "sh crypto ipsec sa" output. Looking for help/guidance. Thank you!
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, sequence number= 0x6B8D) from x.x.x.222 (user= x.x.x.222) to x.x.x.192. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as x.x.x.192, its source as x.x.x.223, and its protocol as 1. The SA specifies its local proxy as x.x.x.192/255.255.255.255/0/0 and its remote_proxy as 172.x.x.0/255.255.255.0/0/0.
Outside int addr on ASA5510 = x.x.x.192
Outside int addr on CheckPoint = x.x.x.222 (virtual), x.x.x.223 (real)
Segment behind CheckPoint = 172.x.x.0/24 (this is where syslogs are sent)
# sh crypto ipsec sa
Crypto map tag: Internet_map, seq num: 1, local addr: x.x.x.192
access-list Internet_1_cryptomap permit ip interface Internet 172.x.x.0 255.255.255.0
local ident (addr/mask/prot/port): (x.x.x.192/255.255.255.255/0/0)
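Added example (not from the poster's configuration or from Cisco): a small Python check that parses a 402116 message and tests the decapsulated packet against the SA's local/remote proxy identities the same way the ASA does, so the exact mismatch is spelled out. The addresses in the sample line are constructed documentation-range stand-ins for the redacted x.x.x values.

```python
import ipaddress
import re

# Constructed sample of a %ASA-4-402116 message with documentation-range
# addresses standing in for the redacted ones: the inner packet is sourced
# from the peer's real address, not from the protected 172.16.0.0/24 segment.
SAMPLE_LOG = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA7245819, "
    "sequence number= 0x6B8D) from 198.51.100.222 (user= 198.51.100.222) "
    "to 198.51.100.192. The decapsulated inner packet doesn't match the "
    "negotiated policy in the SA. The packet specifies its destination as "
    "198.51.100.192, its source as 198.51.100.223, and its protocol as 1. "
    "The SA specifies its local proxy as 198.51.100.192/255.255.255.255/0/0 "
    "and its remote_proxy as 172.16.0.0/255.255.255.0/0/0."
)

_MSG = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. The SA specifies its local proxy "
    r"as (?P<local>[\d./]+) and its remote_proxy as (?P<remote>[\d./]+)\."
)

def parse_proxy(spec):
    """Split an ASA proxy identity 'addr/mask/prot/port' into (network, prot).
    prot 0 and port 0 mean 'any', as produced by a 'permit ip' crypto ACL."""
    addr, mask, prot, _port = spec.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(prot)

def diagnose(line):
    """List how the inner packet violates the SA proxies (empty list means it
    would have matched); None if the line is not a 402116 message."""
    m = _MSG.search(line)
    if m is None:
        return None
    local_net, local_prot = parse_proxy(m["local"])
    remote_net, _remote_prot = parse_proxy(m["remote"])
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    proto = int(m["proto"])
    problems = []
    # Inbound check: inner source must sit in the remote proxy, inner
    # destination in the local proxy, and protocol must match unless 'any'.
    if src not in remote_net:
        problems.append(f"inner source {src} is outside remote proxy {remote_net}")
    if dst not in local_net:
        problems.append(f"inner destination {dst} is outside local proxy {local_net}")
    if local_prot and proto != local_prot:
        problems.append(f"inner protocol {proto} differs from SA protocol {local_prot}")
    return problems
```

On the sample line the only finding is the inner source 198.51.100.223 (the peer's real address) lying outside the 172.16.0.0/24 remote proxy; protocol 1 is ICMP, so this is the peer itself sending through the tunnel rather than a host behind it.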