Core issue
A packet is received that matches the encryption (crypto) map access control list (ACL), but is not IPsec-encapsulated. The IPsec peer sends unencapsulated packets. This condition can be caused by a policy setup error on the peer, or it might be considered a hostile event.
This error message might come up because of several reasons that include:
- Mismatched crypto access list on two ends
- Routing misconfiguration
Resolution
Complete these steps to resolve this issue:
1. Match the access lists with the peer.
2. Make sure that the same access list is not applied to two or more crypto map entries.
3. Refrain from using the any any statement in the access list.
4. Check routing.
For more information,refer to IPSec Manual Keying Between Routers Configuration Example and Configuring GRE and IPSec with IPX Routing