Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

asa error message

I'm seeing following error show up in my logs and wonder if someone could shed some light on exactly what it means. Thanks!

129.1xx.x.xx %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xC359311B, sequence number= 0x1) from 10.19x.x.x (user= user1) to 129.1xx.x.xx. The decapsulated inner packet doesn't mat

ch the negotiated policy in the SA. The packet specifies its destination as, its source as 10.19x.x.x, and its protocol as 1. The SA specifies its local proxy as and its

remote_proxy as


Re: asa error message

please read below:

Error Message %PIX|ASA-4-402116: IPSEC: Received an protocol packet (SPI=spi, sequence

number= seq_num) from remote_IP (username) to local_IP . The decapsulated inner

packet doesn't match the negotiated policy in the SA. The packet specifies its

destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot . The

SA specifies its local proxy as id_daddr /id_dmask /id_dprot /id_dport and its remote

proxy as id_saddr /id_smask /id_sprot /id_sport .

Explanation This message is displayed when a decapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.

protocol-IPSec protocol

spi-IPSec Security Parameters Index

seq_num-IPSec sequence number

remote_IP-IP address of the remote endpoint of the tunnel

username-Username associated with the IPSec tunnel

local_IP-IP address of the local endpoint of the tunnel

pkt_daddr-Destination address from the decapsulated packet

pkt_saddr-Source address from the decapsulated packet

pkt_prot-Transport protocol from the decapsulated packet

id_daddr-Local proxy IP address

id_dmask-Local proxy IP subnet mask

id_dprot-Local proxy transport protocol

id_dport-Local proxy port

id_saddr-Remote proxy IP address

id_smask-Remote proxy IP subnet mask

id_sprot-Remote proxy transport protocol

id_sport-Remote proxy port

Recommended Action Contact the peer administrator and compare policy settings.

New Member

Re: asa error message

Yes I found that but wanted to know if someone could explain why I'm only seeing this occur from one user.