Cisco Support Community

IPSEC:Received a non-IPSEC packet (protocol=ICMP) from <ip> to <ip>

Hi,

I am creating an IPSEC VPN tunnel between a Cisco ASA and a Cisco router.

On the router side, I have two outgoing interfaces to reach the ASA. So I created a loopback interface, terminated the tunnel on the loopback, and used the loopback interface as the local-address in the crypto map.

----------------------------------------------------------------------

crypto map abcmap local-address loopback 10

int lo 10
 crypto map abcmap

----------------------------------------------------------------------

I am running OSPF in the network. For the routing issue, I created the route-map:

---------------------------------------------------------------------

route-map IPSEC-VPN permit 10
 match ip address crypto-acl
 set interface loopback 10

access-list crypto-acl permit ip <site-a-lan> 0.0.0.255 <site-b-lan> 0.0.0.255

--------------------------------------------------------------------

Everything is working fine except that I am unable to ping the router LAN interface from the tunnel (ASA side), and I am receiving the syslog message (id = 402117): [IPSEC:Received a non-IPSEC packet (protocol=ICMP) from <ip> to <ip>]. Actually, this LAN interface is the source for SNMP/Syslog/TACACS/NTP etc...

Any comments please...

Regards,

Mubasher Sultan

2 REPLIES

Re: IPSEC:Received a non-IPSEC packet (protocol=ICMP) from <ip>

Hi Experts,

Any comments please... I am still facing the same issue...

Thanks,

Regards,

Mubasher

Cisco Employee

Re: IPSEC:Received a non-IPSEC packet (protocol=ICMP) from <ip>

When you are trying to ping from the ASA end, how did you source the ping? If you are pinging from the ASA itself, and the crypto subnet is for example your inside interface, then you would need to source the ping from the inside interface as follows on the ASA:

ping inside

Otherwise, if you just perform ping as follows from the ASA:

ping

that would be sourced from the outside interface of the ASA.

Further to that, if you are trying to source SNMP, syslog, AAA from the inside interface of the ASA as it is part of the crypto ACL, you would need to specify the inside interface in the corresponding statements.

For example:

logging host inside

snmp-server host inside

aaa-server inside host

Hope that helps.
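
As an added example (not part of the original thread, and not Cisco code): a short Python script that tallies the 402117 events from the question by source, destination and protocol, so you can see which remote addresses are arriving unencrypted for a pair the crypto ACL protects. The log lines, addresses and `CRYPTO_ACL` networks are constructed, and the message layout is assumed to follow the text quoted in the question.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the question; spacing and case vary, so match loosely.
PATTERN = re.compile(
    r"402117: IPSEC:\s*Received a non-IPSEC packet \(protocol=\s*(?P<proto>[^)\s]+)\s*\)"
    r" from (?P<src>\S+) to (?P<dst>\S+?)\.?$",
    re.IGNORECASE,
)

# Hypothetical crypto ACL as seen from the ASA: (local LAN, remote LAN).
CRYPTO_ACL = [
    (ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("192.0.2.0/24")),
]

# Constructed sample lines using documentation addresses (not from the thread).
SAMPLE_LOG = """\
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= ICMP) from 192.0.2.1 to 198.51.100.10.
%ASA-4-402117: IPSEC:Received a non-IPSEC packet (protocol=ICMP) from 192.0.2.1 to 198.51.100.10
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= UDP) from 192.0.2.1 to 198.51.100.20.
%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.5/443
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= ICMP) from 203.0.113.77 to 198.51.100.10.
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= ICMP) from <ip> to <ip>
"""


def cleartext_flows(log_text, crypto_acl=CRYPTO_ACL):
    """Count 402117 events per (src, dst, protocol, matching crypto ACL entry)."""
    flows = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line.strip())
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:  # redacted or malformed address, e.g. "<ip>"
            continue
        # The ASA receives the packet, so src is on the remote side and dst is local.
        entry = next((f"{local} <-> {remote}" for local, remote in crypto_acl
                      if dst in local and src in remote), None)
        flows[(str(src), str(dst), m["proto"].upper(), entry)] += 1
    return flows


if __name__ == "__main__":
    for (src, dst, proto, entry), n in cleartext_flows(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {proto:5} {src} -> {dst}  crypto ACL: {entry or 'no entry given'}")
```

A flow reported with no matching entry means the networks given to the script do not cover that pair, so check the `CRYPTO_ACL` list against the device configuration before drawing conclusions.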
