Cisco Support Community

ipsec vpn error

VPN is up and established but receiving this error? Where is the problem? Thanks.
IPSEC: Received an ESP packet from (user= to  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as, its source as, and its protocol as tcp.  The SA specifies its local proxy as and its remote_proxy as

Hall of Fame Super Silver

The crypto map / access-list at their end says to route packets for address to your end of the VPN.

Your map doesn't match and your IPSec SAs don't include that network in the local identities, thus the error.

That's what I determined as well about the packet has a destination of, but it seems to be using the tunnel, which I do not want. I only want the going through the tunnel and all else straight out.

On the remote ASA I have the source network as and destination as - so how would I fix this?

Hall of Fame Super Silver

Something is not correctly set up at the remote end as it believes that packet should be encapsulated and sent across the tunnel.

If it's an ASA that you control, you can try seeing what's going on by using packet-tracer (reference) as follows:

packet-tracer input inside tcp 1025 80 detailed

(I assume the distant end inside interface is named "inside". If not, substitute the actual nameif. I also used port 80 destination just as a point of reference; if you have any more detailed information on the destination port, you may use that.)
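
The mismatch discussed in this thread can be checked offline by comparing both peers' crypto access-lists for mirror-image entries. The following is an added example, not code from the thread or from Cisco; the ACL names and addresses are constructed (documentation ranges), because the thread's own addresses are not shown, and only the `permit ip <network> <mask> <network> <mask>` entry form is handled.

```python
import ipaddress
import re

# Matches ASA crypto ACL entries of the form:
#   access-list NAME extended permit ip SRC_NET SRC_MASK DST_NET DST_MASK
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_crypto_acl(config_text):
    """Return the set of (source_network, destination_network) pairs."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # other entry forms (host, any, object-group) are skipped
        _, src, smask, dst, dmask = m.groups()
        pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                   ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs

def unmirrored(local_pairs, remote_pairs):
    """Remote entries that have no mirror-image entry on the local peer."""
    mirrored_local = {(dst, src) for src, dst in local_pairs}
    return sorted(remote_pairs - mirrored_local)

def matches_sa(packet_src, packet_dst, local_proxy, remote_proxy):
    """Receiver-side test: the inner packet must fall inside the SA's proxies."""
    return (ipaddress.ip_address(packet_src) in remote_proxy
            and ipaddress.ip_address(packet_dst) in local_proxy)

# Constructed sample configs: hypothetical ACL names, documentation addresses.
LOCAL_ASA = """
access-list VPN-LOCAL extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
"""
REMOTE_ASA = """
access-list VPN-REMOTE extended permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list VPN-REMOTE extended permit ip 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0
"""

if __name__ == "__main__":
    local, remote = parse_crypto_acl(LOCAL_ASA), parse_crypto_acl(REMOTE_ASA)
    for src, dst in unmirrored(local, remote):
        print(f"remote encrypts {src} -> {dst}; local peer has no matching entry")
```

Any entry this reports is traffic the remote peer will encapsulate even though the local SA's proxies do not cover it, which is the condition the log message describes.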