This message generally comes up when either there is a spoof or if the packets are getting corrupt from the HQ to Remote ASA. Are you seeing this message only on the Remote ASA? Are you still seeing those messages poping up or was it just for a while?
If you are still seeing the messages, please run "debug crypto ipsec 200" on the Remote ASA and see if you notice some errors there?
Also, to confirm if packets are indeed getting corrupt en route to Remote ASA, we can apply captures for ESP packets on the HQ and the Remote ASA and check with the sequence numbers (from the logs) to compare the HASH values. I owould suggest you to check that as well.
Please also have a check with the ISP with the above capture information if we indeed see HASH mismatch.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...