Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

rec'd packet not an ipsec packet !

I am just trying to ping the outside interface after i made a vpn connection on my PIX515E. Ping works before applying the crypto map, but after, if i enable logging, the packet dropped and this is logged by :

pixfirewall(config)# 402106: Rec'd packet not an IPSEC packet. (ip) dest_addr=, src_addr=, prot= icmp

Here is my config:


PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password T/t63Bt/WwztM4UV encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall


fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1433

fixup protocol sqlnet 1521

access-list VPN permit ip host host

access-list VPN permit ip

access-list laptop permit ip host host

access-list inbound permit tcp any host eq www

access-list acl_site permit ip

pager lines 24

logging on

logging console notifications

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list VPN

nat (inside) 1 0 0

access-group inbound_ping in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

crypto ipsec transform-set myts esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address acl_site

crypto map mymap 10 set transform-set myts

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80


: end


What is strange is that access list for crypto-map seems fine, i can't see what happening. Any help please.


New Member

Re: rec'd packet not an ipsec packet !


without the config from the other side we cannot help you.

Post the ipsec config from the other side.

Regards, Celio

New Member

Re: rec'd packet not an ipsec packet !

There is no problem in VPN, in fact i didn't even tried VPN yet, the only thing i did is to connect my laptop to the outside interface and ping that interface. So you understand it is not a problem in VPN, just in ping the outside interface, i am not even trying to ping the inside from outside, just the outside interface from a PC attaced to it, and it doesn't work, strange. Any help is appreciated

New Member

Re: rec'd packet not an ipsec packet !


I Suggest you to Disable firewall in your PC/Laptop and Force Ethernet speed to Auto on both side, then you should be able to ping.

i have encounter the same problem with one of our customer PIX.



New Member

Re: rec'd packet not an ipsec packet !

I'll give it a try, but it makes no sense :)

The problem seems like the firewall is getting the packet right on the outside interface; right src, dest, because it log it right, however, it looks like my firewall expect everything to be encrypted or something. My access-list is right, and a ping doesn't come under this access-list, so why it is flagged so as shown in the logging. this doesn't look complicated matter, also it is easy to repeat same as me, make a VPN map on a firewall, ping the outside interface, and here we are, ping fail !

New Member

Re: rec'd packet not an ipsec packet !


The question what u have asked is to ping directly connecting your PC to Outside Interface of the PIX, ( provided your PC should be same segment IP address of Outside Interface)if your Firewall expecting traffic needs to be ipsec . then it is something to be done with ACL which you have applied on Outside interface

Please share your ACL details which you have applied to outside interface.



CreatePlease to create content