VPN PIX-Netscreen - Syslog Warnings

hwolfgruber
Level 1

Hi there,

we have a Site2Site VPN-connection between a PIX501 (6.3(5)) and a Netscreen.

The tunnel is terminated by Hosts, it is up and works fine.

But the PIX syslog writes the warning

"%PIX-4-402103: identity doesn't match negotiated identity (ip) dest_addr= <PIX Outside>, src_addr= <Netscreen Outside>, prot= icmp, (ident) local=<PIX Outside>, remote=<Netscreen Outside>, local proxy=<Host PIX-Side>/255.255.255.255/0/0, remote_proxy=<Host Netscreen-Side>/255.255.255.255/0/0".

The entry is written every 10 seconds and causes a huge amount of output.

A Lan2Lan configuration instead of Host2Host leads to the same result.

We checked the configuration on both sides several times, no deviations were found.

Does anyone have a solution for this problem?

TIA

Hermann

5 Replies

spremkumar
Level 9

Hi

This is the explanation and the recommended action which I received from the error code debugger... I feel you need to check out the policy setting in the Netscreen, which might help you out.

An unencapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer. This may be a hostile event.

Recommended Action: Contact the peer's administrator to compare policy settings.

regards

Hi

Thanks, I contacted the Netscreen admin and we've checked the configuration again point by point but found no differences.

Another Netscreen guy told me that this was normal behavior between a PIX and a Netscreen and I have to live with it or set the logging level to errors.

I can't believe that the two market-leading firewalls cannot establish an error-free connection.

I hope anyone here has a solution or workaround for this problem (changing the logging level is not really a solution).

TIA

Hermann

Hi,

The error description sounds like traffic other than what you would expect is trying to traverse the link. The frequency may be related to routing protocol traffic (e.g. OSPF). Just a thought.

It would be worth setting up a snoop session on the Netscreen to see what traffic is traversing the link.

HTH

Cathy

This may be a matter of how Netscreen handles ICMP with NAT. I'm running into issues with Netscreen on the other side of an IPSec S2S, and NAT/PAT seems to be one of the problems: sending traffic without changing IPs.

See related:

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093f96.shtml

Thanks for the support!

I would've preferred a solution by eliminating the cause.

Now I _solved_ the problem by suppressing 402103 events.

regards

Hermann
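As an added example that is not part of this thread: a small Python script that parses %PIX-4-402103 lines in the format quoted above (behind an assumed "Mon DD HH:MM:SS host" syslog prefix) and groups them by peer, protocol and proxy identities together with their repeat interval, so the periodic sender behind an every-10-seconds message can be pinned down from the syslog alone before deciding whether to suppress the event. The sample log lines, hostnames and addresses are constructed.

```python
import re
from datetime import datetime
# Field layout of the %PIX-4-402103 message as quoted in the thread, behind an
# assumed "Mon DD HH:MM:SS host" syslog prefix (adjust to your logging format).
PAT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-4-402103: "
    r"identity doesn't match negotiated identity \(ip\) "
    r"dest_addr= ?(?P<dst>[^,\s]+), src_addr= ?(?P<src>[^,\s]+), prot= ?(?P<prot>\w+), "
    r"\(ident\) local=(?P<local>[^,\s]+), remote=(?P<remote>[^,\s]+), "
    r"local proxy=(?P<lproxy>[^,\s]+), remote_proxy=(?P<rproxy>[^,\s]+)"
)

def _ev(ts, prot):
    return (f"Jan 10 {ts} pix01 %PIX-4-402103: identity doesn't match negotiated "
            f"identity (ip) dest_addr= 198.51.100.1, src_addr= 203.0.113.1, prot= {prot}, "
            "(ident) local=198.51.100.1, remote=203.0.113.1, "
            "local proxy=10.1.1.5/255.255.255.255/0/0, remote_proxy=10.2.2.5/255.255.255.255/0/0")

# Constructed sample log (not from the thread, documentation-range addresses): three
# ICMP mismatches 10 s apart, one TCP mismatch, and one unrelated line that must be skipped.
SAMPLE_LOG = [
    _ev("10:00:00", "icmp"),
    "Jan 10 10:00:05 pix01 %PIX-6-302013: Built outbound TCP connection 4711",
    _ev("10:00:10", "icmp"),
    _ev("10:00:15", "tcp"),
    _ev("10:00:20", "icmp"),
]

def parse_402103(line):
    """Return the message fields as a dict, or None for any other syslog line."""
    m = PAT.match(line)
    if m is None:
        return None
    return {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S")}

def summarize(lines):
    """Group events by (src, dst, prot, local proxy, remote proxy) and measure their cadence."""
    groups = {}
    for line in lines:
        f = parse_402103(line)
        if f is None:
            continue
        key = (f["src"], f["dst"], f["prot"], f["lproxy"], f["rproxy"])
        g = groups.setdefault(key, {"count": 0, "first": f["ts"], "last": f["ts"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], f["ts"]), max(g["last"], f["ts"])
    for g in groups.values():
        # A fixed interval points at one periodic sender behind the peer, not random leakage.
        span = (g["last"] - g["first"]).total_seconds()
        g["interval_s"] = span / (g["count"] - 1) if g["count"] > 1 else None
    return groups
```

Run it against the real syslog with `summarize(open("pix.log"))`; a group whose `interval_s` sits at a steady 10 s is the traffic to look for in the snoop session suggested earlier in the thread.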