
The decapsulated inner packet doesn't match the negotiated policy in the SA

simon.didcote
Level 1

Hi,

I am having a problem getting SIP software to reach a PBX (IP Office 500, if that matters) that is behind an ASA 5505. I have a working VPN connection that terminates at the ASA and can ping/telnet/netcat (UDP) the PBX no problem. When connecting, I get connection errors and this message in the log:

Oct 24 18:29:30 officefirewall %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x9E1B52DD, sequence number= 0x490E) from 81.X.X.X (user= xxx) to 185.X.X.X.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as ipoffice, its source as 192.168.0.92, and its protocol as 17.  The SA specifies its local proxy as 0.0.0.0/0.0.0.0/0/0 and its remote_proxy as 192.168.2.18/255.255.255.255/0/0.

81.X.X.X is my public IP, 185.X.X.X is the outside IP of the ASA. 192.168.2.X is my VPN-assigned IP, 192.168.0.X is my actual internal IP.

Thanks

My full config is below:

 

: Saved
:
ASA Version 7.2(4) 
!
hostname officefirewall
names
name 192.168.2.0 vpn-network description vpn-network
name 10.0.0.0 office-network description office-network
name 192.168.100.0 server-network description server-network
name 10.0.16.0 phone-network description phone-network
name 10.0.16.253 ipoffice
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 185.X.X.X 255.255.255.240 
!
interface Vlan12
 nameif guest
 security-level 50
 ip address 192.168.250.1 255.255.255.0 
!
interface Vlan22
 nameif phone
 security-level 50
 ip address 10.0.16.2 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
!
time-range Work
 periodic daily 7:00 to 19:00
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name e-san.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp host esan3-outside host north-outside eq ssh 
access-list outside_access_in extended permit tcp BlackSpider_Cluster_D 255.255.255.192 host east-outside eq smtp 
access-list outside_access_in extended permit tcp BlackSpider_Cluster_F 255.255.255.192 host east-outside eq smtp 
access-list outside_access_in extended permit tcp BlackSpider_Cluster_G 255.255.248.0 host east-outside eq smtp 
access-list outside_access_in extended permit tcp BlackSpider_Cluster_H 255.255.248.0 host east-outside eq smtp 
access-list outside_access_in extended permit tcp BlackSpider_Cluster_I 255.255.248.0 host east-outside eq smtp 
access-list outside_access_in extended permit tcp BlackSpider_Cluster_J 255.255.224.0 host east-outside eq smtp 
access-list outside_access_in extended permit tcp host 86.137.117.121 host east-outside eq smtp 
access-list outside_access_in extended permit tcp any host east-outside object-group webaccess-in 
access-list outside_access_in extended permit tcp any host east-outside eq imap4 inactive 
access-list outside_access_in extended permit tcp any host east-outside eq pop3 inactive 
access-list outside_access_in extended permit tcp any host east-outside eq 465 inactive 
access-list outside_access_in extended permit tcp any host south-outside eq www 
access-list outside_access_in extended permit tcp any host south-outside object-group openfire 
access-list outside_access_in extended permit tcp any host south-outside eq 3030 
access-list outside_access_in extended permit tcp any host bear-outside object-group webaccess-in 
access-list outside_access_in extended permit tcp any host yellow-outside eq ssh 
access-list outside_access_in extended permit tcp any host yellow-outside object-group webaccess-in 
access-list outside_access_in extended permit udp any any eq 12211 
access-list outside_access_in extended permit tcp any any eq 12211 
access-list outside_access_in extended permit tcp any host yellow-outside object-group seafile-in 
access-list inside_access_in extended permit ip any any
access-list inside_outbound_nat0_acl extended permit ip office-network 255.255.255.0 vpn-network 255.255.255.0 
access-list inside_outbound_nat0_acl extended permit ip server-network 255.255.255.0 vpn-network 255.255.255.0 
access-list inside_outbound_nat0_acl extended permit ip 192.168.50.0 255.255.255.0 vpn-network 255.255.255.0 
access-list inside_outbound_nat0_acl extended permit ip phone-network 255.255.255.0 vpn-network 255.255.255.0 
access-list inside_outbound_nat0_acl extended permit ip any phone-network 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit office-network 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit phone-network 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit server-network 255.255.255.0 
access-list VPN_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0 
access-list guest_access_in extended permit ip any any time-range Work 
access-list vm_access_in extended permit ip any any 
pager lines 24
ip local pool RemoteVPNUsers 192.168.2.10-192.168.2.30 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface guest
monitor-interface phone
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 office-network 255.255.255.0
nat (inside) 1 192.168.50.0 255.255.255.0
nat (inside) 1 192.168.250.0 255.255.255.0
nat (guest) 1 192.168.250.0 255.255.255.0
static (inside,outside) east-outside east-inside netmask 255.255.255.255 
static (inside,outside) north-outside north-inside netmask 255.255.255.255 
static (inside,outside) south-outside south-inside netmask 255.255.255.255 
static (inside,outside) bear-outside bear-inside netmask 255.255.255.255 
static (inside,outside) yellow-outside yellow-inside netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group guest_access_in in interface guest
access-group vm_access_in in interface phone
route inside office-network 255.255.255.0 192.168.50.2 1
route inside server-network 255.255.255.0 192.168.50.2 1
route outside 0.0.0.0 0.0.0.0 185.55.61.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy VPN internal
group-policy VPN attributes
 wins-server value 10.0.0.6
 dns-server value 10.0.0.6 10.0.0.8
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value X.local
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool RemoteVPNUsers
 authentication-server-group MasterLDAP LOCAL
 default-group-policy VPN
 authorization-dn-attributes use-entire-name
tunnel-group VPN ipsec-attributes
 pre-shared-key *
tunnel-group VPNPHONE type ipsec-ra
tunnel-group VPNPHONE general-attributes
 address-pool RemoteVPNUsers
 default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
class-map class_sip_tcp
 match port tcp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp 
  inspect ftp 
  inspect ipsec-pass-thru 
  inspect sip 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:ac756d757e95441ac0591ad2e132fd21
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
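As an added example (not part of the post and not Cisco code), the following Python re-runs the selector comparison that the %ASA-4-402116 message describes: it parses the message, resolves the ASA `name` labels from the posted config so that `ipoffice` becomes 10.0.16.253, and checks the decapsulated inner packet against the two proxy identities. Run on the log line from the post it reports the single failure the message implies: the inner source 192.168.0.92 lies outside the remote proxy 192.168.2.18/32 (the VPN pool address), while the destination and protocol are within policy. Assumptions: the proxy semantics are the standard IPsec ones (for a packet received from the peer, the inner source is bound by the remote proxy and the inner destination by the local proxy), and the `name` excerpt and the field layout in the regex are taken from the post.

```python
"""Interpret a Cisco ASA %ASA-4-402116 message by re-running the SA selector
comparison it describes.  Added example, not code from the post or from Cisco.
Assumes standard IPsec proxy semantics: for an inbound ESP packet the inner
source must fall in the remote proxy and the inner destination in the local one."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt: only the "name" lines from the posted config.  The ASA
# substitutes these labels into syslog text, which is why the log says "ipoffice".
SAMPLE_NAMES = """\
name 192.168.2.0 vpn-network description vpn-network
name 10.0.16.0 phone-network description phone-network
name 10.0.16.253 ipoffice
"""

# The log line quoted in the post, kept verbatim (public addresses masked with X).
SAMPLE_LOG = (
    "Oct 24 18:29:30 officefirewall %ASA-4-402116: IPSEC: Received an ESP packet "
    "(SPI= 0x9E1B52DD, sequence number= 0x490E) from 81.X.X.X (user= xxx) to "
    "185.X.X.X.  The decapsulated inner packet doesn't match the negotiated "
    "policy in the SA.  The packet specifies its destination as ipoffice, its "
    "source as 192.168.0.92, and its protocol as 17.  The SA specifies its local "
    "proxy as 0.0.0.0/0.0.0.0/0/0 and its remote_proxy as "
    "192.168.2.18/255.255.255.255/0/0."
)

# Field layout follows the message text quoted in the post.
MSG_RE = re.compile(
    r"%ASA-4-402116: IPSEC: Received an ESP packet "
    r"\(SPI= (?P<spi>0x[0-9A-Fa-f]+), sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) "
    r"from (?P<peer>\S+) \(user= (?P<user>[^)]*)\) to (?P<local>\S+?)\.\s+"
    r"The decapsulated inner packet doesn't match the negotiated policy in the SA\.\s+"
    r"The packet specifies its destination as (?P<dst>[^\s,]+), "
    r"its source as (?P<src>[^\s,]+), and its protocol as (?P<proto>\d+)\.\s+"
    r"The SA specifies its local proxy as (?P<lproxy>[\d.]+/[\d.]+/\d+/\d+) "
    r"and its remote_proxy as (?P<rproxy>[\d.]+/[\d.]+/\d+/\d+)"
)


@dataclass
class Proxy:
    """One SA proxy identity as the ASA prints it: addr/mask/proto/port."""
    network: ipaddress.IPv4Network
    proto: int  # 0 means any protocol
    port: int   # 0 means any port


@dataclass
class SelectorCheck:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    local_proxy: Proxy
    remote_proxy: Proxy
    mismatches: List[str] = field(default_factory=list)


def parse_names(config: str) -> Dict[str, ipaddress.IPv4Address]:
    """Collect 'name <ip> <label>' entries from an ASA config."""
    names: Dict[str, ipaddress.IPv4Address] = {}
    for m in re.finditer(r"^name (\S+) (\S+)", config, re.MULTILINE):
        names[m.group(2)] = ipaddress.IPv4Address(m.group(1))
    return names


def parse_proxy(text: str) -> Proxy:
    """'0.0.0.0/0.0.0.0/0/0' -> Proxy(0.0.0.0/0, any proto, any port)."""
    addr, mask, proto, port = text.split("/")
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return Proxy(net, int(proto), int(port))


def resolve(label: str, names: Dict[str, ipaddress.IPv4Address]) -> ipaddress.IPv4Address:
    """Map an ASA name label back to its address; plain addresses pass through."""
    if label in names:
        return names[label]
    return ipaddress.IPv4Address(label)


def check_message(line: str, names: Dict[str, ipaddress.IPv4Address]) -> SelectorCheck:
    """Re-run the selector comparison the message describes and list each failure."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an %ASA-4-402116 message")
    result = SelectorCheck(
        src=resolve(m["src"], names),
        dst=resolve(m["dst"], names),
        proto=int(m["proto"]),
        local_proxy=parse_proxy(m["lproxy"]),
        remote_proxy=parse_proxy(m["rproxy"]),
    )
    # The packet arrived from the peer, so the inner source is bound by the
    # remote proxy and the inner destination by the local proxy.
    if result.src not in result.remote_proxy.network:
        result.mismatches.append(
            f"source {result.src} is outside remote proxy {result.remote_proxy.network}")
    if result.dst not in result.local_proxy.network:
        result.mismatches.append(
            f"destination {result.dst} is outside local proxy {result.local_proxy.network}")
    for side, proxy in (("remote", result.remote_proxy), ("local", result.local_proxy)):
        if proxy.proto and proxy.proto != result.proto:
            result.mismatches.append(
                f"protocol {result.proto} does not match {side} proxy protocol {proxy.proto}")
    return result


if __name__ == "__main__":
    check = check_message(SAMPLE_LOG, parse_names(SAMPLE_NAMES))
    print(f"inner {check.src} -> {check.dst} proto {check.proto}")
    print(f"SA local {check.local_proxy.network} remote {check.remote_proxy.network}")
    for reason in check.mismatches or ["selectors match"]:
        print(" ", reason)
```

The check only restates what the appliance logged: it tells you which selector the reported inner packet fails, not whether the addresses in the message are themselves accurate, so it is a way to read the message precisely rather than a substitute for verifying the client's actual traffic.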

1 Reply

You may take a look at this bug:

ASA-4-402116 - error message displays outer instead of inner packet
CSCty95742

Since this matches the behavior, the best option would be to upgrade this appliance to a newer version.

Regards