Hello,

we have an issue with a VPN between ASA5545-X and Sonicwall NSA3600. The ASA runs firmware 9.12(2)9, the Sonixwall runs firmware "SonicOS Enhanced 6.5.4.5-53n". We have implemented a IKEv1 IPSEC Site-to-Site VPN between the 2 devices. If we use any kind of AES encryption in phase 2, we have packet loss up to 2%, but only in the direction from Sonicwall to ASA, never in the other direction. The log message in the ASA is "Dec 18 16:58:13 nefw1 %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xC061F9D4, sequence number= 0x3710) from x.x.x.x (user= x.x.x.x) to y.y.y.y that failed authentication" (ip addresses in the message replaced with x.x.x.x and y.y.y.y). So it seems, that the ASA gets packets, that can not be decrypted, but we had no idea about the reason. If we change encryption in phase2 in the configuration (without changing anything else of the configuration), the issue disappears. Has someone ever heard of such an issue between ASA and Sonicwall? It was the first time, i have seen such an issue with an IPSEC VPN.

For me, it looks like there is an issue with the AES implementation, either on the ASA or on the Sonicwall. Our customer told us, that they had IPSEC VPNs running with Cisco ASA on the other end of the VPN tunnel, but that was long ago and the ASA was an older series (5510 or 5520).

I could not open a tac case for this issue, because our ciustomer with the ASA does not have a service contract for that device. Does anybody know about an other workaround for this issue than changing encryption to 3DES? Nobody wants to use 3DES anymore nowadays, so this is really not a good solution, but it is the only workaround, that we could find until now.

I would be glad, if someone can tell me another workaround or tell me, if that is an issue with ASA or an issue with Sonicwall.

Thanks in advance.