ASA - communication between 2 tunnels

BHconsultants88
Level 1

Hi everyone

 

I have two IPSEC tunnels with an ASA in the middle

 

Site A - 10.20.4.0 /24 (65.176.80.84)

Site B - 192.168.142.0 /24

ASA - 10.99.206.0 /24 (95.12.22.33)

 

Site A - 10.20.4.0 /24 can reach the ASA and Site B successfully

ASA can reach Site A and Site B successfully

Site B can reach ASA but fails to ping Site A

 

I've been running a continuous ping from 192.168.142.25 and see this on the ASA:

 

4|Feb 28 2019 10:01:53|402116: IPSEC: Received an ESP packet (SPI= 0x41AD96C1, sequence number= 0x17BF) from 35.176.80.84 (user= 65.176.80.84) to 95.12.22.33.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp.  The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.

 

I've looked this up and it describes the message as a NAT error but nothing specific. Could someone please explain what this error could potentially be caused by?

 

Thanks in advance.

6 Replies

Try this command:

 

hostname(config)# policy-map type inspect IPSec-pass-thr 
please do not forget to rate.

Thank you for your reply. I've added the command but am still seeing the same error. Any other suggestions would be highly appreciated.

 

I've also attached configs for Site A and Site B VPN tunnels.

 

Thanks in advance

Apologies, I overlooked the syslog you pasted earlier.

 

This seems to be an issue with your NATting for this VPN:

 

4|Feb 28 2019 10:01:53|402116: IPSEC: Received an ESP packet (SPI= 0x41AD96C1, sequence number= 0x17BF) from 35.176.80.84 (user= 65.176.80.84) to 95.12.22.33. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp. The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.

 

I shall get back to you.

 

please do not forget to rate.

Thanks very much, I appreciate your time. I will continue running tests and look forward to your update.

Thanks Sheraz

 

I've just run a continuous ping from 192.168.142.25 to 10.20.4.1 - below are the results:

 

vpn# show log asdm | inc 192.168.142.25
4|Mar 01 2019 10:22:32|402116: IPSEC: Received an ESP packet (SPI= 0x5E765129, sequence number= 0x62E) from 35.176.80.84 (user= 35.176.80.84) to 195.12.22.33.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp.  The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.
vpn#
vpn#
vpn# show crypto ipsec sa peer 35.176.80.84
peer address: 35.176.80.84
    Crypto map tag: external-vpns, seq num: 600, local addr: 195.12.22.33

      access-list Formac extended permit ip 10.99.206.0 255.255.255.0 192.168.142.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.99.206.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.142.0/255.255.255.0/0/0)
      current_peer: 35.176.80.84

      #pkts encaps: 809, #pkts encrypt: 809, #pkts digest: 809
      #pkts decaps: 539160, #pkts decrypt: 887, #pkts verify: 887
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 809, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 538272

      local crypto endpt.: 195.12.22.33/4500, remote crypto endpt.: 35.176.80.84/4500
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 837C9A67
      current inbound spi : 5E765129

    inbound esp sas:
      spi: 0x5E765129 (1584812329)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 267993088, crypto-map: external-vpns
         sa timing: remaining key lifetime (kB/sec): (4373999/2699)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000120
    outbound esp sas:
      spi: 0x837C9A67 (2205981287)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 267993088, crypto-map: external-vpns
         sa timing: remaining key lifetime (kB/sec): (4373999/2690)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

 

Thanks in advance

Hi everyone


Continuing to work on this. 

 

Would NATting on the ASA be the answer here? As there is a tunnel between Site A and the Cisco ASA and traffic is passing both ways, could I PAT the entire Site B range (192.168.142.0/24) behind a single IP on the Cisco ASA subnet (10.99.206.0 /24)?


Could this be the answer to my problems? 
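The 402116 message quoted in this thread already contains everything needed to see which half of the SA's proxy identity the inner packet fell outside of. As an added example (not code from the thread, from Cisco, or from any of the posters), here is a small Python checker that parses `%ASA-4-402116` lines and compares the reported inner source and destination against the local and remote proxies of the SA that received the packet, then asks whether any SA on the ASA covers that pair at all. The SA table is an assumption: the Site B entry is copied from the `show crypto ipsec sa` output above, while the Site A entry (10.99.206.0/24 to 10.20.4.0/24) is assumed, since the thread never shows that tunnel's proxy identities. The sample log lines are copies of the two messages posted in the thread plus one constructed unrelated line.

```python
"""Checker for Cisco ASA %ASA-4-402116 ("decapsulated inner packet doesn't
match the negotiated policy in the SA") syslog lines.

Added example for this thread, not Cisco's code.  SAMPLE_LOG holds copies of
the two messages quoted in the thread plus one constructed filler line; the
Site A entry in ASA_SAS is an ASSUMPTION, the thread never shows that tunnel.
"""
import ipaddress
import re
from dataclasses import dataclass

# Anchored on the message id so the timestamp/severity prefix does not matter.
MSG_RE = re.compile(
    r"402116: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+),[^)]*\) "
    r"from (?P<peer>[\d.]+) .*?destination as (?P<dst>[\d.]+), "
    r"its source as (?P<src>[\d.]+), and its protocol as (?P<proto>\w+)\.\s+"
    r"The SA specifies its local proxy as (?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\w+/\d+ "
    r"and its remote_proxy as (?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\w+/\d+"
)


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the 'address/dotted-mask' form the ASA logs use."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Proxy:
    """Proxy identities of one IPsec SA as seen from the ASA."""
    name: str
    local: ipaddress.IPv4Network   # ASA side ("local ident")
    remote: ipaddress.IPv4Network  # peer side ("remote ident")

    def accepts_inbound(self, src, dst) -> bool:
        # A decapsulated packet must come from the remote proxy and go to the local one.
        return src in self.remote and dst in self.local


@dataclass
class Event402116:
    spi: str
    peer: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sa: Proxy


# ASSUMED SA table for the ASA in the thread (Site B copied from the thread's
# show crypto ipsec sa output; Site A assumed).
ASA_SAS = [
    Proxy("site-b (crypto map seq 600)", net("10.99.206.0", "255.255.255.0"), net("192.168.142.0", "255.255.255.0")),
    Proxy("site-a (ASSUMED)", net("10.99.206.0", "255.255.255.0"), net("10.20.4.0", "255.255.255.0")),
]

# Copies of the two messages from the thread, plus one constructed non-402116 line.
SAMPLE_LOG = """\
4|Feb 28 2019 10:01:53|402116: IPSEC: Received an ESP packet (SPI= 0x41AD96C1, sequence number= 0x17BF) from 35.176.80.84 (user= 65.176.80.84) to 95.12.22.33.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp.  The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.
6|Mar 01 2019 10:22:30|302013: Built inbound TCP connection (constructed filler line, not from the thread)
4|Mar 01 2019 10:22:32|402116: IPSEC: Received an ESP packet (SPI= 0x5E765129, sequence number= 0x62E) from 35.176.80.84 (user= 35.176.80.84) to 195.12.22.33.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp.  The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.
"""


def parse_402116(line: str):
    """Return an Event402116 for a 402116 line, or None for anything else."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sa = Proxy(f"SA {m['spi']}", net(m["lnet"], m["lmask"]), net(m["rnet"], m["rmask"]))
    return Event402116(m["spi"], m["peer"], ipaddress.ip_address(m["src"]),
                       ipaddress.ip_address(m["dst"]), m["proto"], sa)


def diagnose(ev: Event402116) -> list:
    """Reasons the inner packet failed the proxy check of the SA it arrived on."""
    reasons = []
    if ev.src not in ev.sa.remote:
        reasons.append(f"source {ev.src} is outside the SA remote proxy {ev.sa.remote}")
    if ev.dst not in ev.sa.local:
        reasons.append(f"destination {ev.dst} is outside the SA local proxy {ev.sa.local}")
    return reasons


def covering_sas(src, dst, sas) -> list:
    """Names of the SAs whose proxy identities would accept src->dst inbound."""
    return [sa.name for sa in sas if sa.accepts_inbound(src, dst)]


def inbound_pair_allowed(src: str, dst: str, sas) -> bool:
    return bool(covering_sas(ipaddress.ip_address(src), ipaddress.ip_address(dst), sas))


def analyze(log_text: str, sas) -> list:
    """One result per 402116 line: spi, peer, failure reasons, SAs that cover the pair."""
    results = []
    for line in log_text.splitlines():
        ev = parse_402116(line)
        if ev is not None:
            results.append({"spi": ev.spi, "peer": ev.peer, "reasons": diagnose(ev),
                            "covered_by": covering_sas(ev.src, ev.dst, sas)})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG, ASA_SAS):
        print(f"SPI {r['spi']} from {r['peer']}: " + ("; ".join(r["reasons"]) or "inner packet matches SA"))
        print("  SAs on this ASA covering the pair:", r["covered_by"] or "none")
```

Run against the two messages from the thread, the script reports that the source 192.168.142.25 does sit inside the remote proxy and that only the destination 10.20.4.1 falls outside the local proxy 10.99.206.0/24, and that no SA in the (assumed) table covers a 192.168.142.0/24 to 10.20.4.0/24 pair, which is the pair the Site B peer is encrypting. The check is applied to the inner header exactly as the syslog reports it, because that header is what the ASA compared against the SA.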
