04-11-2018 09:22 AM - edited 03-12-2019 05:11 AM
Hello
I have a working VPN tunnel built between a Cisco ASA firewall running ASA version 9.6 and one of our vendors. The vendor has a Check Point firewall on their end. We have recently added new traffic flows to this tunnel. When we are generating the traffic I can see the pkts encaps increasing on the ASA, but the vendor is not seeing any traffic reaching their firewall.
Any help regarding this would be much appreciated.
ravi
04-11-2018 01:55 PM
Apply a packet capture on the ASA's outside interface for ESP traffic. Ideally you should see traffic outbound to, but nothing inbound from, the peer IP address for the new SA (the SPI should differ for each SA). This should prove that the ASA is not at fault. In many cases, vendor mis-configuration can send traffic into the wrong SA. The ASA should log something similar to the below:
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAAAAAA, sequence number= 0x1F0) from x.x.x.x (user= testuser) to y.y.y.y. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as z.z.z.z, its source as a.a.a.a, and its protocol as tcp. The SA specifies its local proxy as y.y.y.y/255.255.255.255/udp/42246 and its remote_proxy as x.x.x.x/255.255.255.255/udp/0.
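The %ASA-4-402116 message quoted in the answer carries everything needed to see which SA is receiving misdirected traffic: the SPI, the peer, the inner packet's source/destination/protocol, and the proxy identities the SA was negotiated with. The script below is an added example, not part of the original thread or Cisco's own tooling: it parses syslog lines of that format, explains which dimension of the inner packet falls outside the SA's local or remote proxy, and counts events per (peer, SPI) so the offending SA stands out. The sample log lines and all addresses in them are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines in the %ASA-4-402116 format quoted in the thread.
# Addresses, SPIs and the user name are made up for this example.
SAMPLE_LOGS = [
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x1A2B3C4D, sequence number= 0x1F0) "
    "from 198.51.100.10 (user= vendor-peer) to 203.0.113.5. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "10.20.0.15, its source as 172.16.5.7, and its protocol as tcp. The SA specifies its local "
    "proxy as 10.10.0.0/255.255.255.0/0/0 and its remote_proxy as 172.16.5.0/255.255.255.0/0/0.",
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x1A2B3C4D, sequence number= 0x1F1) "
    "from 198.51.100.10 (user= vendor-peer) to 203.0.113.5. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "10.20.0.16, its source as 172.16.5.7, and its protocol as tcp. The SA specifies its local "
    "proxy as 10.10.0.0/255.255.255.0/0/0 and its remote_proxy as 172.16.5.0/255.255.255.0/0/0.",
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x5E6F7A8B, sequence number= 0x2A) "
    "from 198.51.100.10 (user= vendor-peer) to 203.0.113.5. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "10.10.0.9, its source as 172.16.9.3, and its protocol as udp. The SA specifies its local "
    "proxy as 10.10.0.0/255.255.255.0/tcp/0 and its remote_proxy as 172.16.5.0/255.255.255.0/tcp/0.",
    # Unrelated message: must be ignored by the parser.
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.10/443 "
    "(198.51.100.10/443) to inside:10.10.0.9/51000 (10.10.0.9/51000)",
]

PATTERN = re.compile(
    r"%ASA-4-402116: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<peer>\S+) "
    r"(?:\(user= (?P<user>[^)]*)\) )?to (?P<local>\S+)\. .*?"
    r"destination as (?P<dst>\S+), its source as (?P<src>\S+), "
    r"and its protocol as (?P<proto>\w+)\. The SA specifies its local proxy as "
    r"(?P<lproxy>\S+) and its remote_proxy as (?P<rproxy>\S+)\.$"
)

# Numeric protocol identifiers that may appear in a proxy identity; 0 means "any".
PROTO_NAMES = {"0": "any", "1": "icmp", "6": "tcp", "17": "udp"}


@dataclass
class Proxy:
    """One side of the SA's traffic selector: address/mask, protocol and port (0 = any)."""
    network: ipaddress.IPv4Network
    proto: str
    port: int


@dataclass
class PolicyMismatch:
    spi: str
    peer: str
    local: str
    inner_src: ipaddress.IPv4Address
    inner_dst: ipaddress.IPv4Address
    inner_proto: str
    local_proxy: Proxy
    remote_proxy: Proxy


def parse_proxy(text: str) -> Proxy:
    """Parse 'addr/mask/proto/port' as logged by the ASA into a Proxy."""
    addr, mask, proto, port = text.split("/")
    proto = PROTO_NAMES.get(proto, proto.lower())
    if proto in ("ip", "any"):
        proto = "any"
    return Proxy(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), proto, int(port))


def parse_402116(line: str) -> Optional[PolicyMismatch]:
    """Return a PolicyMismatch for a %ASA-4-402116 line, or None for any other message."""
    m = PATTERN.search(line)
    if m is None:
        return None
    return PolicyMismatch(
        spi=m["spi"], peer=m["peer"], local=m["local"],
        inner_src=ipaddress.IPv4Address(m["src"]),
        inner_dst=ipaddress.IPv4Address(m["dst"]),
        inner_proto=m["proto"].lower(),
        local_proxy=parse_proxy(m["lproxy"]),
        remote_proxy=parse_proxy(m["rproxy"]),
    )


def mismatch_reasons(ev: PolicyMismatch) -> list:
    """List which dimensions of the inner packet fall outside the SA's negotiated proxies."""
    reasons = []
    if ev.inner_dst not in ev.local_proxy.network:
        reasons.append(f"inner dst {ev.inner_dst} outside local proxy {ev.local_proxy.network}")
    if ev.inner_src not in ev.remote_proxy.network:
        reasons.append(f"inner src {ev.inner_src} outside remote proxy {ev.remote_proxy.network}")
    for side, proxy in (("local", ev.local_proxy), ("remote", ev.remote_proxy)):
        if proxy.proto != "any" and proxy.proto != ev.inner_proto:
            reasons.append(f"inner proto {ev.inner_proto} != {side} proxy proto {proxy.proto}")
    return reasons


def summarize(lines) -> dict:
    """Count mismatch events per (peer, SPI) so the SA receiving misdirected traffic stands out."""
    counts = {}
    for line in lines:
        ev = parse_402116(line)
        if ev is not None:
            counts[(ev.peer, ev.spi)] = counts.get((ev.peer, ev.spi), 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_402116(line)
        if ev is not None:
            print(ev.peer, ev.spi, "->", "; ".join(mismatch_reasons(ev)))
    print(summarize(SAMPLE_LOGS))
```

Run it against the ASA's syslog export (or `show logging` output) instead of the constructed list; an SPI that accumulates events while the capture shows no ESP arriving on the new SA points at the peer's selector configuration rather than the ASA.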
04-16-2018 04:36 AM