02-28-2019 02:20 AM
Hi everyone
I have two IPSEC tunnels with an ASA in the middle
Site A - 10.20.4.0 /24 (65.176.80.84)
Site B - 192.168.142.0 /24
ASA - 10.99.206.0 /24 (95.12.22.33)
Site A - 10.20.4.0 /24 can reach the ASA and Site B successfully
ASA can reach Site A and Site B successfully
Site B can reach ASA but fails to ping Site A
I've been running a continuous ping from 192.168.142.25 and see this on the ASA:
4|Feb 28 2019 10:01:53|402116: IPSEC: Received an ESP packet (SPI= 0x41AD96C1, sequence number= 0x17BF) from 35.176.80.84 (user= 65.176.80.84) to 95.12.22.33. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp. The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.
I've looked this up and it describes the message as a NAT error but nothing specific. Could someone please explain what this error could potentially be caused by?
Thanks in advance.
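The 402116 message quoted above already states the check the ASA performed: after decapsulation, the inner packet's source must fall inside the SA's remote proxy and its destination inside its local proxy, otherwise the packet is dropped and logged. As an added illustration that is not part of the original thread or Cisco's own tooling, the Python below parses that syslog line and reproduces the check so that the mismatching side is named explicitly. The regex matches only the message format as pasted in this thread, the rule it applies is a simplified model of the ASA's behaviour as the message describes it, and the `extra_local` argument is a hypothetical "what if the local proxy also covered this network" for reasoning about a fix.

```python
import ipaddress
import re
from typing import Optional

# Matches the %ASA-4-402116 message in the format pasted in this thread
# (assumption: other ASA versions may word the message slightly differently).
LOG_RE = re.compile(
    r"402116: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<peer>[\d.]+) .*? to (?P<local>[\d.]+)\. "
    r"The decapsulated inner packet doesn't match the negotiated policy in the SA\. "
    r"The packet specifies its destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\w+)\. "
    r"The SA specifies its local proxy as (?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\w+/\d+ "
    r"and its remote_proxy as (?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\w+/\d+\."
)

# The syslog line from the original post, used here as sample input.
SAMPLE_LOG = (
    "4|Feb 28 2019 10:01:53|402116: IPSEC: Received an ESP packet (SPI= 0x41AD96C1, "
    "sequence number= 0x17BF) from 35.176.80.84 (user= 65.176.80.84) to 95.12.22.33. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, "
    "and its protocol as icmp. The SA specifies its local proxy as "
    "10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0."
)


def parse_402116(line: str) -> Optional[dict]:
    """Extract the inner packet and the SA proxy identities from a 402116 line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "spi": d["spi"],
        "peer": d["peer"],
        "local_endpoint": d["local"],
        "proto": d["proto"],
        "inner_src": ipaddress.ip_address(d["src"]),
        "inner_dst": ipaddress.ip_address(d["dst"]),
        # ipaddress accepts dotted netmasks such as 255.255.255.0
        "local_proxy": ipaddress.ip_network(f"{d['lnet']}/{d['lmask']}"),
        "remote_proxy": ipaddress.ip_network(f"{d['rnet']}/{d['rmask']}"),
    }


def check_inner_packet(inner_src, inner_dst, local_proxies, remote_proxies):
    """Inbound direction: the peer encrypted this packet, so its source must sit
    in the remote proxy and its destination in the local proxy. Returns (src_ok, dst_ok)."""
    src_ok = any(inner_src in net for net in remote_proxies)
    dst_ok = any(inner_dst in net for net in local_proxies)
    return src_ok, dst_ok


def explain(line: str, extra_local=()) -> Optional[dict]:
    """Re-run the proxy check for one log line and name the side that failed.

    extra_local: hypothetical additional local-proxy networks (strings), to test
    whether a wider crypto ACL on the ASA side would have covered the packet."""
    rec = parse_402116(line)
    if rec is None:
        return None
    local = [rec["local_proxy"], *(ipaddress.ip_network(n) for n in extra_local)]
    remote = [rec["remote_proxy"]]
    src_ok, dst_ok = check_inner_packet(rec["inner_src"], rec["inner_dst"], local, remote)
    problems = []
    if not src_ok:
        problems.append(f"source {rec['inner_src']} is outside remote proxy {rec['remote_proxy']}")
    if not dst_ok:
        problems.append(
            f"destination {rec['inner_dst']} is outside local proxy "
            f"{[str(n) for n in local]}"
        )
    return {"spi": rec["spi"], "peer": rec["peer"], "src_ok": src_ok,
            "dst_ok": dst_ok, "problems": problems}


if __name__ == "__main__":
    for label, extra in (("as logged", ()), ("hypothetical local proxy + 10.20.4.0/24", ["10.20.4.0/24"])):
        result = explain(SAMPLE_LOG, extra_local=extra)
        print(label, "->", "OK" if not result["problems"] else "; ".join(result["problems"]))
```

Run against the pasted line, the source 192.168.142.25 sits inside the remote proxy 192.168.142.0/24, so only the destination check fails: 10.20.4.1 is not covered by the SA's local proxy 10.99.206.0/24. The hypothetical run with 10.20.4.0/24 added to the local side passes, which is a way to reason about which proxy identity the SA would have to carry rather than a statement of how the tunnel should be configured.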
02-28-2019 02:37 AM
try this command
hostname(config)# policy-map type inspect IPSec-pass-thr
02-28-2019 03:50 AM
02-28-2019 04:13 AM
Apologies, I overlooked the syslog you pasted earlier.
This seems to be an issue with your NATting for this VPN:
4|Feb 28 2019 10:01:53|402116: IPSEC: Received an ESP packet (SPI= 0x41AD96C1, sequence number= 0x17BF) from 35.176.80.84 (user= 65.176.80.84) to 95.12.22.33. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp. The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.
I shall get back to you.
02-28-2019 07:48 AM
Thanks very much, I appreciate your time. I will continue running tests and look forward to your update.
03-01-2019 02:36 AM
Thanks Sheraz
I've just run a continuous ping from 192.168.142.25 to 10.20.4.1 - below are the results:
vpn# show log asdm | inc 192.168.142.25
4|Mar 01 2019 10:22:32|402116: IPSEC: Received an ESP packet (SPI= 0x5E765129, sequence number= 0x62E) from 35.176.80.84 (user= 35.176.80.84) to 195.12.22.33. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp. The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.
vpn#
vpn#
vpn# show crypto ipsec sa peer 35.176.80.84
peer address: 35.176.80.84
Crypto map tag: external-vpns, seq num: 600, local addr: 195.12.22.33
access-list Formac extended permit ip 10.99.206.0 255.255.255.0 192.168.142.0 255.255.255.0
local ident (addr/mask/prot/port): (10.99.206.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.142.0/255.255.255.0/0/0)
current_peer: 35.176.80.84
#pkts encaps: 809, #pkts encrypt: 809, #pkts digest: 809
#pkts decaps: 539160, #pkts decrypt: 887, #pkts verify: 887
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 809, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 538272
local crypto endpt.: 195.12.22.33/4500, remote crypto endpt.: 35.176.80.84/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 837C9A67
current inbound spi : 5E765129
inbound esp sas:
spi: 0x5E765129 (1584812329)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 267993088, crypto-map: external-vpns
sa timing: remaining key lifetime (kB/sec): (4373999/2699)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000120
outbound esp sas:
spi: 0x837C9A67 (2205981287)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 267993088, crypto-map: external-vpns
sa timing: remaining key lifetime (kB/sec): (4373999/2690)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Thanks in advance
03-03-2019 01:49 AM
Hi everyone
Continuing to work on this.
Would NATting on the ASA be the answer here? As there is a tunnel between Site A and the Cisco ASA and traffic is passing both ways, could I PAT the entire Site B range (192.168.142.0/24) behind a single IP on the Cisco ASA subnet (10.99.206.0 /24)?
Could this be the answer to my problems?