02-04-2009 09:17 PM
I'm seeing the following error show up in my logs and wonder if someone could shed some light on exactly what it means. Thanks!
129.1xx.x.xx %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xC359311B, sequence number= 0x1) from 10.19x.x.x (user= user1) to 129.1xx.x.xx. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.xxx.xxx.115, its source as 10.19x.x.x, and its protocol as 1. The SA specifies its local proxy as 0.0.0.0/0.0.0.0/0/0 and its remote_proxy as 192.xxx.xxx.117/255.255.255.255/0/0.
02-05-2009 06:22 AM
please read below:
Error Message %PIX|ASA-4-402116: IPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP (username) to local_IP. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot. The SA specifies its local proxy as id_daddr/id_dmask/id_dprot/id_dport and its remote proxy as id_saddr/id_smask/id_sprot/id_sport.
Explanation This message is displayed when a decapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.
protocol-IPSec protocol
spi-IPSec Security Parameters Index
seq_num-IPSec sequence number
remote_IP-IP address of the remote endpoint of the tunnel
username-Username associated with the IPSec tunnel
local_IP-IP address of the local endpoint of the tunnel
pkt_daddr-Destination address from the decapsulated packet
pkt_saddr-Source address from the decapsulated packet
pkt_prot-Transport protocol from the decapsulated packet
id_daddr-Local proxy IP address
id_dmask-Local proxy IP subnet mask
id_dprot-Local proxy transport protocol
id_dport-Local proxy port
id_saddr-Remote proxy IP address
id_smask-Remote proxy IP subnet mask
id_sprot-Remote proxy transport protocol
id_sport-Remote proxy port
Recommended Action Contact the peer administrator and compare policy settings.
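Added example, not part of this thread and not Cisco tooling: a small Python triage script that parses 402116 messages in the format documented in the post above, checks the decapsulated packet's source, destination and protocol against the SA's remote and local proxy selectors, and counts which selector fails per user. The log lines, addresses (RFC 5737 documentation ranges) and function names are constructed for the example.

```python
"""Triage %ASA-4-402116 messages: which SA selector does the inner packet violate?"""
import ipaddress
import re
from collections import Counter, defaultdict

# Field layout follows the syslog documentation quoted in the post above.
# Both "remote proxy" (docs) and "remote_proxy" (actual ASA output) are accepted.
MSG_RE = re.compile(
    r"%(?:PIX|ASA)-4-402116: IPSEC: Received an (?P<protocol>\w+) packet "
    r"\(SPI= ?(?P<spi>0x[0-9A-Fa-f]+), sequence number= ?(?P<seq>0x[0-9A-Fa-f]+)\) "
    r"from (?P<remote_ip>\S+) \(user= ?(?P<user>[^)]+)\) to (?P<local_ip>\S+)\. "
    r"The decapsulated inner packet doesn't match the negotiated policy in the SA\. "
    r"The packet specifies its destination as (?P<pkt_daddr>\S+), its source as "
    r"(?P<pkt_saddr>\S+), and its protocol as (?P<pkt_prot>\d+)\. "
    r"The SA specifies its local proxy as (?P<local_proxy>\S+) and its "
    r"remote[ _]proxy as (?P<remote_proxy>\S+)"
)


def parse_selector(text):
    """'addr/mask/prot/port' -> (network, prot, port); 0 means 'any' for prot/port."""
    addr, mask, prot, port = text.rstrip(".").split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(prot), int(port)


def parse_402116(line):
    """Return the message fields as a dict, or None if the line is not a 402116."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def selector_violations(fields):
    """Names of the SA selectors the decapsulated inner packet does not fit.

    For an inbound SA the inner source must sit inside the remote proxy and the
    inner destination inside the local proxy; a selector protocol of 0 matches any.
    """
    local_net, local_prot, _ = parse_selector(fields["local_proxy"])
    remote_net, remote_prot, _ = parse_selector(fields["remote_proxy"])
    saddr = ipaddress.ip_address(fields["pkt_saddr"])
    daddr = ipaddress.ip_address(fields["pkt_daddr"])
    prot = int(fields["pkt_prot"])
    bad = []
    if saddr not in remote_net:
        bad.append("source-outside-remote-proxy")
    if daddr not in local_net:
        bad.append("destination-outside-local-proxy")
    if remote_prot not in (0, prot) or local_prot not in (0, prot):
        bad.append("protocol-mismatch")
    return bad


def triage(lines):
    """Per-user count of violation types across a batch of syslog lines."""
    per_user = defaultdict(Counter)
    for line in lines:
        fields = parse_402116(line)
        if fields is None:
            continue  # not a 402116 message
        for reason in selector_violations(fields):
            per_user[fields["user"]][reason] += 1
    return {user: dict(c) for user, c in per_user.items()}


def make_line(user, saddr, daddr, prot, local_proxy, remote_proxy):
    """Constructed sample line in the documented format (hypothetical values)."""
    return (
        "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xC359311B, "
        f"sequence number= 0x1) from 203.0.113.10 (user= {user}) to 198.51.100.1. "
        "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
        f"The packet specifies its destination as {daddr}, its source as {saddr}, "
        f"and its protocol as {prot}. The SA specifies its local proxy as "
        f"{local_proxy} and its remote_proxy as {remote_proxy}."
    )


# Constructed sample batch. The user1 lines mirror the shape of the original
# post: ICMP whose inner source is a LAN address, not the /32 the SA was
# negotiated for; user2 shows the other failure branch.
SAMPLE_LINES = [
    make_line("user1", "10.190.5.7", "192.0.2.115", 1,
              "0.0.0.0/0.0.0.0/0/0", "192.0.2.117/255.255.255.255/0/0"),
    make_line("user1", "10.190.5.7", "192.0.2.115", 1,
              "0.0.0.0/0.0.0.0/0/0", "192.0.2.117/255.255.255.255/0/0"),
    make_line("user1", "10.190.5.7", "192.0.2.20", 6,
              "0.0.0.0/0.0.0.0/0/0", "192.0.2.117/255.255.255.255/0/0"),
    make_line("user2", "192.0.2.118", "198.51.100.9", 17,
              "192.0.2.0/255.255.255.0/0/0", "192.0.2.118/255.255.255.255/0/0"),
    "some other syslog line that is not a 402116 message",
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_LINES).items():
        print(user, reasons)
```

Run against the numbers in the original post, the destination and protocol pass trivially (local proxy 0.0.0.0/0, protocol 0 = any), so the only selector the packet can fail is the remote proxy: the inner source 10.19x.x.x is not the 192.xxx.xxx.117/32 address the SA was negotiated for. That is the field worth comparing with the peer's configuration, and grouping the counts by user is a quick way to see whether the mismatch is confined to one tunnel.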
02-05-2009 07:41 AM
Yes, I found that, but wanted to know if someone could explain why I'm only seeing this occur from one user.