AWS to ASA tunnel not working properly ERROR: The decapsulated inner packet doesn't match the negotiated policy in the SA

hashimwajid1
Level 3

Hi

Recently I migrated from an old ASA firewall to a new ASA 5525X. All tunnels are working fine except the tunnel with AWS. I am getting error messages

on PRTG  

1.

10.0.200.11(AWS) Ping 15 (Ping) Down ESCALATION (Request timed out (ICMP error # 11010))

The tunnel with AWS has been UP for 18 hours, but these messages keep coming and I am not able to access the services on AWS.

In the ASA log I got this message:

IPSEC: Received an ESP packet (SPI= 0xF3FA3CB9, sequence number= 0xA2) from 1.1.1.1 AWS LIVE IP  (user= 1.1.1.1) to FW-Outside-2.2.2.2 The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as UTIL-172.20.10.82, its source as 10.0.200.10, and its protocol as icmp. The SA specifies its local proxy as User-VLAN-192.168.1.0/255.255.255.0/ip/0 and its remote_proxy as VPC_Subnet/255.255.0.0/ip/0.

Note: I replaced the live IPs of AWS and the firewall with 1.1.1.1 and 2.2.2.2.

RMGVASA01/act/pri# sh crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
Crypto map tag: dyn-map, seq num: 4, local addr: FW-Outside-2.2.2.2

access-list acl-amzn extended permit ip 172.20.10.0 255.255.255.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (Server-VLAN-172.20.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPC_Subnet/255.255.0.0/0/0)
current_peer: 1.1.1.1


#pkts encaps: 75770, #pkts encrypt: 75770, #pkts digest: 75770
#pkts decaps: 59437, #pkts decrypt: 58542, #pkts verify: 58542
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 75770, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 895

local crypto endpt.: FW-Outside-2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F80FFE30
current inbound spi : D1CE0C2E

inbound esp sas:
spi: 0xD1CE0C2E (3519941678)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373880/2072)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFF7FF 0xFFFDFFFF 0xFDFFBFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF80FFE30 (4161797680)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373845/2072)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001

Crypto map tag: dyn-map, seq num: 4, local addr: FW-Outside-2.2.2.2

access-list acl-amzn extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (User-VLAN-192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPC_Subnet/255.255.0.0/0/0)
current_peer: 1.1.1.1


#pkts encaps: 3976, #pkts encrypt: 3976, #pkts digest: 3976
#pkts decaps: 19408, #pkts decrypt: 4045, #pkts verify: 4045
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3976, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 15363

local crypto endpt.: FW-Outside-2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D8236A04
current inbound spi : F3FA3CB9

inbound esp sas:
spi: 0xF3FA3CB9 (4093263033)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373972/211)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00100000 0x00000000 0x000001FD 0xC0000000
outbound esp sas:
spi: 0xD8236A04 (3626199556)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373967/211)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001

Crypto map tag: dyn-map, seq num: 4, local addr: FW-Outside-2.2.2.2

access-list acl-amzn extended permit ip 192.168.58.0 255.255.255.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (WiFi-192.168.58.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPC_Subnet/255.255.0.0/0/0)
current_peer: 1.1.1.1


#pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
#pkts decaps: 1612, #pkts decrypt: 113, #pkts verify: 113
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 137, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 1499

local crypto endpt.: FW-Outside-2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A1D1F683
current inbound spi : 944B27C3

inbound esp sas:
spi: 0x944B27C3 (2487953347)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4374000/2713)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
outbound esp sas:
spi: 0xA1D1F683 (2714891907)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4374000/2713)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001

1 Reply

Hi

local ident (addr/mask/prot/port): (User-VLAN-192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VPC_Subnet/255.255.0.0/0/0)
current_peer: 1.1.1.1


#pkts encaps: 3976, #pkts encrypt: 3976, #pkts digest: 3976
#pkts decaps: 19408, #pkts decrypt: 4045, #pkts verify: 4045
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3976, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 15363

local crypto endpt.: FW-Outside-2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D8236A04
current inbound spi : F3FA3CB9

inbound esp sas:
spi: 0xF3FA3CB9 (4093263033)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373972/211)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00100000 0x00000000 0x000001FD 0xC0000000
outbound esp sas:
spi: 0xD8236A04 (3626199556)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 909312, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373967/211)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001

It should be:

inbound esp sas:
spi: 0xD1CE0C2E (3519941678)

You need to check your AWS side settings.

Spooster IT Services Team
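As an added diagnostic (not part of the original thread or the ASA itself), the script below reads the ACL/inbound-SPI pairs from a condensed excerpt of the OP's `show crypto ipsec sa` output and the ASA log line, checks the decapsulated inner packet against the SA it arrived on, and reports which SA's proxy identities actually cover that source/destination. It reproduces the reply's conclusion: the packet for 172.20.10.82 came in on the 0xF3FA3CB9 (User-VLAN) SA but belongs on the 0xD1CE0C2E (Server-VLAN) SA.

```python
import ipaddress
import re

# Condensed excerpt of the OP's "show crypto ipsec sa peer 1.1.1.1" output:
# the ACL entry and current inbound SPI of each of the three SAs.
SA_OUTPUT = """\
access-list acl-amzn extended permit ip 172.20.10.0 255.255.255.0 10.0.0.0 255.255.0.0
current inbound spi : D1CE0C2E
access-list acl-amzn extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
current inbound spi : F3FA3CB9
access-list acl-amzn extended permit ip 192.168.58.0 255.255.255.0 10.0.0.0 255.255.0.0
current inbound spi : 944B27C3
"""
# The ASA log line from the OP's post, shortened to the fields the check needs.
LOG_LINE = ("IPSEC: Received an ESP packet (SPI= 0xF3FA3CB9, sequence number= 0xA2) from 1.1.1.1 "
            "The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet "
            "specifies its destination as UTIL-172.20.10.82, its source as 10.0.200.10, and its protocol as icmp.")

ACE_RE = re.compile(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)")
SPI_RE = re.compile(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_sas(text):
    # Pair each ACE (local net, remote net) with the inbound SPI printed after it.
    sas, ace = [], None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            ace = (ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
                   ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False))
        elif (m := SPI_RE.search(line)) and ace:
            sas.append({"spi": int(m[1], 16), "local": ace[0], "remote": ace[1]})
            ace = None
    return sas

def diagnose(sa_text, log_line):
    # Inner addresses appear as "name-a.b.c.d" or bare; keep only the IPv4 part.
    spi = int(re.search(r"SPI=\s*0x([0-9A-Fa-f]+)", log_line)[1], 16)
    dst = ipaddress.ip_address(IPV4_RE.search(re.search(r"destination as (\S+),", log_line)[1])[0])
    src = ipaddress.ip_address(IPV4_RE.search(re.search(r"source as (\S+),", log_line)[1])[0])
    sas = parse_sas(sa_text)
    # Inbound from the peer: inner src must sit in the remote proxy, inner dst in the local proxy.
    def covers(sa):
        return src in sa["remote"] and dst in sa["local"]
    used = next((sa for sa in sas if sa["spi"] == spi), None)
    expected = next((sa for sa in sas if covers(sa)), None)
    return {"arrived_on_spi": f"0x{spi:08X}",
            "matches_policy": bool(used and covers(used)),
            "expected_spi": f"0x{expected['spi']:08X}" if expected else None}
```

Run `diagnose(SA_OUTPUT, LOG_LINE)` to get the arrival SPI, whether the inner packet is covered by that SA, and the SPI of the SA that does cover it; a `None` for `expected_spi` means no ACL entry covers the flow at all.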