Cisco ASA - Fortigate site to site VPN

emitev
Level 1

Hi,

We are trying to establish a site-to-site VPN tunnel between a Cisco ASA 5550, Software Version 9.1(5), and a Fortigate device.

The tunnel comes up OK and shows as active:

6   IKE Peer: xxx.xxx.xxx.xxx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

But no traffic can cross the tunnel. We get the following message:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xF5BC3CE4, sequence number= 0x4) from xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) to yyy.yyy.yyy.yyy.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as zz.zz.zz.zz, its source as mm.mm.mm.mm, and its protocol as icmp.  The SA specifies its local proxy as dd.dd.dd.dd/255.255.255.240/ip/0 and its remote_proxy as mm.mm.mm.mm/255.255.255.255/ip/0.

1 Reply

Shakti Kumar
Cisco Employee

Hi,

Please ensure that we are using an IP-based access-list to define the VPN traffic on our end as well as on the remote end.

Thanks,

Shakti
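As an added example (not part of the original thread or of any Cisco tooling), the following Python check parses a %ASA-4-402116 message like the one in the question and reports which negotiated proxy identity the decapsulated packet falls outside of, which is the mismatch the reply's advice about IP-based access-lists is meant to remove. All addresses are constructed RFC 5737 values; the field layout follows the message quoted above.

```python
import re
from ipaddress import ip_address, ip_network

# Field layout of the ASA-4-402116 message as quoted in the question.
PATTERN = re.compile(
    r"%ASA-4-402116: .*?destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\w+)\.\s+The SA specifies its local proxy as "
    r"(?P<local_proxy>\S+) and its remote_proxy as (?P<remote_proxy>\S+?)\.?(?=\s|$)"
)

def parse_402116(line):
    """Return the inner-packet and proxy-identity fields, or None if the line is not a 402116."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None

def proxy_network(proxy):
    """Split 'addr/mask/proto/port' into (network, proto); proto 'ip' means any protocol."""
    addr, mask, proto, _port = proxy.split("/")
    return ip_network(f"{addr}/{mask}", strict=False), proto

def sa_mismatches(fields):
    """List why the decapsulated packet falls outside the SA's proxy identities (empty = it fits)."""
    local_net, local_proto = proxy_network(fields["local_proxy"])
    remote_net, remote_proto = proxy_network(fields["remote_proxy"])
    problems = []
    # Inbound ESP: the inner destination must sit in our local proxy, the inner source in the remote proxy.
    if ip_address(fields["dst"]) not in local_net:
        problems.append(f"destination {fields['dst']} not in local proxy {local_net}")
    if ip_address(fields["src"]) not in remote_net:
        problems.append(f"source {fields['src']} not in remote proxy {remote_net}")
    # A protocol-specific proxy (from a port/protocol ACL) admits only that protocol; 'ip' admits all.
    for side, proto in (("local", local_proto), ("remote", remote_proto)):
        if proto != "ip" and proto != fields["proto"]:
            problems.append(f"{side} proxy protocol {proto} != inner protocol {fields['proto']}")
    return problems

# Constructed sample line (RFC 5737 addresses) in the shape of the message quoted in the question.
SAMPLE = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xF5BC3CE4, sequence number= 0x4) "
    "from 203.0.113.9 (user= 203.0.113.9) to 203.0.113.1.  The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA.  The packet specifies its destination as "
    "192.0.2.50, its source as 198.51.100.7, and its protocol as icmp.  The SA specifies its "
    "local proxy as 192.0.2.16/255.255.255.240/ip/0 and its remote_proxy as "
    "198.51.100.7/255.255.255.255/ip/0."
)

if __name__ == "__main__":
    for problem in sa_mismatches(parse_402116(SAMPLE)):
        print(problem)
```

With the constructed sample the destination 192.0.2.50 lies outside the /28 local proxy, so the fix is to make the crypto ACL on both peers cover the subnets that actually exchange traffic.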