cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
29559
Views
0
Helpful
7
Replies

Drop-reason: (ipsec-spoof) IPSEC Spoof detected

anshubathla
Level 1
Level 1

What can be thepossible reasons  for (ipsec-spoof) IPSEC Spoof detected .

I have checked with packet tracer(as below) for the incoming VPN traffic on firewall and got this error

packet tracer input outside tcp 192.168.10.2 1234 10.10.10.2  80

Also I can see number decrpt packet counts are increasing but encrypt count are zero.

Please help me to resolve this.


1 Accepted Solution

Accepted Solutions

malshbou
Level 1
Level 1

The packet-tracer command you showed doesn't actually simulate VPN traffic; packet-tracer simulates packets as ingressing the ASA from the wire, which is in your case the encrypted packets (with tunnel endpoints source/destination IPs). so, this drop-reason doesn't actually reflect your problem.

i believe that you should trace the packets in the encryption path(routing, NAT, crypto ACL overlaps..) since  you can find decaps but no encaps.

Hope this helps

------------------
Mashal Alshboul

------------------ Mashal Shboul

View solution in original post

7 Replies 7

malshbou
Level 1
Level 1

The packet-tracer command you showed doesn't actually simulate VPN traffic; packet-tracer simulates packets as ingressing the ASA from the wire, which is in your case the encrypted packets (with tunnel endpoints source/destination IPs). so, this drop-reason doesn't actually reflect your problem.

i believe that you should trace the packets in the encryption path(routing, NAT, crypto ACL overlaps..) since  you can find decaps but no encaps.

Hope this helps

------------------
Mashal Alshboul

------------------ Mashal Shboul

Thanks for the explanation....let me explain you my senerio

inside host ip 10.10.10.2 (directly connected to inside network)which is static Nat to 172.168.10.2   

static (inside,outside) 172.168.10.2 10.10.10.2 netmask 255.255.255.255

Encrption ACL.

access-list vpnytraffic extended permit ip 172.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0

if from other VPN peer host  traffic is initiated by 192.168.10.2 to 172.168.10.2  then in show crypto ipsec sa I can see the decrpt count are increaing but decrypt packet count are not increasing.that means return traffic is not working .?

I can ping the 10.10.10.2 from the firewall.

Network 172.168.10.0/24 and 192.168.10.0/24 are  routed to outside by default route .

Please let me know if I am missing any configuration step in this.

please get the following:

- packet-tracer input inside icmp 10.10.10.2  8  0  192.168.10.2

- cap capin interface inside match icmp host 10.10.10.2  host 192.168.10.2 

  cap asp type asp-drop match all

then  run a continuous ping from the VPN peer (192.168.10.2 to 172.168.10.2), and get "show cap capin" and "show cap asp"

please make sure that 10.10.10.2 has correct route 192.168.10.0 with the ASA inside interface as next-hop (gateway)

Hope this helps

------------------
Mashal Alshboul

------------------ Mashal Shboul

Hi Mashal,

Thanks for the help ,issue has been resolved

what change was done to get it fixed 

Hi,
What was the change made?
Or else this discussion won't be complete.
I am also waiting for the resolution.

JamesPost
Level 1
Level 1

I had this issue, but was able to get past the ipsec-spoof message by adding decrypted detailed to the end of the packet-tracer command:

packet-tracer input [source zone] icmp [source] 8 0 [destination] decrypted detailed

Hope this helps.