05-10-2016 02:58 PM - edited 02-21-2020 08:48 PM
We have a VPN tunnel established from our on-premise ASA to AWS Cloud. We have also configured the AD Connector but we get this error when we try to ping from AWS or run the directory service port test to the public IP on our ASA. The error in the ASA log is below. The domain controller is inside of our ASA, not on AWS. I've substituted the IP addresses with descriptions. Any suggestions or help would be appreciated.
4 | May 10 2016 | 17:36:44 | 402116 | <AWS Public IP> | <ASA Public IP> | IPSEC: Received an ESP packet (SPI= 0x05652837, sequence number= 0x346) from <AWS Public IP> (user= AWS Public IP) to <ASA Public IP>. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as <domain controller IP>, its source as <AWS Internal IP>, and its protocol as udp. The SA specifies its local proxy as <Our internal subnet/subnet mask>/ip/0 and its remote_proxy as <AWS Internal Subnet/Subnet Mask>/ip/0. |
05-10-2016 05:12 PM
Hi,
Could you please check the output of sh cry
Do we see any received errors?
If yes, please check the config (Phase 2) with the AWS side and make sure the crypto ACL is a mirror match.
Regards,
Aditya
Please rate helpful posts.
05-16-2016 08:49 AM
Which IP should I enter for the "sa peer <>"?
02-23-2018 07:14 PM
The IP of the far-side firewall, in this case the AWS VPC.
12-19-2018 01:04 PM
I normally see this error when the rules to match traffic do not match on both sides of the VPN. The SAs are built on these rules.
Now your ASA is complaining that the traffic is permitted to enter the tunnel (permitted by ACL policy), but does not match the SA (which also identifies what traffic should be sent over the tunnel).
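As an added illustration (not code from any of the posters above), the Python script below does mechanically what the two answers describe: it parses the %ASA-4-402116 message from the original post and reports which inner address falls outside the SA's local or remote proxy identity, and it checks whether two crypto ACLs are mirror images of each other. The addresses, the 10.0.1.0/24 AD Connector subnet and the ACL entries are constructed examples, not values from the thread.

```python
import ipaddress
import re

# Constructed sample (not the poster's real log): the %ASA-4-402116 message from
# this thread with its placeholders replaced by documentation / RFC 1918 addresses.
# 10.0.1.15 deliberately sits outside the remote proxy 10.0.0.0/24 so the script
# reproduces the mismatch the ASA is complaining about.
SAMPLE_LOG = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05652837, "
    "sequence number= 0x346) from 203.0.113.10 (user= 203.0.113.10) to "
    "198.51.100.5. The decapsulated inner packet doesn't match the negotiated "
    "policy in the SA. The packet specifies its destination as 192.168.10.20, "
    "its source as 10.0.1.15, and its protocol as udp. The SA specifies its "
    "local proxy as 192.168.10.0/255.255.255.0/ip/0 and its remote_proxy as "
    "10.0.0.0/255.255.255.0/ip/0."
)

_PACKET_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\w+)"
)
_PROXY_RE = re.compile(
    r"local proxy as (?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\w+/\d+ and its "
    r"remote_proxy as (?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\w+/\d+"
)


def parse_402116(line):
    """Extract the inner-packet addresses and SA proxy identities from a 402116 message."""
    pkt = _PACKET_RE.search(line)
    prx = _PROXY_RE.search(line)
    if not pkt or not prx:
        raise ValueError("not a parseable %ASA-4-402116 message")
    return {
        "src": ipaddress.ip_address(pkt["src"]),
        "dst": ipaddress.ip_address(pkt["dst"]),
        "proto": pkt["proto"],
        # The ASA prints proxies as network/netmask; ipaddress accepts that form.
        "local_proxy": ipaddress.ip_network(f"{prx['lnet']}/{prx['lmask']}", strict=False),
        "remote_proxy": ipaddress.ip_network(f"{prx['rnet']}/{prx['rmask']}", strict=False),
    }


def selector_findings(parsed):
    """Explain why an inbound inner packet fails the SA's traffic selectors.

    For a packet received from the peer, the inner source must lie inside the
    remote proxy and the inner destination inside the local proxy.
    """
    findings = []
    if parsed["src"] not in parsed["remote_proxy"]:
        findings.append(
            f"source {parsed['src']} is outside remote proxy {parsed['remote_proxy']}"
        )
    if parsed["dst"] not in parsed["local_proxy"]:
        findings.append(
            f"destination {parsed['dst']} is outside local proxy {parsed['local_proxy']}"
        )
    return findings


def mirror_gaps(local_acl, remote_acl):
    """Return crypto-ACL entries that have no mirror image on the other side.

    Each ACL is a list of (source_cidr, destination_cidr) strings as written on
    its own side; entry (A, B) on one side is mirrored by (B, A) on the other.
    """
    def pairs(acl):
        return {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in acl}

    local, remote = pairs(local_acl), pairs(remote_acl)
    return {
        "unmirrored_local": sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote),
        "unmirrored_remote": sorted(f"{s} -> {d}" for s, d in remote if (d, s) not in local),
    }


if __name__ == "__main__":
    parsed = parse_402116(SAMPLE_LOG)
    for finding in selector_findings(parsed):
        print(finding)
    # Constructed ACLs (hypothetical): the on-prem ASA only protects
    # 192.168.10.0/24 <-> 10.0.0.0/24, while the AWS side also expects
    # 10.0.1.0/24 (the subnet the AD Connector was placed in) to use the tunnel.
    print(mirror_gaps(
        local_acl=[("192.168.10.0/24", "10.0.0.0/24")],
        remote_acl=[("10.0.0.0/24", "192.168.10.0/24"),
                    ("10.0.1.0/24", "192.168.10.0/24")],
    ))
```

Run it against your own 402116 line (pasted in place of the constructed sample) and against the crypto ACL from `show run crypto map` on the ASA next to the CIDRs configured on the AWS side; whichever entry the script lists as unmirrored is the one to add on the side that lacks it.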