cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1921
Views
5
Helpful
4
Replies

IPSEC error on ASA to AWS

computer
Level 1
Level 1

We have a VPN tunnel established from our on-premise ASA to AWS Cloud. We have also configured the AD Connector but we get this error when we try to ping from AWS or run the directory service port test to the public IP on our ASA. The error in the ASA log is below. The domain controller is inside of our ASA, not on AWS. I've substituted the IP addresses with descriptions. Any suggestions or help would be appreciated.

4 May 10 2016 17:36:44 402116 <AWS Public IP> <ASA Public IP> IPSEC: Received an ESP packet (SPI= 0x05652837, sequence number= 0x346) from <AWS Public IP> (user= AWS Public IP) to <ASA Public IP>. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as <domain controller IP>, its source as <AWS Internal IP>, and its protocol as udp. The SA specifies its local proxy as <Our internal subnet/subnet mask>/ip/0 and its remote_proxy as <AWS Internal Subnet/Subnet Mask>/ip/0.
4 Replies 4

Aditya Ganjoo
Cisco Employee
Cisco Employee

Hi,

Could you please check the output of sh cry ipsec sa peer <>  ?

Do we see any received errors ?

If yes please check the config ( Phase 2 ) with the AWS side and make sue the crypto ACL is a mirror match.

Regards,

Aditya

Please rate helpful posts.

Which IP should I enter for the "sa peer <>"?

The IP of the far side firewall.  In this case the AWS VPC

mikalsan
Level 1
Level 1

I normally see this error when the rules to match traffic do not match on both sides of the VPN.  The SAs are build on these rules.

 

Now your ASA is complaining the traffic is permitted to enter the tunnel (permitted by ACL policy), but does not match the SA  (which also identifies what traffic should be sent over the tunnel).