05-23-2012 03:39 PM - edited 02-21-2020 06:05 PM
Hi,
We have an IPSec L2L tunnel between a Cisco ASA (8.2.x) and a Juniper. When we have a crypto ACL with permit IP (without port) it works fine. However, we only need to allow TCP port 1521 (SQL Net).
When we modified the crypto ACL to port level, traffic from the ASA side can send with TCP port 1521, but from the Juniper side they can access with the same port, and on the ASA side we see only decrypt and decaps packets.
#pkts encaps: 00, #pkts encrypt: 00, #pkts digest: 00
#pkts decaps: 56, #pkts decrypt: 56, #pkts verify: 56
and moreover we see some recv errors when we check with sh cry ips peer x.x.x.x.
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 15
When we add ICMP to the same crypto ACL, both sides can ping each other and we can see both encrypt and decrypt traffic; it also works perfectly when we change the crypto ACL to IP level.
Can someone please advise what causes the recv errors and why I only see decrypt packets? The ACL on both sides is mirrored.
The logs below were also seen on ASDM.
4|May 23 2012|12:05:10|402116|192.168.50.2||10.29.0.2||IPSEC: Received an ESP packet (SPI= 0xBF5C16BD, sequence number= 0x1) from 192.168.50.2 (user= 192.168.50.2) to 10.29.0.2. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 172.30.1.38, its source as 10.1.5.27, and its protocol as tcp. The SA specifies its local proxy as 172.30.1.38/255.255.255.255/tcp/61701 and its remote_proxy as 10.1.5.27/255.255.255.255/tcp/61701.
4|May 23 2012|12:03:34|402116|192.168.50.2||10.29.0.2||IPSEC: Received an ESP packet (SPI= 0x1C2967CE, sequence number= 0x3B) from 192.168.50.2 (user= 192.168.50.2) to 10.29.0.2. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 172.30.1.38, its source as 10.1.5.27, and its protocol as tcp. The SA specifies its local proxy as 172.30.1.38/255.255.255.255/tcp/0 and its remote_proxy as 10.1.5.27/255.255.255.255/tcp/61701.
4|May 23 2012|12:02:43|402116|192.168.50.2||10.29.0.2||IPSEC: Received an ESP packet (SPI= 0x1C2967CE, sequence number= 0x37) from 192.168.50.2 (user= 192.168.50.2) to 10.29.0.2. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 172.30.1.38, its source as 10.1.5.27, and its protocol as tcp. The SA specifies its local proxy as 172.30.1.38/255.255.255.255/tcp/0 and its remote_proxy as 10.1.5.27/255.255.255.255/tcp/61701.
4|May 23 2012|12:02:15|402116|192.168.50.2||10.29.0.2||IPSEC: Received an ESP packet (SPI= 0x1C2967CE, sequence number= 0x34) from 192.168.50.2 (user= 192.168.50.2) to 10.29.0.2. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 172.30.1.38, its source as 10.1.5.27, and its protocol as tcp. The SA specifies its local proxy as 172.30.1.38/255.255.255.255/tcp/0 and its remote_proxy as 10.1.5.27/255.255.255.255/tcp/61701.
4|May 23 2012|12:01:43|402116|192.168.50.2||10.29.0.2||IPSEC: Received an ESP packet (SPI= 0x1C2967CE, sequence number= 0x32) from 192.168.50.2 (user= 192.168.50.2) to 10.29.0.2. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 172.30.1.38, its source as 10.1.5.27, and its protocol as tcp. The SA specifies its local proxy as 172.30.1.38/255.255.255.255/tcp/0 and its remote_proxy as 10.1.5.27/255.255.255.255/tcp/61701.
4|May 23 2012|11:58:43|402116|192.168.50.2||10.29.0.2||IPSEC: Received an ESP packet (SPI= 0x1C2967CE, sequence number= 0x15) from 192.168.50.2 (user= 192.168.50.2) to 10.29.0.2. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 172.30.1.38, its source as 10.1.5.27, and its protocol as tcp. The SA specifies its local proxy as 172.30.1.38/255.255.255.255/tcp/0 and its remote_proxy as 10.1.5.27/255.255.255.255/tcp/61701.
4|May 23 2012|11:58:35|402116|192.168.50.2||10.29.0.2||IPSEC: Received an ESP packet (SPI= 0x1C2967CE, sequence number= 0x13) from 192.168.50.2 (user= 192.168.50.2) to 10.29.0.2. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 172.30.1.38, its source as 10.1.5.27, and its protocol as tcp. The SA specifies its local proxy as 172.30.1.38/255.255.255.255/tcp/0 and its remote_proxy as 10.1.5.27/255.255.255.255/tcp/61701.
5|M
In addition
thanks
05-23-2012 08:09 PM
The error message means that the crypto ACL is not a mirror image, or does not match, hence it's not working.
The best recommended way is to configure "IP" on the crypto ACL, and use an access-list applied on the interface, or use vpn-filter to filter port-specific access.
Here is the sample configuration for vpn-filter:
Hope that helps.
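As an added illustration of the approach in the answer above (this is not the answerer's sample configuration and not the original poster's config), here is an ASA 8.2-style configuration that keeps the crypto ACL at the IP level and restricts the tunnel to TCP 1521 with a vpn-filter. The ASA outside address 10.29.0.2, the Juniper peer 192.168.50.2 and the hosts 172.30.1.38 (local) and 10.1.5.27 (remote) come from the log lines in the question; the /24 networks, the ACL, group-policy, crypto-map and transform-set names, and the interface name are assumptions for the example.

```cisco
! Crypto ACL: protocol-agnostic so the proxy identities negotiate as ip/0.
! The Juniper side must carry the exact mirror (10.1.5.0/24 -> 172.30.1.0/24).
! Networks are assumed for this example.
access-list L2L_CRYPTO extended permit ip 172.30.1.0 255.255.255.0 10.1.5.0 255.255.255.0

! vpn-filter ACL. A vpn-filter is written with the REMOTE side as the
! source and the LOCAL side as the destination, and is evaluated for
! traffic in both directions, so one entry is needed per initiating side.
!
! Entry 1: remote hosts (e.g. 10.1.5.27) connecting to a local
! Oracle listener (e.g. 172.30.1.38) on TCP 1521.
access-list L2L_FILTER extended permit tcp 10.1.5.0 255.255.255.0 172.30.1.0 255.255.255.0 eq 1521
! Entry 2: local hosts connecting to a remote listener on TCP 1521; the
! remote side is still the source, so the port goes on the source.
access-list L2L_FILTER extended permit tcp 10.1.5.0 255.255.255.0 eq 1521 172.30.1.0 255.255.255.0
! Anything else inside the tunnel hits the implicit deny and is dropped.

! Bind the filter to the group-policy used by the L2L tunnel-group.
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-filter value L2L_FILTER

tunnel-group 192.168.50.2 type ipsec-l2l
tunnel-group 192.168.50.2 general-attributes
 default-group-policy L2L_GP
tunnel-group 192.168.50.2 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! Transform-set name and crypto-map name/sequence are assumed.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 192.168.50.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

After the tunnel comes up, `show access-list L2L_FILTER` should show hit counts increasing only on the two permit entries, and `show crypto ipsec sa peer 192.168.50.2` should show the SA's local and remote proxies as the /24 networks with protocol and port 0 in both directions, with encaps and decaps counters both climbing. If the remote side initiates and only decaps increases, re-check that the Juniper proxy IDs are the exact mirror of L2L_CRYPTO; if a permitted 1521 session is dropped with the tunnel up, the missing piece is usually the second vpn-filter entry for the other initiating direction.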