"Inbound IPSec policy check failed for packet" error setting up LAN to LAN

ittiadmin
Level 1

I am setting up LAN to LAN between a Cisco concentrator and a Netscreen. I am getting the following error, "Inbound IPSec policy check failed for packet", when I try to ping the host across the VPN tunnel (cannot ping the host). However, I am able to establish the tunnel after successfully completing phase 1 and phase 2.

I am using MD5 & 3DES for IKE and IPsec with no PFS. Everything seems to be fine, but I am not sure why I am getting this error.

Any help or suggestions are appreciated.

8 Replies

ehirsel
Level 6

I want to make sure I understand your problem correctly. If the tunnel is not active and you try the ping, you get the error messages, but the tunnel does get established (completing phase 1 and phase 2) and so if you try the same ping a short while later, it is successful. Is that correct? If so, then you may get those messages because each icmp packet is not retransmitted, so the vpn concentrator logs that it is dropping the packet. Tear down the vpn tunnel and try a test with telnet, ftp, or some other tcp-based protocol (as tcp packets that are not ack'ed will be retransmitted) and let me know if you still get those messages. Post here what you find.

If I am not correct, let me know and we'll proceed from there.

Hi, the tunnel is established successfully between the Cisco concentrator and the Netscreen device when I try to ping a host on the remote side (the ping is not successful).

After the tunnel is established (phase 1 and phase 2), we cannot ping or connect to a host on the other side of the VPN through telnet, ftp or an application.

Each time I try to establish connectivity, I observe the "Inbound IPSec policy check failed for packet" error in the concentrator log files (see the log below).

950 02/03/2005 09:59:13.660 SEV=8 IPSECDBG/16 RPT=21678 xxx.xxx.xxx.xxx

User [xxx.xxx.xxx.xxx]

Inbound IPSec policy check failed for packet

944 02/03/2005 09:59:12.930 SEV=9 IKEDBG/0 RPT=60021 xxx.xxx.xxx.xxx

Group [xxx.xxx.xxx.xxx]

processing hash

941 02/03/2005 09:59:12.910 SEV=4 IKE/120 RPT=7588 xxx.xxx.xxx.xxx

Group [xxx.xxx.xxx.xxx]

PHASE 2 COMPLETED
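The log excerpt above is the useful evidence in this thread: for the same peer, "PHASE 2 COMPLETED" is followed less than a second later by "Inbound IPSec policy check failed for packet", which on a VPN concentrator means the decrypted inner packet did not match the traffic selectors negotiated for that SA. The following added example (not code from the original post or from Cisco) parses concentrator log text in the format shown above and reports, per peer, policy-check failures that occur after that peer's phase 2 completed, which is the pattern worth pulling out of a large log during triage. The sample log is constructed to mirror the posted excerpt, with RFC 5737 documentation addresses in place of the masked xxx.xxx.xxx.xxx.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log excerpt posted above; 198.51.100.7 is a
# documentation address standing in for the masked peer IP.
SAMPLE_LOG = """\
941 02/03/2005 09:59:12.910 SEV=4 IKE/120 RPT=7588 198.51.100.7
Group [198.51.100.7]
PHASE 2 COMPLETED

944 02/03/2005 09:59:12.930 SEV=9 IKEDBG/0 RPT=60021 198.51.100.7
Group [198.51.100.7]
processing hash

950 02/03/2005 09:59:13.660 SEV=8 IPSECDBG/16 RPT=21678 198.51.100.7
User [198.51.100.7]
Inbound IPSec policy check failed for packet
"""

# Header line: sequence, date, time, severity, subsystem/code, report number, peer.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})"
    r"\s+SEV=(?P<sev>\d+)\s+(?P<subsys>[A-Z]+)/(?P<code>\d+)\s+RPT=(?P<rpt>\d+)\s+(?P<peer>\S+)$"
)


def parse_events(text):
    """Group the multi-line concentrator log into one dict per event.

    Each event starts with a header line; the following non-blank lines
    (Group/User tag, then the message) are collected into event["body"].
    """
    events = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["seq"] = int(current["seq"])
            current["sev"] = int(current["sev"])
            current["body"] = []
            events.append(current)
        elif current is not None:
            current["body"].append(line)
    return events


def message(event):
    """The last body line is the human-readable message of the event."""
    return event["body"][-1] if event["body"] else ""


def find_policy_failures_after_phase2(events):
    """Per peer, sequence numbers of inbound policy-check failures logged
    after that peer's most recent PHASE 2 COMPLETED (i.e. tunnel up, traffic
    still rejected by the negotiated selectors)."""
    phase2_seen = {}
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["seq"]):
        msg = message(ev)
        if ev["subsys"] == "IKE" and msg == "PHASE 2 COMPLETED":
            phase2_seen[ev["peer"]] = ev["seq"]
        elif ev["subsys"] == "IPSECDBG" and msg.startswith(
            "Inbound IPSec policy check failed"
        ):
            if ev["peer"] in phase2_seen:
                findings[ev["peer"]].append(ev["seq"])
    return dict(findings)


def summarize(text):
    """One line per affected peer, suitable for pasting into a ticket."""
    events = parse_events(text)
    lines = []
    for peer, seqs in sorted(find_policy_failures_after_phase2(events).items()):
        lines.append(
            f"{peer}: {len(seqs)} inbound policy-check failure(s) after phase 2 "
            f"(log seq {', '.join(map(str, seqs))})"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Feeding the concentrator's full event log to `summarize()` separates peers whose tunnels negotiate and then drop traffic (the symptom in this thread) from peers whose phase 2 never completes, which is the distinction the replies below turn on.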

Please post the relevant ipsec config on the concentrator here, and I will examine it.

Just following up to see if you still have this issue. If so, please post the relevant part of the configs here and I'll examine them to see if I can help any further.

Sorry, I didn't get to read your previous post. Still no luck with connectivity. We tried connecting to the Netscreen using PFS group 2 and also without PFS group 2, and we changed from 3DES-MD5 to 3DES-SHA. Still the problem exists.

Basically we are against the wall at this point in time. Let me know what more info you need in detail and I will send the details to you.

Thanks for the follow-up.

Please post the relevant parts of the Netscreen and concentrator device configs and I will try to examine them.

Are there any nat/pat devices in between the two gateways?

Hi, yes, I have a router doing NAT translation. What troubles me is that I have a couple of LAN to LAN tunnels and also client connections which are working fine.

During troubleshooting, I am able to successfully connect to another Netscreen device with the same settings but not to my customer's Netscreen device. My customer also has a couple of working LAN to LAN tunnels to their customers on their Netscreen device.

How is the NAT translation done by the router? Does it perform NAT for certain connections but not others? It may be that NAT is being done when it should not, or vice versa.