cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
46737
Views
0
Helpful
5
Replies
Highlighted
Beginner

Received encrypted packet with no matching SA, dropping

Hi,

My VPN tunnel is getting down for every 2 hrs approximately, and will reset automatically after 40-50 min. But if i reset the tunnel in between it will come up. I have cisco asa 5520 and check point utm -1 edge at the other end. what could be the issue? when the tunnel is down, i am getting "Reeceived encrypted packet with no matching SA, dropping" this message in asa fw logs.

Thanks,

Sridhar

Everyone's tags (1)
5 REPLIES 5
Highlighted
Cisco Employee

Received encrypted packet with no matching SA, dropping

HI ,

it is normal to see this during rekey and it should not cause a problem .

however in your case it is causing the tunnel to be down for 45 minutes , kindly check the following :

Phase 2 life time at both ends , it should be matching .

and also check those at the time of the failure :

debug crypto isakmp 128

debug crypto ipsec 128

Hope that this helps .

Mohammad.

Highlighted
Beginner

Re: Received encrypted packet with no matching SA, dropping

thanks, but unfortunately i am not getting anything when i ran the above commands during the tunnel down. i am attaching the FW logs captured during the issue.

x.x.x.x is the IP address of the remote VPN peer.

Thanks,

Sridhar

Highlighted
Cisco Employee

Received encrypted packet with no matching SA, dropping

HI ,

please check the following :

what are phase 1 and phase 2 lifetimes used on the other side of the tunnel ?

cheers.

Mohammad

Highlighted
Beginner

Re: Received encrypted packet with no matching SA, dropping

phase 1- 86400 sec

phase 2 - 8 hrs (28800 sec)

what else can i check to finout the same.

Highlighted
Beginner

Received encrypted packet with no matching SA, dropping

Hi Sridhar,

What i was thinking is that there were multiple Security Associations (S.A) tied 2 the same traffic defined by the crypto map. That means that the router on the other end is also receiving the same message.

Regards,
Gurpreet S Puri

****************************
Keep Smiling, Peace
****************************

(Please Rate Helpful Post)

Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)