Received encrypted packet with no matching SA, dropping

sridhar ch
Level 1

Hi,

My VPN tunnel is going down approximately every 2 hrs, and it resets automatically after 40-50 min. But if I reset the tunnel in between, it will come up. I have a Cisco ASA 5520 and a Check Point UTM-1 Edge at the other end. What could be the issue? When the tunnel is down, I am getting the message "Received encrypted packet with no matching SA, dropping" in the ASA FW logs.

Thanks,

Sridhar

5 Replies

Mohammad Alhyari
Cisco Employee

Hi,

It is normal to see this during rekey, and it should not cause a problem.

However, in your case it is causing the tunnel to be down for 45 minutes, so kindly check the following:

Phase 2 lifetime at both ends; it should be matching.

And also check these at the time of the failure:

debug crypto isakmp 128

debug crypto ipsec 128

Hope that this helps.

Mohammad.
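To tell the normal rekey blip described above from a real outage, the ASA log can be scanned for the quoted message, grouped into bursts per peer, and the spacing between bursts compared with the configured lifetimes (the thread reports 86400 s and 28800 s). The following is an added example written for this page, not code from the thread or from Cisco; the syslog line layout, the sample lines, the 203.0.113.10 peer address and the gap and outage thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta
from statistics import median

MSG = "Received encrypted packet with no matching SA, dropping"
# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host>: from <peer>: <message>"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+: from (\S+): (.*)$")
# Constructed sample, not the thread's attachment: one-second blips at 08:00 and
# 12:00 (normal rekey overlap) and a drop spell lasting ~42 minutes from 10:00.
SAMPLE_LOGS = """\
Jan 10 08:00:01 asa: from 203.0.113.10: Received encrypted packet with no matching SA, dropping
Jan 10 08:00:02 asa: from 203.0.113.10: Received encrypted packet with no matching SA, dropping
Jan 10 10:00:00 asa: from 203.0.113.10: Received encrypted packet with no matching SA, dropping
Jan 10 10:14:00 asa: from 203.0.113.10: Received encrypted packet with no matching SA, dropping
Jan 10 10:28:00 asa: from 203.0.113.10: Received encrypted packet with no matching SA, dropping
Jan 10 10:42:00 asa: from 203.0.113.10: Received encrypted packet with no matching SA, dropping
Jan 10 12:00:00 asa: from 203.0.113.10: Received encrypted packet with no matching SA, dropping
"""

def parse_no_sa_events(text, year=2024):
    """(timestamp, peer) for every 'no matching SA' line; syslog carries no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).strip() == MSG:
            events.append((datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)))
    return events

def find_bursts(events, max_gap=timedelta(minutes=15), min_outage=timedelta(minutes=5)):
    """Group per-peer events at most max_gap apart; a burst >= min_outage is an outage."""
    bursts, last = [], {}
    for ts, peer in sorted(events):
        b = last.get(peer)
        if b and ts - b["end"] <= max_gap:
            b["end"], b["count"] = ts, b["count"] + 1
        else:
            b = {"peer": peer, "start": ts, "end": ts, "count": 1}
            bursts.append(b)
            last[peer] = b
    for b in bursts:  # a blip of a few seconds is the expected rekey overlap
        b["outage"] = (b["end"] - b["start"]) >= min_outage
    return bursts

def period_vs_lifetimes(bursts, lifetimes, tolerance=0.1):
    """Median seconds between burst starts and which configured lifetime (if any) it matches."""
    starts = sorted(b["start"] for b in bursts)
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    period = median(gaps) if gaps else None
    match = next((n for n, s in lifetimes.items()
                  if period is not None and abs(period - s) <= tolerance * s), None)
    return period, match
```

On the sample the bursts recur about every 7200 s, which matches neither configured lifetime, so the drops are not simply the local rekey schedule and the peer's settings are the next thing to check.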

Thanks, but unfortunately I am not getting anything when I run the above commands while the tunnel is down. I am attaching the FW logs captured during the issue.

x.x.x.x is the IP address of the remote VPN peer.

Thanks,

Sridhar

Hi,

Please check the following:

What are the phase 1 and phase 2 lifetimes used on the other side of the tunnel?

Cheers.

Mohammad

Phase 1 - 86400 sec

Phase 2 - 8 hrs (28800 sec)

What else can I check to find out the cause?

Gurpreet Puri
Level 1

Hi Sridhar,

What I was thinking is that there were multiple Security Associations (SAs) tied to the same traffic defined by the crypto map. That means that the router on the other end is also receiving the same message.

Regards,
Gurpreet S Puri

****************************
Keep Smiling, Peace
****************************

(Please Rate Helpful Post)