10-27-2010 12:45 AM
Hi,
I have VPN between Cisco ASA and Cisco PIX.
I have seen in my syslog server this error which appears once a day more or less:
Received encrypted packet with no matching SA, dropping
I've seen this issue in another post, but in none of them was the solution.
These are my configuration files of the firewalls:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map2 2 match address WAN_cryptomap_1
crypto map WAN_map2 2 set pfs
crypto map WAN_map2 2 set peer 62.80.XX.XX
crypto map WAN_map2 2 set transform-set ESP-DES-MD5
crypto map WAN_map2 2 set security-association lifetime seconds 2700
crypto map WAN_map2 2 set nat-t-disable
crypto map WAN_map2 interface WAN
crypto isakmp enable LAN
crypto isakmp enable WAN
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 5
lifetime 28800
no crypto isakmp nat-traversal
tunnel-group 62.80.XX.XX type ipsec-l2l
tunnel-group 62.80.XX.XX ipsec-attributes
pre-shared-key *
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PIX Version 8.0(4)
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 match address VPN_cryptomap_2
crypto map VPN_map2 3 set pfs
crypto map VPN_map2 3 set peer 194.30.XX.XX
crypto map VPN_map2 3 set transform-set ESP-DES-MD5
crypto map VPN_map2 3 set security-association lifetime seconds 2700
crypto map VPN_map2 3 set security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 set nat-t-disable
crypto map VPN_map2 interface VPN
crypto isakmp enable VPN
crypto isakmp enable inside
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 5
lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp am-disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
tunnel-group 194.30.XX.XX type ipsec-l2l
tunnel-group 194.30.XX.XX ipsec-attributes
pre-shared-key *
If you need more detailed information, ask me.
Thanks in advance for your help.
Javi
11-15-2010 03:01 AM
Hi Prapanch,
The error between Cisco Pix and Cisco ASA has disappeared!!!
I've seen that the SA dropping error persists between the Cisco PIX and a Stonegate firewall. If I attach the debug logs from the Cisco PIX, could you help me find the problem?
Thank you very much for all!!
Javi
11-15-2010 06:43 AM
Hi Javi,
Absolutely.
Regards,
Prapanch
11-16-2010 05:47 AM
11-17-2010 08:24 AM
Hi Javi,
I went through the logs and it looks like a Phase 2 rekey is happening when you receive those messages. Try increasing the Phase 2 lifetime to something higher (currently it is something around 2300 seconds).
Regards,
Prapanch
11-17-2010 11:57 PM
Hi Prapanch,
Phase 2 is configured with 45 minutes and 4608000 KB.
If you look at the logs I've attached, the error (Received encrypted packet with no matching SA, dropping) doesn't appear every 45 minutes.
Do you think that if I change the Phase 2 lifetime and configure higher values, the issue will be resolved?
What values are recommended?
Thanks!!
Javi
11-18-2010 07:55 AM
Hi Javi,
Let's try increasing it and see if it helps. Maybe to 3 hours or so?
Cheers,
Prapanch
11-18-2010 08:02 AM
Hi Prapanch,
I've already increased to 3 hours.
Tomorrow I'll post the results.
Thanks again!!
Javi
11-22-2010 12:20 AM
11-22-2010 08:55 AM
Hi Javi,
How often do you see it now? Any change after changing the lifetime values? These are normal messages that come up during a rekey. They should not cause any communication issues.
Regards,
Prapanch
11-22-2010 11:16 PM
11-23-2010 05:07 AM
Looking at the logs, it seems to be coinciding with a rekey which we can confirm only using debugs. If it is not causing any connectivity issues, there is nothing to worry about.
Cheers,
Prapanch
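Prapanch's rule of thumb above (a drop that lines up with a rekey is noise, a drop that does not is worth a debug session) can be checked against plain syslog before reaching for debugs. The script below is an added example for this thread, not code from the original posts or from Cisco. It assumes syslog lines carry a timestamp (on the ASA, `logging timestamp`), parses the SA created/deleted messages and the "no matching SA" drop, labels each drop by whether an SA event happened within a 30-second window (the window size is an assumption), and compares the observed rekey period with the 2700-second Phase 2 lifetime from the posted crypto maps. The log excerpt inside the script is constructed: addresses, SPIs and times are made up.

```python
"""Correlate "no matching SA" drops with IPsec Phase 2 rekeys in ASA/PIX syslog.

Added example for this thread, not code from the original posts or from Cisco.
SAMPLE_LOG is constructed: it follows the shape of the messages quoted in the
thread, but timestamps, SPIs and addresses are invented.
"""
import re
from datetime import datetime

# Phase 2 lifetime from the crypto maps in the thread (seconds).
P2_LIFETIME_SECONDS = 2700
# A drop this close (seconds) to an SA create/delete is treated as rekey noise
# (assumed window; tune it to the peer's rekey behaviour).
REKEY_WINDOW_SECONDS = 30

TS_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
SA_RE = re.compile(
    r"IPSEC: An (inbound|outbound) LAN-to-LAN SA \(SPI= (0x[0-9A-Fa-f]+)\)"
    r".*has been (created|deleted)"
)
DROP_RE = re.compile(r"Received encrypted packet with no matching SA, dropping")

# Constructed sample: tunnel up at 08:00, timed rekey about 42 minutes later,
# one drop two seconds after the rekey, one drop mid-lifetime (unexplained).
SAMPLE_LOG = """\
Nov 22 2010 08:00:00 ASA : IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Nov 22 2010 08:00:00 ASA : IPSEC: An inbound LAN-to-LAN SA (SPI= 0x5E6F7081) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Nov 22 2010 08:42:15 ASA : IPSEC: An outbound LAN-to-LAN SA (SPI= 0x2B3C4D5E) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Nov 22 2010 08:42:15 ASA : IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6F708192) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Nov 22 2010 08:42:17 ASA : IP = 198.51.100.1, Received encrypted packet with no matching SA, dropping
Nov 22 2010 08:42:20 ASA : IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Nov 22 2010 09:10:00 ASA : IP = 198.51.100.1, Received encrypted packet with no matching SA, dropping
"""


def parse_events(text):
    """Return time-ordered (datetime, kind, direction) tuples.

    kind is 'created', 'deleted' or 'drop'; direction is 'inbound'/'outbound'
    for SA events and None for drops. Lines that match nothing are skipped.
    """
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        sa = SA_RE.search(line)
        if sa:
            events.append((ts, sa.group(3), sa.group(1)))
        elif DROP_RE.search(line):
            events.append((ts, "drop", None))
    return sorted(events, key=lambda e: e[0])


def classify_drops(events, window=REKEY_WINDOW_SECONDS):
    """Label each drop 'rekey' if an SA was created or deleted within `window`
    seconds of it, otherwise 'unexplained' (those are the ones to debug)."""
    sa_times = [ts for ts, kind, _ in events if kind in ("created", "deleted")]
    labels = []
    for ts, kind, _ in events:
        if kind != "drop":
            continue
        near = any(abs((ts - t).total_seconds()) <= window for t in sa_times)
        labels.append((ts.strftime("%H:%M:%S"), "rekey" if near else "unexplained"))
    return labels


def outbound_rekey_intervals(events):
    """Seconds between consecutive outbound SA creations: the observed rekey
    period, to be compared with the configured Phase 2 lifetime."""
    creates = [ts for ts, kind, d in events if kind == "created" and d == "outbound"]
    return [(b - a).total_seconds() for a, b in zip(creates, creates[1:])]


def summarize(text, lifetime=P2_LIFETIME_SECONDS):
    """One-shot report: how many drops sit on a rekey, how many do not, and
    whether every rekey fired before the lifetime ran out."""
    events = parse_events(text)
    labels = classify_drops(events)
    intervals = outbound_rekey_intervals(events)
    return {
        "drops_at_rekey": sum(1 for _, l in labels if l == "rekey"),
        "drops_unexplained": sum(1 for _, l in labels if l == "unexplained"),
        "rekey_intervals": intervals,
        # A timed rekey fires before the lifetime expires; an interval longer
        # than the lifetime means the SA was not renewed on schedule.
        "rekeys_within_lifetime": all(i <= lifetime for i in intervals),
    }


if __name__ == "__main__":
    for when, label in classify_drops(parse_events(SAMPLE_LOG)):
        print(when, label)
    print(summarize(SAMPLE_LOG))
```

Run it against an exported syslog file instead of SAMPLE_LOG to get the list of drops that fall outside any rekey window; those are the timestamps to hand to `debug crypto ipsec` rather than the ones that happen every lifetime.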
11-23-2010 05:16 AM
Hi,
6 months ago I posted this issue:
https://supportforums.cisco.com/thread/2018053?tstart=0
I don't know if this issue will appear again with the new configuration (vpn idle timeout none); maybe it resolves this issue too.
Regards,
Javi
11-23-2010 05:27 AM
Is the other one still occurring?
11-23-2010 05:51 AM
I've replaced the ASA firewall with a Fortinet firewall because it was installed in China, and when this issue happened I was sleeping; they couldn't connect to HQ and nobody could help them.
Now I've installed this ASA in my network testing lab, doing a VPN with Stonegate. I am monitoring this VPN. In this firewall I changed the vpn idle timeout parameter too. Maybe with this change the issue has been solved indirectly.
So I think it's better to close this post, and if the issue persists and you want, I can send you a message.
Thanks for your priceless help!!!
11-23-2010 06:03 AM
Hi Javi,
Sure. Rather than a message, just open up a thread so that others can take a look at it in case they face similar issues.
Cheers,
Prapanch