11-21-2002 09:04 AM - edited 02-21-2020 12:11 PM
Hi,
I've just had a hand in setting up two remote sites to connect to our main site through VPN. Everything appears to be working fine; however, I am getting an error showing on my syslog server along the lines of:
Identity doesn't match negotiated identity ip dest (ip) source (remote ip) prot:icmp ident local remote ranges
Any ideas?
Thanks for your time.
Andy
11-21-2002 09:23 AM
It means that traffic is being sent via ICMP that doesn't match the access list specified as interesting traffic, so it's being dropped. Possibly the access lists used for interesting traffic do not mirror each other identically. It could be the subnets you are using, or perhaps the protocol. For example, you have on one side pixA:
access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
and pixB:
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
So sending traffic from A to B is no problem, because the class C subnet falls within the class A of pixB. But when sending traffic from pixB to pixA, pixA is more restrictive, so it doesn't match.
Kurtis Durrett
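Added example, not part of the thread: a small Python check that parses the two PIX access-lists quoted in the answer above, reports entries whose mirror image is missing on the peer, and shows which direction's proposed identities are covered by the other side. It assumes the `access-list <id> permit <proto> <src> <mask> <dst> <mask>` form shown in the answer, with the `ip` keyword on both lines; the sample lines are constructed from the answer.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_pix_acl(text):
    """Parse 'access-list <id> permit <proto> <src> <mask> <dst> <mask>' lines; skip the rest."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] != "access-list" or parts[2] != "permit":
            continue
        src = ipaddress.IPv4Network((parts[4], parts[5]))
        dst = ipaddress.IPv4Network((parts[6], parts[7]))
        entries.append(AclEntry(parts[3], src, dst))
    return entries

def mirror(entry):
    """The entry as the remote peer should write it: source and destination swapped."""
    return AclEntry(entry.proto, entry.dst, entry.src)

def unmirrored(local_acl, peer_acl):
    """Entries of local_acl with no exact mirror image in peer_acl."""
    peer_mirrors = {mirror(e) for e in peer_acl}
    return [e for e in local_acl if e not in peer_mirrors]

def covered_by_peer(entry, peer_acl):
    """True if the identities 'entry' proposes fall inside some (mirrored) peer entry.
    The thread's asymmetry: a /24 proposed to a peer holding the enclosing /8 is
    covered, but the /8 proposed back to the /24 side is not."""
    return any(
        entry.proto == m.proto and entry.src.subnet_of(m.src) and entry.dst.subnet_of(m.dst)
        for m in map(mirror, peer_acl)
    )

# Constructed sample configs: the two ACLs quoted in the answer above.
PIX_A = "access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0"
PIX_B = "access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0"

if __name__ == "__main__":
    acl_a, acl_b = parse_pix_acl(PIX_A), parse_pix_acl(PIX_B)
    for e in unmirrored(acl_a, acl_b):
        print("pixA entry with no mirror on pixB:", e)
    print("A->B proposal covered by pixB:", covered_by_peer(acl_a[0], acl_b))  # True
    print("B->A proposal covered by pixA:", covered_by_peer(acl_b[0], acl_a))  # False
```

Running it against a real pair of configs: paste each side's crypto ACL into `PIX_A`/`PIX_B`; an empty `unmirrored` result in both directions is what you want.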
11-29-2002 03:46 AM
Cheers for your help. The other firewall is a NetScreen box, so I assume it will be different to our setup anyway, which, as you say, would be the answer.
Andy