06-16-2005 03:20 AM
Hi,
I am using a PIX and a NetScreen box to set up a VPN connection.
When I perform a "show ipsec sa", I can see that the VPN was established, but there was no traffic flow. I noticed that the receive error counter was increasing constantly.
When I looked at the log, it was displaying log-id: 402103:
Explanation: An unencapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer. This may be a hostile event.
Recommended Action: Contact the peer's administrator to compare policy settings.
When I compared both sides' settings, everything looked OK (but I could have missed something).
Can anyone advise me on this?
Thanks
06-16-2005 03:29 AM
Kian,
Have a read of the following document and see if it helps. If you need further help, then reply back.
If this helps, then please remember to rate the post.
Thanks,
Jay
06-16-2005 08:23 AM
Hi,
I did read that document before posting. Tried to follow the recommended config as closely as possible.
Personally, if phase 1 and 2 were able to pass, I think the SA parameters should be OK (correct me if I am wrong).
So I need to clear some doubts here:
1. What are the possible reasons for causing the receive error counter to increase?
2. On my NetScreen, the subnet that is supposed to trigger the VPN is configured as a secondary subnet on the trusted interface. Is there any potential issue?
Thanks