371 Views, 0 Helpful, 2 Replies

VPN troubleshooting Advice

k18nh0wt8n
Level 1

Hi,

I am using a PIX and a NetScreen box to perform a VPN connection.

When I perform a "show ipsec sa", I can see that the VPN has been established, but there was no traffic flow. I noticed that the receive error counter was increasing constantly.

When I looked at the log, it was displaying log ID 402103:

Explanation: An unencapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer. This may be a hostile event.

Recommended Action: Contact the peer's administrator to compare policy settings.

When I compared both sides' settings, everything looked OK (but I could have missed something).

Can anyone advise me on this?

Thanks

2 Replies

jmia
Level 7

Kian,

Have a read of the following document and see if this helps; if you need further help, then reply back.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml#config-net

If this helps, then please remember to rate the post.

Thanks,

Jay

Hi,

I did read that document before posting, and tried to follow the recommended config as closely as possible.

Personally, if Phase 1 and 2 were able to pass, I think the SA parameters should be OK (correct me if I am wrong).

So I need to clear some doubts here:

1. What are the possible reasons for the receive error counter to increase?

2. On my NetScreen, the subnet that is supposed to trigger the VPN is configured as a secondary subnet on the trusted interface. Is there any potential issue?

Thanks
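As an added illustration of the 402103 condition described in this thread (example code, not from the thread, the PIX or the NetScreen), the following Python model treats a Phase 2 SA as a pair of negotiated traffic selectors and shows how a flow can pass Phase 1 and 2 yet still be dropped with a receive error: the sending side encrypts a flow, such as one from a secondary subnet, that lies outside the identity the receiving side negotiated. All subnets and hosts are constructed samples.

```python
from ipaddress import ip_address, ip_network

# Constructed model, not PIX or NetScreen code: a Phase 2 SA's negotiated
# identity is a pair of traffic selectors (proxy IDs), local and remote.
class Phase2SA:
    def __init__(self, local, remote):
        self.local = ip_network(local)
        self.remote = ip_network(remote)

    def mirrors(self, peer):
        """Both ends must hold the same selectors, seen from opposite sides."""
        return self.local == peer.remote and self.remote == peer.local

    def accepts_outbound(self, src, dst):
        """Would this end encrypt src->dst into the tunnel?"""
        return ip_address(src) in self.local and ip_address(dst) in self.remote

    def accepts_inbound(self, src, dst):
        """After decryption, does src->dst match the negotiated identity? 'No'
        is the 402103 condition: dropped and counted as a receive error."""
        return ip_address(src) in self.remote and ip_address(dst) in self.local

def classify_flows(sender, receiver, flows):
    """sender: selectors the sending policy puts into the tunnel;
    receiver: identity the receiving side negotiated for that tunnel.
    Returns {"src->dst": "ok" | "not-sent" | "identity-mismatch"}."""
    verdict = {}
    for src, dst in flows:
        key = f"{src}->{dst}"
        if not sender.accepts_outbound(src, dst):
            verdict[key] = "not-sent"            # never triggers the VPN
        elif receiver.accepts_inbound(src, dst):
            verdict[key] = "ok"
        else:
            verdict[key] = "identity-mismatch"   # what the PIX logs as 402103
    return verdict

if __name__ == "__main__":
    # Constructed scenario: the PIX negotiated only the NetScreen's primary
    # trust subnet, but the NetScreen policy covers the whole /16, so the
    # secondary subnet 10.1.2.0/24 is sent through an SA that excludes it.
    pix = Phase2SA(local="192.168.50.0/24", remote="10.1.1.0/24")
    ns_policy = Phase2SA(local="10.1.0.0/16", remote="192.168.50.0/24")
    print("selectors mirror each other:", pix.mirrors(ns_policy))   # False
    flows = [("10.1.1.10", "192.168.50.20"),   # primary subnet host
             ("10.1.2.5", "192.168.50.20"),    # secondary subnet host
             ("172.16.0.9", "192.168.50.20")]  # in neither policy
    for flow, result in classify_flows(ns_policy, pix, flows).items():
        print(f"{flow}: {result}")
```

The practical check this models is the one the log's recommended action asks for: the sending side's policy selectors must mirror the SA identity the receiving side holds, and any subnet (primary or secondary) that should ride the tunnel has to fall inside both.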