Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > IPSec PIX 501 - ASA 5510 -> log flooded with %ASA-4-402116

IPSec PIX 501 - ASA 5510 -> log flooded with %ASA-4-402116

Tilman Schmidt
01-24-2008
In a VPN of eight PIXen (501 and 515E), fully meshed with IPSec tunnels,
one of the nodes has been upgraded to an ASA 5510 to increase performance.
I have migrated the config according to the book, and everything is
running fine, but the new ASA is spamming my central log server with
messages like this:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xxxxxxxxx, sequence number= 0xxxxx) from <pix-ip> (user= <pix-ip>) to <asa-ip>. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as <asa-client>, its source as <src>, and its protocol as 1. The SA specifies its local proxy as <asa-client-net>/<asa-client-netmask>/0/0 and its remote_proxy as <pix-client-net>/<pix-client-netmask>/0/0.

where <src> is either
- an IP address which doesn't match any access-list entry in the sending
PIX's config and therefore shouldn't have been encapsulated in the first
place, or
- an IP address which does match one of several access-list entries for
the crypto map on the receiving ASA, but the log message lists a
different, non-matching entry of the same access-list.

Example for the second case because I'm not sure my description is very
clear:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x127) from <pix-ip> (user= <pix-ip>) to <asa-ip>. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.1.101, its source as 10.111.1.2, and its protocol as 1. The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.

where the relevant access-list is:

access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.111.1.0 255.255.255.0
access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list pixtoasa extended permit ip host <asa-ip> 10.0.0.0 255.255.0.0
access-list pixtoasa extended permit ip 192.168.246.0 255.255.255.0 10.111.1.0 255.255.255.0
crypto map vpnmap 40 match address pixtoasa

What might cause this and, more importantly, how can I get rid of it,
short of saying "no logging message 402116"?

aTdHvAaNnKcSe
Tilman

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
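Added example, not part of the thread above: a small Python triage script that parses %ASA-4-402116 messages of the form quoted in the post and checks the decapsulated inner packet first against the SA's negotiated proxy identities and then against every entry of the receiving side's crypto ACL. That sorts each message into the two cases Tilman describes: the inner packet matches no crypto ACL entry at all, or it matches an entry other than the one the SA was negotiated for. The ACL is the pixtoasa list from the post; the PIX address 198.51.100.1, the ASA address 203.0.113.1 (substituted for <asa-ip>), the second log line's source 172.16.5.9, the unrelated 302013 line and the verdict names are constructed placeholders, not values from the post.

```python
"""Sort %ASA-4-402116 messages by how the inner packet relates to the crypto ACL.

Added example; addresses and the unrelated 302013 line are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Body of a 402116 message; search() so a syslog timestamp prefix is tolerated.
MSG_RE = re.compile(
    r"%ASA-4-402116: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<peer>{ip}) \(user= [^)]+\) "
    r"to (?P<local>{ip})\. The decapsulated inner packet doesn't match the negotiated "
    r"policy in the SA\. The packet specifies its destination as (?P<dst>{ip}), "
    r"its source as (?P<src>{ip}), and its protocol as (?P<proto>\d+)\. "
    r"The SA specifies its local proxy as (?P<lnet>{ip})/(?P<lmask>{ip})/\d+/\d+ "
    r"and its remote_proxy as (?P<rnet>{ip})/(?P<rmask>{ip})/\d+/\d+\."
    .format(ip=IPV4)
)

# "permit ip <src> <dst>" entries of a crypto map ACL; each side is "any",
# "host A.B.C.D" or "A.B.C.D MASK". Entries are written local -> remote.
ACL_RE = re.compile(
    r"access-list \S+ extended permit ip "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)$"
)


def _net(spec):
    """Turn an ACL address spec into an IPv4Network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(lines):
    """Return [(local_net, remote_net), ...] for the permit-ip lines of a crypto ACL."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            entries.append((_net(m["src"]), _net(m["dst"])))
    return entries


def classify(message, acl):
    """Explain one 402116 message; None if the line is not a 402116 message.

    verdict is "matches_sa" (inner packet fits the SA proxies after all),
    "wrong_sa_for_acl_entry" (fits some ACL entry, but not the SA's) or
    "not_in_crypto_acl" (fits no entry: the peer should not have encapsulated it).
    """
    m = MSG_RE.search(message)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])      # host behind the peer
    dst = ipaddress.ip_address(m["dst"])      # host behind the receiving ASA
    local_proxy = ipaddress.ip_network(f"{m['lnet']}/{m['lmask']}", strict=False)
    remote_proxy = ipaddress.ip_network(f"{m['rnet']}/{m['rmask']}", strict=False)

    in_sa = dst in local_proxy and src in remote_proxy
    # The packet arrives remote -> local, so compare dst with the entry's local side.
    acl_hits = [i for i, (lnet, rnet) in enumerate(acl) if dst in lnet and src in rnet]
    verdict = "matches_sa" if in_sa else ("wrong_sa_for_acl_entry" if acl_hits else "not_in_crypto_acl")
    return {"peer": m["peer"], "spi": m["spi"], "src": str(src), "dst": str(dst),
            "proto": int(m["proto"]), "sa_proxies": (str(local_proxy), str(remote_proxy)),
            "acl_hits": acl_hits, "verdict": verdict}


def summarize(messages, acl):
    """Count (peer, verdict) pairs so a flood can be attributed per tunnel."""
    counts = Counter()
    for line in messages:
        r = classify(line, acl)
        if r:
            counts[(r["peer"], r["verdict"])] += 1
    return counts


# Constructed inputs: the pixtoasa list from the post with <asa-ip> taken as
# 203.0.113.1; log lines use 198.51.100.1 as the PIX and 203.0.113.1 as the ASA.
CRYPTO_ACL = parse_acl([
    "access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.111.1.0 255.255.255.0",
    "access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0",
    "access-list pixtoasa extended permit ip host 203.0.113.1 10.0.0.0 255.255.0.0",
    "access-list pixtoasa extended permit ip 192.168.246.0 255.255.255.0 10.111.1.0 255.255.255.0",
])

SAMPLE_LOG = [
    # the second case from the post (source fits ACL entry 0, SA was built for entry 1)
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x127) "
    "from 198.51.100.1 (user= 198.51.100.1) to 203.0.113.1. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "192.168.1.101, its source as 10.111.1.2, and its protocol as 1. The SA specifies its "
    "local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.",
    # the first case: a source that is in none of the crypto ACL entries
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x128) "
    "from 198.51.100.1 (user= 198.51.100.1) to 203.0.113.1. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "192.168.1.101, its source as 172.16.5.9, and its protocol as 1. The SA specifies its "
    "local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.",
    # an unrelated line, which the parser must skip
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/40000 "
    "(198.51.100.7/40000) to inside:192.168.1.10/443 (192.168.1.10/443)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify(line, CRYPTO_ACL)
        if r:
            print(r["src"], "->", r["dst"], "SA", r["sa_proxies"], "ACL hits", r["acl_hits"], r["verdict"])
    for (peer, verdict), n in sorted(summarize(SAMPLE_LOG, CRYPTO_ACL).items()):
        print(n, peer, verdict)
```

Feed it the 402116 lines exported from the log server together with the receiving ASA's crypto ACL; the per-peer counts show which tunnel produces the flood and which of the two cases dominates. The script only says how the inner packet relates to the receiving side's policy; why the sending PIX encapsulated a packet that fits none of the entries has to be answered from that PIX's own crypto ACL and routing.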
 