IPSec PIX 501 - ASA 5510 -> log flooded with %ASA-4-402116

Discussion in 'Cisco' started by Tilman Schmidt, Jan 24, 2008.

    In a VPN of eight PIXen (501 and 515E), fully meshed with IPSec tunnels,
    one of the nodes has been upgraded to an ASA 5510 to increase performance.
    I have migrated the config according to the book, and everything is
    running fine, but the new ASA is spamming my central log server with
    messages like this:

    %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xxxxxxxxx, sequence number= 0xxxxx) from <pix-ip> (user= <pix-ip>) to <asa-ip>. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as <asa-client>, its source as <src>, and its protocol as 1. The SA specifies its local proxy as <asa-client-net>/<asa-client-netmask>/0/0 and its remote_proxy as <pix-client-net>/<pix-client-netmask>/0/0.

    where <src> is either
    - an IP address which doesn't match any access-list entry in the sending
    PIX's config and therefore shouldn't have been encapsulated in the first
    place, or
    - an IP address which does match one of several access-list entries for
    the crypto map on the receiving ASA, but the log message lists a
    different, non-matching entry of the same access-list.

    Example for the second case because I'm not sure my description is very
    clear:

    %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x127) from <pix-ip> (user= <pix-ip>) to <asa-ip>. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.1.101, its source as 10.111.1.2, and its protocol as 1. The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.

    where the relevant access-list is:

    access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.111.1.0 255.255.255.0
    access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
    access-list pixtoasa extended permit ip host <asa-ip> 10.0.0.0 255.255.0.0
    access-list pixtoasa extended permit ip 192.168.246.0 255.255.255.0 10.111.1.0 255.255.255.0
    crypto map vpnmap 40 match address pixtoasa

    What might cause this and, more importantly, how can I get rid of it,
    short of saying "no logging message 402116"?

    aTdHvAaNnKcSe
    Tilman

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Jan 24, 2008
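The following is an added example and not code from the original post or from Cisco. It is a small Python checker that takes %ASA-4-402116 lines plus the receiving ASA's crypto ACL and sorts each message into the two cases described above: the inner packet matches no entry of the crypto ACL at all ("no-ace", so the peer should not have encrypted it), or it matches an entry other than the one whose proxy identities the SA was negotiated with ("wrong-sa", meaning it was sent over an SA built for a different ACE). The sample log lines and the addresses standing in for <pix-ip> (198.51.100.2) and <asa-ip> (203.0.113.1) are constructed; the checker only understands "permit ip" entries written as host/any/network-mask, and it ignores the protocol/port fields (the trailing /0/0) of the proxy identities.

```python
"""Classify %ASA-4-402116 messages against the receiving ASA's crypto ACL.

Added example, not from the original post or from Cisco. "wrong-sa" means the
inner packet matches some ACE, but not the one the SA's proxies were built
from; "no-ace" means no ACE covers it at all.
"""
import ipaddress
import re
from dataclasses import dataclass

# Layout of the message text as quoted in the thread (placeholders such as
# <pix-ip> are replaced by constructed addresses in the sample below).
MSG_RE = re.compile(
    r"%ASA-4-402116: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<peer>[\d.]+) \(user= [^)]+\) "
    r"to (?P<local>[\d.]+)\. The decapsulated inner packet doesn't match the negotiated "
    r"policy in the SA\. The packet specifies its destination as (?P<dst>[\d.]+), "
    r"its source as (?P<src>[\d.]+), and its protocol as (?P<proto>\d+)\. "
    r"The SA specifies its local proxy as (?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ "
    r"and its remote_proxy as (?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+\."
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Ace:
    text: str
    local: ipaddress.IPv4Network   # ACE source = this ASA's side of the tunnel
    remote: ipaddress.IPv4Network  # ACE destination = the peer's side


def _take_addr(tokens):
    """Consume one address spec ('host A', 'any' or 'NET MASK') from tokens."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Parse 'access-list NAME extended permit ip SRC DST' lines; skip everything else."""
    aces = []
    for raw in text.splitlines():
        m = re.match(r"access-list \S+ extended permit ip (.+)", raw.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        local, tokens = _take_addr(tokens)
        remote, tokens = _take_addr(tokens)
        aces.append(Ace(raw.strip(), local, remote))
    return aces


def classify(line, aces):
    """Return a verdict dict for one 402116 line, or None if the line is something else."""
    m = MSG_RE.search(line)
    if not m:
        return None
    dst, src = ipaddress.ip_address(m["dst"]), ipaddress.ip_address(m["src"])
    sa_local = ipaddress.ip_network(f"{m['lnet']}/{m['lmask']}", strict=False)
    sa_remote = ipaddress.ip_network(f"{m['rnet']}/{m['rmask']}", strict=False)
    # The inner packet comes from the peer: its destination is our (local) side
    # and its source the remote side, matching the ACE's src/dst order.
    hits = [a.text for a in aces if dst in a.local and src in a.remote]
    if dst in sa_local and src in sa_remote:
        verdict = "fits-sa"   # not expected for this message id; worth a closer look
    elif not hits:
        verdict = "no-ace"
    else:
        verdict = "wrong-sa"
    return {
        "verdict": verdict,
        "peer": m["peer"],
        "spi": m["spi"],
        "inner": f"{src} -> {dst} proto {PROTO_NAMES.get(int(m['proto']), m['proto'])}",
        "sa_proxies": f"{sa_local} <-> {sa_remote}",
        "matching_aces": hits,
    }


def analyse(log_text, acl_text):
    aces = parse_crypto_acl(acl_text)
    return [r for r in (classify(l, aces) for l in log_text.splitlines()) if r]


# Constructed sample: the ACL from the post with <asa-ip> = 203.0.113.1, and two
# 402116 lines with 198.51.100.2 as the PIX and 203.0.113.1 as the ASA.
SAMPLE_ACL = """\
access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.111.1.0 255.255.255.0
access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list pixtoasa extended permit ip host 203.0.113.1 10.0.0.0 255.255.0.0
access-list pixtoasa extended permit ip 192.168.246.0 255.255.255.0 10.111.1.0 255.255.255.0
crypto map vpnmap 40 match address pixtoasa
"""
_HEAD = ("%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= {seq}) "
         "from 198.51.100.2 (user= 198.51.100.2) to 203.0.113.1. The decapsulated inner packet "
         "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
         "192.168.1.101, its source as {src}, and its protocol as 1. The SA specifies its local "
         "proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.")
SAMPLE_LOG = "\n".join([_HEAD.format(seq="0x127", src="10.111.1.2"),
                        _HEAD.format(seq="0x128", src="172.16.5.9")])

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG, SAMPLE_ACL):
        print(r["verdict"], r["inner"], "| SA", r["sa_proxies"], "| ACE hits:", r["matching_aces"])
```

Run it as-is and the first sample line (the one quoted in the post) comes out as "wrong-sa" with the 10.111.1.0/24 entry as its only hit, because 10.111.1.2 is inside 10.111.1.0/24 but outside the SA's 10.0.0.0/16 remote proxy; the second comes out as "no-ace". Feeding it the real syslog export together with each peer's crypto ACL tells you per message which of the two cases you are looking at before you decide whether it is worth suppressing.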
