IPSec PIX 501 - ASA 5510 -> log flooded with %ASA-4-402116
Tilman Schmidt
Guest
Posted: Thu Jan 24, 2008 2:14 pm    Post subject: IPSec PIX 501 - ASA 5510 -> log flooded with %ASA-4-402116

In a VPN of eight PIXen (501 and 515E), fully meshed with IPSec tunnels,
one of the nodes has been upgraded to an ASA 5510 to increase performance.
I have migrated the config according to the book, and everything is
running fine, but the new ASA is spamming my central log server with
messages like this:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xxxxxxxxx, sequence number= 0xxxxx) from <pix-ip> (user= <pix-ip>) to <asa-ip>. The decapsulated inner
packet doesn't match the negotiated policy in the SA. The packet specifies its destination as <asa-client>, its source as <src>, and its protocol as 1. The SA
specifies its local proxy as <asa-client-net>/<asa-client-netmask>/0/0 and its remote_proxy as <pix-client-net>/<pix-client-netmask>/0/0.

where <src> is either
- an IP address which doesn't match any access-list entry in the sending
PIX's config and therefore shouldn't have been encapsulated in the first
place, or
- an IP address which does match one of several access-list entries for
the crypto map on the receiving ASA, but the log message lists a
different, non-matching entry of the same access-list.

Example for the second case because I'm not sure my description is very
clear:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x127) from <pix-ip> (user= <pix-ip>) to <asa-ip>. The decapsulated inner
packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.1.101, its source as 10.111.1.2, and its protocol as 1.
The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.

where the relevant access-list is:

access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.111.1.0 255.255.255.0
access-list pixtoasa extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list pixtoasa extended permit ip host <asa-ip> 10.0.0.0 255.255.0.0
access-list pixtoasa extended permit ip 192.168.246.0 255.255.255.0 10.111.1.0 255.255.255.0
crypto map vpnmap 40 match address pixtoasa

What might cause this and, more importantly, how can I get rid of it,
short of saying "no logging message 402116"?

aTdHvAaNnKcSe
Tilman

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
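An added triage script for this thread (my own example, not the poster's config or any Cisco tooling): it parses %ASA-4-402116 lines like the ones quoted above, checks whether the decapsulated inner packet actually falls inside the SA's local/remote proxies, and then lists which entries of the receiving ASA's crypto ACL the inner packet would have matched instead. That separates the two cases the post describes: a source that matches no ACL entry at all (should never have been encapsulated) versus a source that matches a different, overlapping entry of the same ACL than the one the SA was negotiated for. It assumes the ACL's source side is the local (ASA-side) network and its destination side the remote (PIX-side) network, mirroring the SA's local_proxy/remote_proxy, and it ignores the protocol/port fields because every entry is "permit ip". The outer peer addresses and the "host <asa-ip>" entry use RFC 5737 documentation addresses as constructed placeholders.

```python
"""Triage %ASA-4-402116 messages against the receiving ASA's crypto ACL.

Hypothetical helper written for this thread, not Cisco code. Assumes the
crypto ACL's source side is the local network (the SA's local_proxy) and its
destination side the remote network (the SA's remote_proxy); protocol/port
fields are ignored since every entry is "permit ip".
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the example in the post. The outer
# addresses 203.0.113.10 (<pix-ip>) and 198.51.100.5 (<asa-ip>) are RFC 5737
# placeholders. Line 1 reproduces the post's "second case" (source 10.111.1.2);
# line 2 is a constructed "first case" with a source matching no ACL entry.
SAMPLE_LOGS = [
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x127) "
    "from 203.0.113.10 (user= 203.0.113.10) to 198.51.100.5. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "192.168.1.101, its source as 10.111.1.2, and its protocol as 1. The SA specifies its "
    "local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.",
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xAB0323B4, sequence number= 0x128) "
    "from 203.0.113.10 (user= 203.0.113.10) to 198.51.100.5. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "192.168.1.101, its source as 172.16.5.9, and its protocol as 1. The SA specifies its "
    "local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.",
]

# The "pixtoasa" ACL from the post as (local, remote) pairs, in ACL order.
# The "host <asa-ip>" entry uses the same placeholder as the log sample.
CRYPTO_ACL = [
    ("192.168.1.0/255.255.255.0", "10.111.1.0/255.255.255.0"),
    ("192.168.1.0/255.255.255.0", "10.0.0.0/255.255.0.0"),
    ("198.51.100.5/255.255.255.255", "10.0.0.0/255.255.0.0"),
    ("192.168.246.0/255.255.255.0", "10.111.1.0/255.255.255.0"),
]

MSG_RE = re.compile(
    r"%ASA-4-402116: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<peer>\S+) \(user= \S+\) "
    r"to (?P<local>\S+)\. The decapsulated inner packet doesn't match the negotiated "
    r"policy in the SA\. The packet specifies its destination as (?P<dst>\S+), "
    r"its source as (?P<src>\S+), and its protocol as (?P<proto>\d+)\. "
    r"The SA specifies its local proxy as (?P<lproxy>\S+) and its remote_proxy as (?P<rproxy>\S+)\.$"
)


def _proxy_net(proxy: str) -> ipaddress.IPv4Network:
    """Convert the message's 'net/mask/proto/port' proxy field to a network."""
    net, mask = proxy.split("/")[:2]
    return ipaddress.ip_network(f"{net}/{mask}")


def parse_402116(line: str) -> dict:
    """Extract peer, SPI, inner addresses and SA proxies from one log line."""
    m = MSG_RE.match(line.strip())
    if m is None:
        raise ValueError("not a %ASA-4-402116 message")
    d = m.groupdict()
    return {
        "peer": d["peer"],
        "spi": d["spi"],
        "inner_src": ipaddress.ip_address(d["src"]),
        "inner_dst": ipaddress.ip_address(d["dst"]),
        "proto": int(d["proto"]),
        "local_proxy": _proxy_net(d["lproxy"]),
        "remote_proxy": _proxy_net(d["rproxy"]),
    }


def classify(line: str, acl) -> dict:
    """Decide which of the post's two cases a message represents."""
    ev = parse_402116(line)
    # The inner packet is consistent with the SA only if dst is inside the
    # local proxy and src inside the remote proxy.
    inner_in_sa = ev["inner_dst"] in ev["local_proxy"] and ev["inner_src"] in ev["remote_proxy"]
    # Which ACL entries (by index) would have selected this inner packet?
    matches = [
        i for i, (local, remote) in enumerate(acl)
        if ev["inner_dst"] in ipaddress.ip_network(local)
        and ev["inner_src"] in ipaddress.ip_network(remote)
    ]
    if inner_in_sa:
        case = "inner-packet-within-sa-proxies"   # message would be unexpected
    elif matches:
        case = "matches-other-acl-entry"          # the post's second case
    else:
        case = "no-acl-entry"                     # the post's first case
    return {**ev, "inner_in_sa": inner_in_sa, "acl_matches": matches, "case": case}


def summarize(lines, acl) -> dict:
    """Count messages per (peer, case) to see what is flooding the log."""
    return dict(Counter((r["peer"], r["case"]) for r in (classify(l, acl) for l in lines)))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = classify(line, CRYPTO_ACL)
        print(r["peer"], r["spi"], r["inner_src"], "->", r["inner_dst"],
              "case:", r["case"], "acl entries:", r["acl_matches"])
    print(summarize(SAMPLE_LOGS, CRYPTO_ACL))
```

Run it over a syslog export instead of SAMPLE_LOGS and the summary shows, per PIX peer, whether the noise is traffic that should never have been encrypted or traffic selected by an overlapping ACL entry other than the one the SA was built for; in the quoted example the inner packet matches entry 0 (10.111.1.0/24) while the SA carries the proxies of entry 1 (10.0.0.0/16).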
Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.