An IPSec tunnel between a PIX 501 Version 6.3 (phnx-bn-gw) and an ASA 5510 Version 7.2 (vcservnet-gw) frequently produces these messages on the ASA side:
Aug 27 05:52:22 vcservnet-gw %ASA-4-402116: IPSEC: Received an ESP packet (SPI=0x2A9F2022, sequence number= 0x25C) from phnx-bn-gw (user= phnx-bn-gw) to vcservnet-gw. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.1.101, its source as 10.111.1.2, and its protocol as 1. The SA specifies its local proxy as 192.168.1.0/255.255.255.0/0/0 and its remote_proxy as 10.0.0.0/255.255.0.0/0/0.
The crypto maps are defined on the PIX side by:
access-list vcservnet permit ip 10.111.1.0 255.255.255.0 192.168.1.025188.8.131.52 access-list vcservnet permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
and on the ASA side by:
access-list phnx-bn extended permit ip 192.168.1.0 255.255.255.0 10.111.1.025184.108.40.206 access-list phnx-bn extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
Both of these entries appear in in "show ipsec sa peer phnx-bn-gw", with encaps/decaps counters indicating a perfectly working SA. But somehow, some packets arriving on the ASA side apparently get matched up against the wrong one.
Any ideas why, and how to prevent that?