PIX to ASA IPSec SA mixup

An IPSec tunnel between a PIX 501 Version 6.3 (phnx-bn-gw) and an ASA 5510 Version 7.2 (vcservnet-gw) frequently produces these messages on the ASA side:

Aug 27 05:52:22 vcservnet-gw %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x2A9F2022, sequence number= 0x25C) from phnx-bn-gw (user= phnx-bn-gw) to vcservnet-gw. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as, its source as, and its protocol as 1. The SA specifies its local proxy as and its remote_proxy as

The crypto maps are defined on the PIX side by:

access-list vcservnet permit ip
access-list vcservnet permit ip

and on the ASA side by:

access-list phnx-bn extended permit ip
access-list phnx-bn extended permit ip

Both of these entries appear in "show ipsec sa peer phnx-bn-gw", with encaps/decaps counters indicating a perfectly working SA. But somehow, some packets arriving on the ASA side apparently get matched up against the wrong one.

Any ideas why, and how to prevent that?

Thanks, Tilman

Tilman Schmidt
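Added example, not part of Tilman's post and not a Cisco tool: %ASA-4-402116 is raised when the ASA decrypts an ESP packet on a given SA (selected by SPI) and the inner packet's source/destination do not fall inside that SA's remote/local proxy identities. A common way to get there with two crypto-ACL entries is when the entries overlap (for instance a host entry whose address also lies inside a subnet entry), so the sending peer can classify a flow under one ACE while the receiver expects it on the SA negotiated for the other. The script below checks a pair of crypto ACLs for such overlaps, verifies they mirror each other, and replays the ASA's proxy check against a 402116 message. All addresses are constructed, since the post's ACL entries and log fields were lost; the "addr/mask/proto/port" form of the proxy fields is an assumption.

```python
"""Crypto-ACL overlap check and replay of the ASA's post-decapsulation proxy check.

Added example; not from the original post. Every address here is constructed
because the post's own ACL entries and log fields did not survive extraction.
"""
import ipaddress
import re
from itertools import combinations
from typing import NamedTuple


class Ace(NamedTuple):
    """One 'permit ip <src> <dst>' line of a crypto ACL, as seen from its own side."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(src: str, dst: str) -> Ace:
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst))


# Constructed PIX side (access-list vcservnet): the second entry is a single host
# that also lies inside the first entry's source subnet, so the two overlap.
PIX_ACL = [ace("192.0.2.0/24", "198.51.100.0/24"),
           ace("192.0.2.10/32", "198.51.100.0/24")]

# Constructed ASA side (access-list phnx-bn), the src/dst-swapped mirror of the PIX.
ASA_ACL = [ace("198.51.100.0/24", "192.0.2.0/24"),
           ace("198.51.100.0/24", "192.0.2.10/32")]


def overlapping(acl):
    """Index pairs of ACEs whose src AND dst ranges intersect.

    One inner packet can then match more than one ACE, so the SA the sender
    picks for it need not be the SA the receiver expects it on.
    """
    return [(i, j) for (i, a), (j, b) in combinations(enumerate(acl), 2)
            if a.src.overlaps(b.src) and a.dst.overlaps(b.dst)]


def mirrored(local_acl, remote_acl):
    """True if every local ACE has an exact src/dst-swapped twin on the peer."""
    twins = {(e.dst, e.src) for e in remote_acl}
    return all((e.src, e.dst) in twins for e in local_acl)


def sa_accepts(local_proxy, remote_proxy, inner_src, inner_dst):
    """The receiver's check: inner src must be in the SA's remote proxy and inner
    dst in its local proxy; otherwise the ASA logs 402116 and drops the packet."""
    return (ipaddress.ip_address(inner_src) in remote_proxy
            and ipaddress.ip_address(inner_dst) in local_proxy)


_LOG = re.compile(
    r"%ASA-4-402116: .*?\(SPI= ?0x(?P<spi>[0-9A-Fa-f]+).*?"
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. The SA specifies its local proxy as "
    r"(?P<lp>\S+) and its remote_proxy as (?P<rp>\S+?)\.?$", re.S)


def parse_402116(line):
    """Pull SPI, inner addresses, protocol and SA proxies out of a 402116 message.
    Proxy fields are assumed to look like 'addr/mask/proto/port' (assumption)."""
    m = _LOG.search(line)
    if not m:
        return None

    def proxy(text):
        addr, mask = text.split("/")[:2]
        return ipaddress.ip_network(f"{addr}/{mask}")

    return {"spi": int(m["spi"], 16), "src": m["src"], "dst": m["dst"],
            "proto": int(m["proto"]), "local_proxy": proxy(m["lp"]),
            "remote_proxy": proxy(m["rp"])}


# Constructed message in the shape quoted in the post, with the blanks filled in:
# a packet from 192.0.2.25 arrived on the SA negotiated for the 192.0.2.10/32 ACE.
SAMPLE_LOG = (
    "Aug 27 05:52:22 vcservnet-gw %ASA-4-402116: IPSEC: Received an ESP packet "
    "(SPI= 0x2A9F2022, sequence number= 0x25C) from phnx-bn-gw (user= phnx-bn-gw) "
    "to vcservnet-gw. The decapsulated inner packet doesn't match the negotiated "
    "policy in the SA. The packet specifies its destination as 198.51.100.7, its "
    "source as 192.0.2.25, and its protocol as 1. The SA specifies its local proxy "
    "as 198.51.100.0/255.255.255.0/0/0 and its remote_proxy as 192.0.2.10/255.255.255.255/0/0.")


def log_matches_sa(line):
    """Replay the ASA's decision for one 402116 line; False means the log is consistent."""
    f = parse_402116(line)
    return None if f is None else sa_accepts(f["local_proxy"], f["remote_proxy"],
                                              f["src"], f["dst"])


if __name__ == "__main__":
    print("PIX overlapping ACEs:", overlapping(PIX_ACL))
    print("ASA overlapping ACEs:", overlapping(ASA_ACL))
    print("ACLs mirror each other:", mirrored(PIX_ACL, ASA_ACL))
    print("inner packet fits the SA it arrived on:", log_matches_sa(SAMPLE_LOG))
```

With the constructed ACLs the two entries on each side overlap while still mirroring each other exactly, which is the situation the post describes: "show ipsec sa" looks healthy, yet a packet from the subnet can arrive on the SA built for the host entry and fail the proxy check. The usual remedy is to make the crypto ACL entries disjoint (or collapse the host entry into the subnet entry) on both peers.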
