Encrypted packet with no matching SA between ASA 5516 and Sophos SG430

jyoung1974 asked on
We have a site-to-site connection that appears to be up between a Sophos SG430 UTM and a Cisco ASA 5516. The Sophos device does not do IKEv2, so please no recommendations on that. Phase 2 completes on both devices and appears to be fine, but no traffic is going over the tunnel. Both of us can see traffic going into the tunnel and hitting the firewall rules. No issues are found in debug on the Cisco side, and the only error I can get is the following:

 [IKEv1]IP=149.56.62.35, Received encrypted packet with no matching SA, dropping

System Configs:

SG430 9.705-3

IKE Encryption Algorithm: AES 256
IKE Authentication algorithm: SHA1
IKE SA lifetime: 28800
IKE DH group: Group 5: MODP 1536
IPsec encryption algorithm: AES 256
IPsec authentication algorithm: SHA1
IPsec SA lifetime: 28800
IPsec PFS group: Group 5: MODP 1536
Strict Policy (not checked)
Compression: (not checked)

After the tunnel comes up: IPsec SAs established

SA: 192.168.0.0/24=149.56.62.35 -> 81.34.65.184=10.0.1.0/24
VPN ID: 149.56.62.35
IKE: Auth PSK / Enc AES_CBC_256 / Hash HMAC_SHA1 / Lifetime 28800s / PFS MODP_1536 / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_SHA1 / Lifetime 28800s


ASA 5516 9.8(4)32

access-list inside_access_in extended permit ip 10.0.1.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.0.0

access-list outside_cryptomap_14 extended permit ip 10.0.1.0 255.255.0.0 192.168.0.0 255.255.255.0

nat (any,any) source static 10.0.1.0 255.255.0.0 10.0.1.0 255.255.0.0 destination static 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 no-proxy-arp

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto map outside_map 14 match address outside_cryptomap_14
crypto map outside_map 14 set pfs group5
crypto map outside_map 14 set peer 149.56.62.35
crypto map outside_map 14 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map outside_map 14 set security-association lifetime kilobytes 46080000
crypto map outside_map 14 set nat-t-disable
crypto map outside_map 14 set reverse-route

crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

group-policy tunnel-policy internal
group-policy tunnel-policy attributes
 vpn-filter value outside_cryptomap_14
 vpn-tunnel-protocol ikev1 l2tp-ipsec


tunnel-group 149.56.62.35 type ipsec-l2l
tunnel-group 149.56.62.35 general-attributes
 default-group-policy tunnel-policy
tunnel-group 149.56.62.35 ipsec-attributes
 ikev1 pre-shared-key xxxxx
 peer-id-validate nocheck
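As an added consistency check (not part of the thread or of either vendor's tooling), the following Python compares the traffic selectors quoted for both peers: the Sophos SA line and the ASA crypto-map ACL. It assumes both lines are in exactly the formats posted above; differing proxy IDs are one of the first things to rule out when a tunnel negotiates but carries no traffic.

```python
import ipaddress
import re

# Inputs copied from the two configurations quoted in the question.
SOPHOS_SA = "192.168.0.0/24=149.56.62.35 -> 81.34.65.184=10.0.1.0/24"
ASA_CRYPTO_ACL = (
    "access-list outside_cryptomap_14 extended permit ip "
    "10.0.1.0 255.255.0.0 192.168.0.0 255.255.255.0"
)


def parse_sophos_sa(line):
    """Return (sophos_local, sophos_remote) networks from a Sophos SA line
    of the form 'LOCAL_NET=LOCAL_GW -> REMOTE_GW=REMOTE_NET'."""
    left, right = [part.strip() for part in line.split("->")]
    sophos_local = ipaddress.ip_network(left.split("=")[0], strict=False)
    sophos_remote = ipaddress.ip_network(right.split("=")[1], strict=False)
    return sophos_local, sophos_remote


def parse_asa_acl(line):
    """Return (src_net, dst_net) from an ASA 'extended permit ip A MASK B MASK'
    entry. strict=False masks off host bits, so '10.0.1.0 255.255.0.0'
    becomes the 10.0.0.0/16 the ASA actually matches on."""
    match = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
    if not match:
        raise ValueError("unrecognised ACE: " + line)
    src = ipaddress.ip_network(f"{match.group(1)}/{match.group(2)}", strict=False)
    dst = ipaddress.ip_network(f"{match.group(3)}/{match.group(4)}", strict=False)
    return src, dst


def proxy_id_mismatches(sophos_line, asa_ace):
    """List the selector pairs on which the two peers disagree.
    IKEv1 quick mode carries these proxy IDs, and each side only
    selects traffic into the SA that matches its own view of them."""
    s_local, s_remote = parse_sophos_sa(sophos_line)
    a_src, a_dst = parse_asa_acl(asa_ace)
    problems = []
    if a_src != s_remote:
        problems.append(f"ASA local {a_src} != Sophos remote {s_remote}")
    if a_dst != s_local:
        problems.append(f"ASA remote {a_dst} != Sophos local {s_local}")
    return problems


if __name__ == "__main__":
    for problem in proxy_id_mismatches(SOPHOS_SA, ASA_CRYPTO_ACL) or ["selectors agree"]:
        print(problem)
```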

