Avatar of jyoung1974

asked on 

Encrypted packet with no matching SA between ASA 5516 and Sophos SG430

We have a site to site connection that appears to be up between a Sophos SG430 UTM and a Cisco ASA 5516. The Sophos device does not do IKEV2, so please no recommendations on that. Phase 2 Completes on both devices and appears to be fine, but no traffic is going over the tunnel. Both of us can see traffic going in to the tunnel and hitting the firewall rules. No issues are found in debug on the Cisco side, and the only error I can get is the following:

 [IKEv1]IP=, Received encrypted packet with no matching SA, dropping

System Configs:

SG430 9.705-3

IKE Envryption Algorithm: AES 256
IKE Authentication algotrithm: SHA1
IKE SA lifetime: 28800
IKE DH group: Group 5: MODP 1536
IPsec encryption algorithm: AES 256
IPsec authentication algorithm: SHA1
IPsec SA lifetime: 28800
IPsec PFS groiup: Group 5: MODP 1536
Strict Policy (not checked)
Compression: (not checked)

After tunnel comes up: IPS SAs established

SA: ->
IKE: Auth PSK/EncAES_CBC_256/Hash HMAC_SHA1 /Lifetime 28800s/ PFS MODP_1536 / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_SHA1 / Lifetime28800s

ASA 5516 9.8(4)32

access-list inside_access_in extended permit ip
access-list outside_access_in extended permit ip

access-list outside_cryptomap_14 extended permit ip

nat (any,any) source static destination static no-proxy-arp

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto map outside_map 14 match address outside_cryptomap_14
crypto map outside_map 14 set pfs group5
crypto map outside_map 14 set peer
crypto map outside_map 14 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map outside_map 14 set security-association lifetime kilobytes 46080000
crypto map outside_map 14 set nat-t-disable
crypto map outside_map 14 set reverse-route

crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

group-policy tunnel-policy internal
group-policy tunnel-policy attributes
 vpn-filter value outside_cryptomap_14
 vpn-tunnel-protocol ikev1 l2tp-ipsec

tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy tunnel-policy
tunnel-group ipsec-attributes
 ikev1 pre-shared-key xxxxx
 peer-id-validate nocheck

SophosCiscoVPN* ASA5516

Avatar of undefined
Last Comment
Pete Long
Avatar of Jan Bacher
Jan Bacher
Flag of United States of America image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of Pete Long
Pete Long
Flag of United Kingdom of Great Britain and Northern Ireland image

I'm willing to bet phase 1 is up here's how to check. Make sure Phase 2 is established - the SA error may well point to a phase 2 mismatch or it might be something strange like PFS is on on one side. here's how to check that.

If tunnels up and no traffic is flowing is then it's either a NAT problem - thats easy to test on the ASA issue a 'management-access inside' command then ping the inside interface of the ASA from something behind the Sophos box if that replies your problem will probably be NAT related.

Looking at packets encrypting and packets decrypting in the phase 2 troubleshooting is usually the best indicator of 'where the problem is'.



Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo