We have a site-to-site connection that appears to be up between a Sophos SG430 UTM and a Cisco ASA 5516. The Sophos device does not do IKEv2, so please no recommendations on that. Phase 2 completes on both devices and appears to be fine, but no traffic is going over the tunnel. Both of us can see traffic going into the tunnel and hitting the firewall rules. No issues are found in debug on the Cisco side, and the only error I can get is the following:
[IKEv1]IP=149.56.62.35, Received encrypted packet with no matching SA, dropping
System Configs:
SG430 9.705-3
IKE Encryption Algorithm: AES 256
IKE Authentication algorithm: SHA1
IKE SA lifetime: 28800
IKE DH group: Group 5: MODP 1536
IPsec encryption algorithm: AES 256
IPsec authentication algorithm: SHA1
IPsec SA lifetime: 28800
IPsec PFS group: Group 5: MODP 1536
Strict Policy (not checked)
Compression: (not checked)
After tunnel comes up: IPS SAs established
SA: 192.168.0.0/24=149.56.62.35 -> 81.34.65.184=10.0.1.0/24
VPN ID: 149.56.62.35
IKE: Auth PSK/EncAES_CBC_256/Hash HMAC_SHA1 /Lifetime 28800s/ PFS MODP_1536 / DPD
ESP: Enc AES_CBC_256 / Hash HMAC_SHA1 / Lifetime28800s
ASA 5516 9.8(4)32
access-list inside_access_in extended permit ip 10.0.1.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.0.0
access-list outside_cryptomap_14 extended permit ip 10.0.1.0 255.255.0.0 192.168.0.0 255.255.255.0
nat (any,any) source static 10.0.1.0 255.255.0.0 10.0.1.0 255.255.0.0 destination static 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 no-proxy-arp
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto map outside_map 14 match address outside_cryptomap_14
crypto map outside_map 14 set pfs group5
crypto map outside_map 14 set peer 149.56.62.35
crypto map outside_map 14 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map outside_map 14 set security-association lifetime kilobytes 46080000
crypto map outside_map 14 set nat-t-disable
crypto map outside_map 14 set reverse-route
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
group-policy tunnel-policy internal
group-policy tunnel-policy attributes
vpn-filter value outside_cryptomap_14
vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group 149.56.62.35 type ipsec-l2l
tunnel-group 149.56.62.35 general-attributes
default-group-policy tunnel-policy
tunnel-group 149.56.62.35 ipsec-attributes
ikev1 pre-shared-key xxxxx
peer-id-validate nocheck
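With IKEv1, the traffic selectors (proxy IDs) each side proposes for Phase 2 must describe the same networks, and on the ASA the crypto-map ACL is what supplies them. A quick, offline way to sanity-check a pair of listings like the ones above is to parse both and compare them. The script below is an added example, not something from this thread or from Sophos/Cisco; it uses the Sophos "SA:" line and the ASA "outside_cryptomap_14" ACE exactly as posted (embedded as constructed input) and reports two kinds of findings: an ACE whose address is not the network address for its mask (the ASA would treat 10.0.1.0 255.255.0.0 as 10.0.0.0/16), and a selector on one side that does not equal the selector on the other.

```python
import ipaddress
import re

# Constructed input: the Phase 2 SA line as reported by the Sophos side in the thread.
SOPHOS_SA = "192.168.0.0/24=149.56.62.35 -> 81.34.65.184=10.0.1.0/24"

# Constructed input: the ASA crypto-map ACL as posted in the thread.
ASA_ACL = """\
access-list outside_cryptomap_14 extended permit ip 10.0.1.0 255.255.0.0 192.168.0.0 255.255.255.0
"""

# Matches an ASA 'extended permit ip <src> <mask> <dst> <mask>' ACE (hypothetical parser).
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)


def parse_sophos_sa(line):
    """Return (local_net, remote_net) from a Sophos 'IPsec SAs established' line.

    The format is '<local_net>=<local_gw> -> <remote_gw>=<remote_net>'.
    """
    left, right = line.split("->")
    local = left.split("=")[0].strip()
    remote = right.split("=")[-1].strip()
    return ipaddress.ip_network(local), ipaddress.ip_network(remote)


def parse_asa_acl(text):
    """Yield (name, src_net, dst_net, warnings) for each 'permit ip' ACE in the text."""
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        warnings = []
        nets = []
        for addr, mask in ((m["src"], m["smask"]), (m["dst"], m["dmask"])):
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}")  # strict: host bits must be zero
            except ValueError:
                # Host bits are set: the address is not the network address for that mask,
                # so the effective selector is the enclosing network.
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                warnings.append(f"{addr} {mask} is not a network address; effective selector is {net}")
            nets.append(net)
        yield m["name"], nets[0], nets[1], warnings


def check_proxy_ids(sophos_line, asa_acl_text):
    """Compare the ASA crypto ACL with the peer's SA selectors and return a list of findings."""
    sophos_local, sophos_remote = parse_sophos_sa(sophos_line)
    findings = []
    for name, asa_local, asa_remote, warnings in parse_asa_acl(asa_acl_text):
        findings.extend(warnings)
        # Seen from the ASA, its local network is the Sophos side's remote network and vice versa.
        if asa_local != sophos_remote:
            findings.append(f"{name}: ASA local {asa_local} != peer remote {sophos_remote}")
        if asa_remote != sophos_local:
            findings.append(f"{name}: ASA remote {asa_remote} != peer local {sophos_local}")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_ids(SOPHOS_SA, ASA_ACL):
        print(finding)
```

Run as-is it reports that 10.0.1.0 255.255.0.0 is not a network address and that the ASA's effective local selector 10.0.0.0/16 differs from the 10.0.1.0/24 the Sophos side negotiated; the 192.168.0.0/24 side matches. The same comparison can be pointed at any other ACE (the NAT exemption and interface ACLs above use the same 255.255.0.0 mask) by pasting it into ASA_ACL.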
If the tunnel's up and no traffic is flowing then it's either a NAT problem - that's easy to test on the ASA: issue a 'management-access inside' command, then ping the inside interface of the ASA from something behind the Sophos box; if that replies, your problem will probably be NAT related.
Looking at packets encrypting and packets decrypting in the phase 2 troubleshooting is usually the best indicator of 'where the problem is'.