Hi Kawaii,
It seems to have a proxy ID mismatch.
--
Thanks
Shahid Ansari
Solution Architect
CCIE#20017
Kuwait

On Wed, Mar 16, 2011 at 11:25 AM, kawaii mak <kawaii00mak_at_gmail.com> wrote:
> Dear Expert,
> I have a question about a Cisco FW (ASA5520+ with v8.2(2)) setup to connect
> a Netscreen SSG20 for Site-to-Site VPN tunnel.
> Tunnel negotiation was completed Phase1 & Phase2. Private traffic initiated
> from ASA side(10.194.x.x) to Netscreen side(192.168.x.x) but seems there is
> unreachable. And some of message occurs in ASA while packet return back
> from Netscreen side as follow. Is anything wrong in configuration to trigger for
> these message????
> P'se help!!! Thank.
>
> firewall log
> ==============
> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI=
> 0x24F592BC, sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to
> 203.x.x.x. The decapsulated inner packet doesn't match the negotiated
> policy in the SA. The packet specifies its destination as 203.x.x.x, its
> source as 210.x.x.x, and its protocol as 1. The SA specifies its local
> proxy as 10.194.x.x/255.255.255.255/0/0 and its remote_proxy as
> 192.168.x.x/
> 255.255.255.255/0/0.
>
> Regards,
> Kawaii
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Mar 16 2011 - 11:58:06 ART
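An added example, not part of either poster's message: a short Python check that parses a 402116 message and compares the decapsulated inner packet with the SA's proxy IDs, which is the comparison behind the mismatch named in the reply. The sample line is constructed with documentation-range addresses, and reading each proxy as address/mask/protocol/port with 0 meaning "any" is an assumption.

```python
import ipaddress
import re

# Constructed sample in the shape of the 402116 message quoted above; the
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE = (
    "4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI= "
    "0x24F592BC, sequence number= 0x1) from 198.51.100.7 (user= 198.51.100.7) "
    "to 203.0.113.9. The decapsulated inner packet doesn't match the "
    "negotiated policy in the SA. The packet specifies its destination as "
    "203.0.113.9, its source as 198.51.100.7, and its protocol as 1. The SA "
    "specifies its local proxy as 10.194.0.5/255.255.255.255/0/0 and its "
    "remote_proxy as 192.168.1.5/255.255.255.255/0/0."
)

PATTERN = re.compile(
    r"402116: .*?from (?P<peer>[\d.]+) .*?to (?P<outer_dst>[\d.]+)\. .*?"
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. The SA specifies its local proxy "
    r"as (?P<local>\S+) and its remote_proxy as (?P<remote>[\d./]+?)\.?$"
)

def parse_proxy(text):
    """Split 'addr/mask/proto/port' (assumed layout) into (network, proto)."""
    addr, mask, proto, _port = text.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto)

def check_402116(message):
    """Report which selector of the inbound SA the inner packet fails."""
    m = PATTERN.search(" ".join(message.split()))  # undo log line wrapping
    if m is None:
        raise ValueError("not a 402116 policy-mismatch message")
    local_net, local_proto = parse_proxy(m["local"])
    remote_net, remote_proto = parse_proxy(m["remote"])
    proto = int(m["proto"])
    return {
        # Inbound traffic: inner destination is checked against the local proxy.
        "dst_in_local_proxy": ipaddress.ip_address(m["dst"]) in local_net,
        "src_in_remote_proxy": ipaddress.ip_address(m["src"]) in remote_net,
        "proto_allowed": local_proto in (0, proto) and remote_proto in (0, proto),
        # True when the inner header repeats the tunnel endpoints themselves.
        "inner_equals_outer": (m["src"], m["dst"]) == (m["peer"], m["outer_dst"]),
    }

if __name__ == "__main__":
    print(check_402116(SAMPLE))
```

On the constructed sample both address checks fail while the protocol check passes, and the inner header carries the same two addresses as the outer ESP packet, the pattern visible in the quoted log.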
This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART