Event ID - ASA-4-402116

Message CodeASA-4-402116
SeverityWarning
DescriptionIPSEC: Received an protocol packet (SPI=spi, sequence number=seq_num) from remote_IP (username) to local_IP. The decapsulated inner packet doesn’t match the negotiated policy in the SA. The packet specifies its destination as pkt_daddr, its source as pkt_saddr, and its protocol as pkt_prot. The SA specifies its local proxy as id_daddr/id_dmask/id_dprot/id_dport and its remote proxy as id_saddr/id_smask/id_sprot/id_sport.
ExplanationThis message is displayed when a decapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be caused by a security association selection error by the peer, or it may be part of an attack. This message is rate limited to no more than one message every five seconds.
  • protocol—IPSec protocol
  • spi—IPSec Security Parameter Index
  • seq_num—IPSec sequence number.
  • remote_IP—IP address of the remote endpoint of the tunnel.
  • username—Username associated with the IPSec tunnel.
  • local_IP—IP address of the local endpoint of the tunnel.
  • pkt_daddr—Destination address from the decapsulated packet.
  • pkt_saddr—Source address from the decapsulated packet.
  • pkt_prot—Transport protocol from the decapsulated packet.
  • id_daddr—Local proxy IP address
  • id_dmask—Local proxy IP subnet mask
  • id_dprot—Local proxy transport protocol
  • id_dport—Local proxy port
  • id_saddr—Remote proxy IP address
  • id_smask—Remote proxy IP subnet mask
  • id_sprot—Remote proxy transport protocol
  • id_sport—Remote proxy port.
User ActionContact the administrator of the peer and compare policy settings.
Reference Links

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh