1 Reply Latest reply on Dec 1, 2014 4:32 AM by PhilM

    Packets are dropped due to IPSec negotiation failure

    vstalin

      Hi Folks,

       

      McAfee Firewall Enterprise (SideWinder) v8.3.2

       

      I have formed a site-site VPN topology for my testing. I am getting the following message in "acat -ak" logs.

       

      reason: Dropped an outbound packet during IPsec processing because there was no security association available.

       

       

      Tunnel is not getting established and I am not able to ping/reach the server side network. I checked for all the configuration, route reachability. Everything looks fine. But still didn't get any clue on why VPN Tunnel is not getting created.

       

      Any help would be appreciated!

       

      BR,

      ViveK

        • 1. Re: Packets are dropped due to IPSec negotiation failure
          PhilM

          From what I can recall, this message sometimes indicates that there's a mismatch between the source/destination of the packets you are trying to send over the tunnel and the Local/Remote values entered in to the VPN definition.

           

          Have you tried sending traffic to the other side of the VPN directly from the Firewall CLI?

           

          Try running "showaudit -kv" before testing the tunnel. This should give you VPN specific audit messages which may reveal something else. It could be that there is something else which is stopping the security association from establishing and the errors you are seeing in "acat -ak" are then related to subsequent packets trying to pass through after the security association has already failed.