I have two IPSEC tunnels with an ASA in the middle
Site A Calverton (Digi Transport WR44v2 - 10.20.4.0 /24
Site B Formac (AWS)- 192.168.142.0 /24
HQ Data Centre (ASA) - 10.99.206.0 /24 (22.214.171.124)
Site A - 10.20.4.0 /24 can reach the ASA and Site B successfully
ASA can reach Site A and Site B successfully
Site B can reach ASA but fails to ping Site A
I've been running a continuous ping from 192.168.142.25 and see this on the ASA:
4|Feb 28 2019 10:01:53|402116: IPSEC: Received an ESP packet (SPI= 0x41AD96C1, sequence number= 0x17BF) from 126.96.36.199 (user= 188.8.131.52) to 184.108.40.206. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.20.4.1, its source as 192.168.142.25, and its protocol as icmp. The SA specifies its local proxy as 10.99.206.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.142.0/255.255.255.0/ip/0.
I've looked this up and it describes the message as a NAT error but nothing specific. Could someone please explain what this error could potentially be caused by?
I've attached the Cisco ASA configuration as well as the Digi VPN tunnel configuration below. On the Digi, should I add the remote subnet as HQ or Formac?
Cisco ASA >>> https://www.dropbox.com/s/7xsghp2xhhkeaff/VPN%20ASA.txt?dl=0
Digi VPN >>>> https://www.dropbox.com/s/prfdas4gwbqifp9/Calverton%20VPN.docx?dl=0
AWS VPN >>>>> https://www.dropbox.com/s/lmqqbqzzzpysqu9/Site%20B%20VPN.docx?dl=0
I'm going around in circles at this point so would really appreciate any assistance.
Thanks in advance.