ACL = deny; no sa created

Answered Question
Feb 23rd, 2007

I am building an IPSec connection between a PIX and concentrator. I receive the following debug message (ACL = deny; no sa created) when traffic initiates from behind the PIX. When traffic initiates from behind the concentrator the tunnel comes up and data passes (from either side) without any errors. The PIX has two ACLs that are associated with the tunnel. The first ACL defines NAT and the second defines what is to be encrypted. When initiating traffic from the PIX side, both ACLs show hits. But captured traffic indicates the PIX does not try to communicate with the concentrator. Any ideas on what ACL = deny; no sa created means?

Correct Answer by Ajit Singh about 9 years 7 months ago

Hi,

Have you changed anything on the PIX once the crypto map was applied to it? If yes, remove the crypto map, clear all SAs and then re-apply the map.

The behaviour mentioned does occur if we change the VPN configuration without removing the crypto map.

NOTE: PIX is sometimes inconsistent in the case of a "deny" statement in the ACL defining interesting traffic, or if it defines ports. The ACL should permit the entire IP pool and should not have any deny statement.
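The accepted answer describes two things: a crypto ACL that should contain only whole-subnet `permit ip` lines, and a rebind procedure (unbind the map, clear the SAs, reapply). The snippet below is an added illustration, not configuration posted by anyone in this thread. It assumes PIX 6.3 command syntax; all addresses, ACL names, the map name PEERMAP and the peer address are placeholders.

```cisco
! Constructed example (not from the thread). Assumes PIX 6.3 syntax;
! addresses, ACL names, PEERMAP and the peer address are placeholders.

! --- Crypto ACL shape the answer warns against: a deny line plus a
! --- port-specific entry. Traffic matching the deny is not protected,
! --- and the port-specific permit narrows what the SA will carry.
access-list CRYPTO-BAD deny ip 192.168.1.0 255.255.255.0 host 10.0.0.5
access-list CRYPTO-BAD permit tcp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80

! --- Corrected crypto ACL: protocol ip, whole subnets, no deny lines.
access-list CRYPTO-OK permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

! --- NAT exemption ACL mirrors the crypto ACL so the same traffic is
! --- both left un-NATed and selected for encryption (the two ACLs the
! --- question refers to).
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
sysopt connection permit-ipsec

! --- Rebind procedure from the accepted answer: unbind the map from the
! --- interface, clear phase 2 and phase 1 SAs, swap the ACL, reapply.
no crypto map PEERMAP interface outside
clear crypto ipsec sa
clear crypto isakmp sa
crypto map PEERMAP 10 ipsec-isakmp
no crypto map PEERMAP 10 match address CRYPTO-BAD
crypto map PEERMAP 10 match address CRYPTO-OK
crypto map PEERMAP 10 set peer 203.0.113.10
crypto map PEERMAP 10 set transform-set ESP-3DES-SHA
crypto map PEERMAP interface outside

! --- Checks: hit counts on the crypto ACL, then whether a phase 1 SA
! --- and phase 2 SA actually form once inside-initiated traffic flows.
show access-list CRYPTO-OK
show crypto isakmp sa
show crypto ipsec sa
```

A useful way to read the result: if `show access-list` hit counts climb while `show crypto isakmp sa` stays empty after traffic from the inside, the PIX matched the ACL but never attempted negotiation, which is the symptom the question describes; a stale map binding or a deny/port-specific line in the crypto ACL are the two causes the answer points to.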

ggilbert Fri, 02/23/2007 - 09:22

Hi -

I would certainly see if you can execute what "ajisingh" suggested -

Also, out of curiosity, can you let me know what is the version of code you are running on the PIX?

Thanks

Gilbert

Kamal Malhotra Fri, 02/23/2007 - 09:31

Hi,

Please reboot the PIX and, if that still does not make a difference, then send me the running configuration.

HTH,

Regards,

Kamal

rmeans Fri, 02/23/2007 - 11:31

Similar to the other suggestions, I also found others with similar troubles. A reboot was suggested. I have a failover pair so rebooting isn't a big deal. I rebooted the standby unit then switched it to active. As for removing then reapplying the crypto map: prior to the reboot success, I did try removing the crypto map configuration specific to this connection. Removing and reapplying did not solve the issue.
