I am building an IPSec connection between a PIX and a concentrator. I receive the following debug message (ACL = deny; no sa created) when traffic initiates from behind the PIX. When traffic initiates from behind the concentrator the tunnel comes up and data passes (from either side) without any errors. The PIX has two ACLs that are associated with the tunnel. The first ACL defines NAT and the second defines what is to be encrypted. When initiating traffic from the PIX side, both ACLs show hits. But captured traffic indicates the PIX does not try to communicate with the concentrator. Any ideas on what ACL = deny; no sa created means?
Have you changed anything on the PIX once the crypto map was applied to it? If yes, remove the crypto map, clear all SAs and then re-apply the map.
The behaviour mentioned does occur if we change the VPN configuration without removing the crypto map.
NOTE: The PIX is sometimes inconsistent in the case of a "deny" statement in the ACL defining interesting traffic, or if it defines ports. The ACL should permit the entire IP pool and should not have any deny statement.
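The crypto-ACL caveat and the remove / clear / re-apply sequence from the reply above, as an added PIX 6.x configuration example that is not part of the original thread. Every name (CRYPTO_ACL, CRYPTO_BAD, NONAT, VPNMAP, TS), every network, the peer address and the pre-shared key placeholder are assumptions chosen for illustration, not values from the poster's setup.

```cisco
! Added example, not from the thread. All names, networks and the peer
! address are assumptions; replace them with your own values.
!
! --- Interesting-traffic ACL of the kind the reply warns against:
!     a deny line and a port match. Shown commented out, do not use it.
! access-list CRYPTO_BAD deny   ip  10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! access-list CRYPTO_BAD permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
!
! --- Interesting-traffic ACL as the reply recommends:
!     one "permit ip" for the whole pool, no deny statements, no ports.
access-list CRYPTO_ACL permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! --- NAT-exemption ACL (the "first ACL" in the question).
!     It mirrors the crypto ACL so the same traffic bypasses NAT and is encrypted.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- ISAKMP phase 1 (pre-shared key; KEY_PLACEHOLDER is just that)
isakmp enable outside
isakmp key KEY_PLACEHOLDER address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! --- IPSec phase 2: crypto map bound to the interesting-traffic ACL
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address CRYPTO_ACL
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set TS
crypto map VPNMAP interface outside
sysopt connection permit-ipsec
!
! --- After changing any crypto-related line above, follow the reply:
!     1. unbind the map from the interface
no crypto map VPNMAP interface outside
!     2. clear the existing SAs (both phases)
clear crypto ipsec sa
clear crypto isakmp sa
!     3. re-apply the map
crypto map VPNMAP interface outside
!
! --- Verify: the map should list CRYPTO_ACL as its match address, and a
!     fresh SA should appear once traffic from 10.1.1.0/24 is sent.
show crypto map
show crypto ipsec sa
debug crypto ipsec
```

The point of keeping NONAT and CRYPTO_ACL identical is that the PIX evaluates NAT before the crypto map; a packet that matches the crypto ACL only after translation, or that matches a deny line in it, is dropped rather than encrypted. If `show crypto map` still shows the old ACL or old peer after an edit, the unbind / clear / re-bind sequence is what forces the PIX to reload the map.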