It's 2AM! ASA5510 with routers and PIX as spokes still don't work

Unanswered Question
Apr 11th, 2007


It's already 2:00 AM here and I still can't make this work.

We have an ASA5510 with a static IP which will serve as the new VPN hub to 3 spoke sites that have a PIX, an 1841 and a 2821. The ASA5510 L2L connection to the PIX with static IP works well. But the ASA5510 L2L link to the 1841 with dynamic IP (ADSL) and also the ASA5510 L2L link to the 2821 both don't work.

Links from PIX to ASA5510, 1841 and 2821 are all up.

I'm attaching the config of ASA5510 and the 1841 to start.

Grateful if someone can look at the configs and point me to the right configuration.

Thanks in advance.


agcastle2000 Thu, 04/19/2007 - 07:11


Thanks for your reply.

The L2L links with both static IPs are up now but I can't make the L2L (dynamic to static) work. I already put the crypto dynamic at high sequence and I also added the line:

tunnel-group-map default-group DefaultL2LGroup

See my crypto. I don't know what parameters I still need to add.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 6000 match address auh2dxb_acl
crypto dynamic-map outside_dyn_map 6000 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 6000 set reverse-route
crypto map outside_map 10 match address auh2mct_acl
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 30 match address auh2kub_acl
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 6000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20



agcastle2000 Tue, 04/24/2007 - 08:50


Can someone shed some light on what this debug error means and what I need to look at to resolve the issue?

Received encrypted packet with no matching SA, dropping



Richard Burts Tue, 04/24/2007 - 18:33


I did not notice this when it was first posted, and I admit that I have not looked closely at the configs that you posted, on the assumption that in the passing time you may have modified something. My guess about the debug message is that the timers may not match which results in one peer deleting the SA while the other peer is still using it. Can you check the timers and verify that they match? And if they do match perhaps you can post fresh copies of the configs?
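As an added example, not from any participant in this thread, the following Python checker covers the two points raised so far: whether a hub ISAKMP policy matches a spoke policy (and which lifetime the SA will actually get, since IKEv1 takes the shorter of the two), and whether the hub crypto map has a static entry with no peer address or a dynamic entry that is not at the highest sequence number. HUB_CONFIG is modelled on the ASA lines posted earlier in the thread with a constructed peer address (192.0.2.10); SPOKE_CONFIG is a hypothetical IOS router whose Phase 1 lifetime differs from the hub's. Policy attributes other than lifetime are not defaulted when absent.

```python
# Added example: ASA hub vs IOS spoke IKEv1 policy and crypto map checks.
# HUB_CONFIG is modelled on the thread's ASA output (192.0.2.10 constructed);
# SPOKE_CONFIG is a hypothetical IOS router configuration.
import re

HUB_CONFIG = """\
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 30 set peer
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 6000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
"""

SPOKE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
"""

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ATTRS = ("authentication", "encryption", "hash", "group")
ALIASES = {"encr": "encryption"}  # IOS abbreviates 'encryption' in show run
DEFAULT_LIFETIME = 86400          # IKEv1 SA lifetime default on ASA and IOS


def parse_isakmp_policies(config_text):
    """Return {seq: {attr: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {"lifetime": DEFAULT_LIFETIME}
            continue
        if current is None or not line:
            continue
        parts = line.split()
        key = ALIASES.get(parts[0], parts[0])
        if key in ATTRS and len(parts) > 1:
            policies[current][key] = parts[1]
        elif key == "lifetime" and len(parts) > 1:
            policies[current]["lifetime"] = int(parts[1])
        else:
            current = None  # '!' or the next crypto command ends the block
    return policies


def find_phase1_matches(hub, spoke):
    """(hub_seq, spoke_seq, negotiated_lifetime) for every pair whose
    authentication/encryption/hash/group agree; IKEv1 uses the shorter lifetime."""
    return [(h_seq, s_seq, min(h["lifetime"], s["lifetime"]))
            for h_seq, h in sorted(hub.items())
            for s_seq, s in sorted(spoke.items())
            if all(h.get(a) == s.get(a) for a in ATTRS)]


def lifetime_mismatches(hub, spoke):
    """Matching pairs whose configured lifetimes differ (the timers to align)."""
    return [(h, s) for h, s, _ in find_phase1_matches(hub, spoke)
            if hub[h]["lifetime"] != spoke[s]["lifetime"]]


def lint_crypto_map(config_text, map_name):
    """Flag static entries without a peer address and a dynamic entry that is
    not the highest sequence number (static peers must be evaluated first)."""
    entries = {}
    for raw in config_text.splitlines():
        m = MAP_RE.match(raw.strip())
        if not m or m.group(1) != map_name:
            continue
        seq, rest = int(m.group(2)), m.group(3).split()
        entry = entries.setdefault(seq, {"dynamic": False, "peer": None})
        if rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = True
        elif rest[:2] == ["set", "peer"]:
            entry["peer"] = rest[2] if len(rest) > 2 else ""
    problems = [f"entry {seq}: static entry has no peer address"
                for seq, e in sorted(entries.items())
                if not e["dynamic"] and not e["peer"]]
    dynamic = [seq for seq, e in entries.items() if e["dynamic"]]
    if dynamic and max(dynamic) != max(entries):
        problems.append(f"dynamic entry {max(dynamic)} is not the highest "
                        f"sequence number ({max(entries)})")
    return problems
```

Run it against `show run crypto` output from both ends: `find_phase1_matches` tells you which policy pair will be selected and the lifetime the SA really gets, `lifetime_mismatches` lists the pairs whose timers should be made identical, and `lint_crypto_map` catches the two crypto map mistakes that keep a dynamic-IP spoke from ever reaching the dynamic entry.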



agcastle2000 Wed, 04/25/2007 - 13:31


I'm attaching the configs of the ASA5510 (static serial), PIX (static serial), 1841 (dynamic ADSL) and 2821 (static SDSL). The PIX, 1841 and 2821 have to connect to the ASA5510, which will become the new hub. At the moment, the PIX-ASA5510 link is connected and stable. The 1841-ASA5510 link is also up, but intermittently I lose the connection. At this juncture, I can't make the 2821 establish a VPN link to the ASA5510.

On the other hand, the PIX, considered as the old hub, has stable connections to ASA5510, 1841 and 2821.

I would be really really grateful if you could share your expertise and throw some help.

On the next post is the debug result of the ASA5510 and the config of the 2821.



CRISTIAN LACATUS Wed, 04/25/2007 - 03:47


Can you configure a L2L tunnel from a router using dynamic IP addresses (the 1841 in your example)? I was under the impression that site-to-site tunnels require devices with static IP addresses on both sides. Spokes with dynamic IP addresses can be connected using EasyVPN or DMVPN (between routers, not supported on ASA/PIX).



agcastle2000 Wed, 04/25/2007 - 13:16

Hi Cristian,

After days of trying, I managed to establish an L2L tunnel from the 1841 with an ADSL modem in front to the ASA5510, but I must say that sometimes the tunnel disappears at any time of the day. It could be something to do with my configuration, either in the 1841 or in the ASA5510.



