Hub and Spoke with only 1 spoke working?

Answered Question
May 7th, 2008
User Badges:

Hi, running a PIX515E hub (6.3(1)) with ASA 5505 spokes (7.2(3)). I'm attaching the configs. I've been using

to configure the hub for the second spoke (the first spoke is up and working). I thought I could just replicate what i'm doing on spoke 1 and add the Lan address to the existing NoNat ACL and add a new one for the new cryptomap, but when i try to initiate it from the hub side I get "IPSEC(sa_initiate): ACL = deny; no sa created" yet when i do a Sho ACL for 102 and NoNAT they have hits (yes they increment when i attempt to connect).


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
thanmad Thu, 05/08/2008 - 07:12
User Badges:

Herein lies my problem. If I do a sho crypto ipsec sa command (my version doesn't understand the peer option). All i see is spoke1 there is no SA for spoke2. Hence the message "IPSEC(sa_initiate): ACL = deny; no sa created".

thanmad Thu, 05/08/2008 - 13:27
User Badges:

Yeah, this doesn't change anything unfortunately. As you can see on the Hub, it's also there for Spoke1 and i have no problems with it.

thanmad Fri, 05/09/2008 - 09:16
User Badges:

I tried a simple reload of the Hub last night and that seems to have made it happy. Thanks for your help :)


This Discussion