Hub and Spoke with only 1 spoke working?

Answered Question
May 7th, 2008

Hi, running a PIX515E hub (6.3(1)) with ASA 5505 spokes (7.2(3)). I'm attaching the configs. I've been using http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

to configure the hub for the second spoke (the first spoke is up and working). I thought I could just replicate what i'm doing on spoke 1 and add the Lan address to the existing NoNat ACL and add a new one for the new cryptomap, but when i try to initiate it from the hub side I get "IPSEC(sa_initiate): ACL = deny; no sa created" yet when i do a Sho ACL for 102 and NoNAT they have hits (yes they increment when i attempt to connect).

ideas?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
thanmad Thu, 05/08/2008 - 07:12

Herein lies my problem. If I do a sho crypto ipsec sa command (my version doesn't understand the peer option). All i see is spoke1 there is no SA for spoke2. Hence the message "IPSEC(sa_initiate): ACL = deny; no sa created".

thanmad Thu, 05/08/2008 - 13:27

Yeah, this doesn't change anything unfortunately. As you can see on the Hub, it's also there for Spoke1 and i have no problems with it.

Actions

This Discussion