Hub and Spoke with only 1 spoke working?

thanmad
Level 1

Hi, running a PIX515E hub (6.3(1)) with ASA 5505 spokes (7.2(3)). I'm attaching the configs. I've been using http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

to configure the hub for the second spoke (the first spoke is up and working). I thought I could just replicate what I'm doing on spoke 1 and add the LAN address to the existing NoNAT ACL and add a new one for the new crypto map, but when I try to initiate it from the hub side I get "IPSEC(sa_initiate): ACL = deny; no sa created", yet when I do a show ACL for 102 and NoNAT they have hits (yes, they increment when I attempt to connect).

Ideas?
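For reference, here is the shape of the hub-side configuration the post describes (one crypto-map entry and one crypto ACL per spoke, plus a single NoNAT ACL that lists every spoke LAN). This is an added illustration in PIX 6.3 syntax, not the poster's attached config: the hub LAN 10.10.10.0/24, the spoke 2 LAN 10.11.17.0/24, the spoke 2 peer address and the transform set are assumed; 10.11.16.0/24 and 216.124.91.221 are the values that appear in the thread.

```text
! --- Hub PIX 515E, 6.3 syntax (added example; addresses other than
! --- 10.11.16.0/24 and 216.124.91.221 are assumed) ---

! One NoNAT ACL covering BOTH spoke LANs; nat 0 exempts this traffic from PAT.
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.11.16.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.11.17.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto ACL per spoke: must be the mirror image of the ACL on that spoke.
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.11.16.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0 10.11.17.0 255.255.255.0

! IKE phase 1 (assumed policy; pre-shared keys are placeholders).
isakmp enable outside
isakmp identity address
isakmp key SPOKE1_PSK_PLACEHOLDER address 216.124.91.221 netmask 255.255.255.255
isakmp key SPOKE2_PSK_PLACEHOLDER address SPOKE2_PEER_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IKE phase 2: one crypto map, a separate sequence number per peer.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map hub 10 ipsec-isakmp
crypto map hub 10 match address 101
crypto map hub 10 set peer 216.124.91.221
crypto map hub 10 set transform-set myset
crypto map hub 20 ipsec-isakmp
crypto map hub 20 match address 102
crypto map hub 20 set peer SPOKE2_PEER_IP
crypto map hub 20 set transform-set myset
crypto map hub interface outside

! Let decrypted IPsec traffic bypass the interface ACLs.
sysopt connection permit-ipsec
```

The spoke-side crypto ACL for spoke 2 would then be the reverse, 10.11.17.0/24 to 10.10.10.0/24; after changing NAT or crypto entries on the PIX, an interesting-traffic test from the inside LAN is a more reliable trigger than sourcing packets from the PIX itself.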

7 Replies

andrew.prince
Level 10

The configs look OK - you say the no-nat and the crypto ACLs are being hit, do you see packets encap/decap - encrypt/decrypt when you input the command:-

show crypto ipsec sa peer 216.124.91.221

from the hub pix?

Herein lies my problem. If I do a show crypto ipsec sa command (my version doesn't understand the peer option), all I see is spoke1; there is no SA for spoke2. Hence the message "IPSEC(sa_initiate): ACL = deny; no sa created".

OK

Looking at your config again (closer this time) I see:-

static (outside,inside) 10.11.16.0 10.11.16.0 netmask 255.255.255.0 0 0

You should not need this - as you have defined a no-nat, remove the above and test again please?

Yeah, this doesn't change anything unfortunately. As you can see on the Hub, it's also there for Spoke1 and I have no problems with it.

I did see that - and could you try:-

clear xlate

at the command line please?

and if possible - a reload on the pix?

I tried a simple reload of the Hub last night and that seems to have made it happy. Thanks for your help :)

Sadly - sometimes a reload fixes all!

Good to know your issue is resolved.