05-07-2008 10:11 AM
Hi, running a PIX515E hub (6.3(1)) with ASA 5505 spokes (7.2(3)). I'm attaching the configs. I've been using http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml
to configure the hub for the second spoke (the first spoke is up and working). I thought I could just replicate what I'm doing on spoke 1, add the LAN address to the existing NoNAT ACL, and add a new one for the new crypto map, but when I try to initiate it from the hub side I get "IPSEC(sa_initiate): ACL = deny; no sa created". Yet when I do a sho ACL for 102 and NoNAT, they have hits (yes, they increment when I attempt to connect).
ideas?
05-07-2008 01:31 PM
The configs look OK. You say the no-NAT and the crypto ACLs are being hit; do you see packets encap/decap and encrypt/decrypt when you input the command:
show crypto ipsec sa peer 216.124.91.221
from the hub pix?
05-08-2008 07:12 AM
Herein lies my problem. If I do a sho crypto ipsec sa command (my version doesn't understand the peer option), all I see is spoke1; there is no SA for spoke2. Hence the message "IPSEC(sa_initiate): ACL = deny; no sa created".
05-08-2008 07:36 AM
OK
Looking at your config again (closer this time) I see:-
static (outside,inside) 10.11.16.0 10.11.16.0 netmask 255.255.255.0 0 0
You should not need this - as you have defined a no-nat, remove the above and test again please?
05-08-2008 01:27 PM
Yeah, this doesn't change anything, unfortunately. As you can see on the hub, it's also there for Spoke1, and I have no problems with it.
05-08-2008 02:13 PM
I did see that - and could you try:-
clear xlate
at the command line please?
and if possible - a reload on the pix?
05-09-2008 09:16 AM
I tried a simple reload of the Hub last night and that seems to have made it happy. Thanks for your help :)
05-09-2008 01:57 PM
Sadly - sometimes a reload fixes all!
Good to know your issue is resolved.