IPSEC VPN Tunnel Problem in CISCO ASA

Nov 18th, 2008

We have created an IPSEC VPN tunnel between two Cisco ASA 5510 firewalls. After establishing the VPN tunnel, when we are generating traffic in that tunnel, it is showing up and active but we are unable to "PING" or access our local LAN segments. I am getting the following syslog error...

1 Nov 10 2008 16:21:22 713900 Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Please note the IOS version of one firewall is Cisco ASA 8.0(4) and for the other one it is Cisco ASA 7.0(7).

Please help me by providing the necessary solution to overcome this problem.

It sounds like you have not passed phase 2 of the VPN negotiations.

I would do the following:-

1) Check you have the same encryption and hash configuration for phase 2 at both ends.

2) Check that your encryption domains (interesting traffic access-list) allow the same subnets at both ends.

Post the output of:-

debug crypto ipsec 20


sarkar.sandip Wed, 11/19/2008 - 04:04
Thanks for your reply. As per your suggestion, I have checked the 2 points as you have mentioned.

Please find the attached file containing the site to site VPN configuration for both end firewalls. Please suggest ...

Thanks in advance.

Please find the output of sh crypto ipsec sa

IVOXFIRE# sh crypto ipsec sa

interface: outside
    Crypto map tag: IPSecMap, seq num: 40, local addr: xx.xx.xx.xx

      access-list 120 permit ip
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (
      current_peer: xx.xx.xx.xx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 8995D15D

    inbound esp sas:
      spi: 0x67FA295B (1744447835)
         transform: esp-aes esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 74, crypto-map: IPSecMap
         sa timing: remaining key lifetime (kB/sec): (4275000/27122)
         IV size: 16 bytes
         replay detection support: Y

    outbound esp sas:
      spi: 0x8995D15D (2308297053)
         transform: esp-aes esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 74, crypto-map: IPSecMap
         sa timing: remaining key lifetime (kB/sec): (4275000/27114)
         IV size: 16 bytes
         replay detection support: Y

OK - your config looks good, and the crypto ipsec SAs look good apart from one thing:-

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

Firstly, this indicates that nothing from (local) is going to (remote) - worrying.

Does your local network know where is and how to get there?

Do you have any filtering on the inside interface that would block traffic from to ??

Can you post the configs with any sensitive config removed?


OK here are my observations:-

1) In your ACL "acl_inside" the first line is permit ip any any, which negates ALL other lines in the ACL, as you are already allowing everything.

2) Your ACL "acl_inside" only allows ICMP echo-reply, so you cannot actually ping out - add the following line:-

access-list acl_inside line 4 extended permit icmp any any echo

3) I always like to add specific routes for my VPNs; try adding:-

route outside <>

Re-test and show the output of "show access-list acl_inside".


sarkar.sandip Wed, 11/19/2008 - 05:53
I have tried the same and added the required commands in the firewall as you have mentioned. But I am still unable to PING the remote location LAN segments ( from (

Please help.

OK thanks for the output, what I see is:-

access-list acl_inside line 1 extended permit ip any any (hitcnt=3442000)

You can remove ALL other lines; as I said before, they are useless.

access-list 120 line 1 extended permit ip (hitcnt=321743)

This indicates that traffic is hitting the ACL for the VPN, but traffic is not shown in the IPSEC SA.

I would clear the access-list counters, and clear down the VPN and try to initiate it again.


sarkar.sandip Thu, 11/20/2008 - 01:54
I have cleared the access-list counters as well as the SAs with the following commands:

Firewall#clear access-list 120 counters

Firewall#clear crypto ipsec sa

Firewall#clear crypto isakmp sa

But I am still unable to PING the remote LAN segment.

From the outputs, I would say you have an issue in the local end, as you have decrypted traffic, but not sent any. The remote end has initiated the tunnel and sent traffic, which has been received but not responded to.

Check your IP routes, check your ACLs (again), debug debug debug.
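The reading above (decrypted traffic but nothing sent means the local end is at fault) can be automated over the "show crypto ipsec sa" counters. The following is an added example, not code from this thread or from Cisco; the sample output is constructed to mirror the thread's output, with the decaps counter made non-zero to match the helper's later reading, and the peer addresses are documentation-range placeholders.

```python
import re

# Constructed sample modelled on the thread's "sh crypto ipsec sa" output.
# decaps is non-zero here (the posted output had 0) to show the
# "receiving but not sending" case the helper describes.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: IPSecMap, seq num: 40, local addr: 203.0.113.10
      current_peer: 198.51.100.20
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")

def parse_ipsec_sa(text):
    """Return {peer: {counter_name: value}} for each crypto-map entry."""
    entries, current = {}, None
    for line in text.splitlines():
        peer = PEER_RE.search(line)
        if peer:
            current = peer.group(1)
            entries[current] = {}
            continue
        if current is None:
            continue  # header lines before the first peer
        for name, value in COUNTER_RE.findall(line):
            entries[current][name] = int(value)
    return entries

def diagnose(counters):
    """Map the encaps/decaps pair to the direction in which traffic is missing."""
    enc = counters.get("encaps", 0)
    dec = counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "no traffic either way: interesting traffic is not matching the crypto ACL, or the tunnel is idle"
    if enc == 0:
        return "receiving only: local end decrypts but never sends; check local routes and the inside ACL"
    if dec == 0:
        return "sending only: remote end is not replying; check remote routes/ACL and that encryption domains match"
    return "bidirectional traffic flowing"

if __name__ == "__main__":
    for peer, counters in parse_ipsec_sa(SAMPLE_SA_OUTPUT).items():
        print(peer, "->", diagnose(counters))
```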


sarkar.sandip Fri, 11/21/2008 - 01:29
I have reconfigured the Phase 2 for IPSEC VPN tunnel at local end and now it is working fine. We are able to PING both location LAN segments properly.

Thanks to you for your help and support.
