No SPI to identify phase 2 SA!

Unanswered Question
Dec 18th, 2008

I am trying to set up site to site vpn between an asa 5510 and 5505. I ran startup wizard and VPN site to site wizard on both. When I try to ping the remote site it fails and no tunnle is brought up. The message in the log is

"NO SPI to Identify Phase 2 SA!"

Any ideas?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ajagadee Thu, 12/18/2008 - 13:35


This basically means that the ASA does not have an IPSEC SA built. Please refer the below URL and make sure that the configuration is correct on both the ASA's

If you are still having issues, then post the configuration from the ASA along with Isakmp and IPSEC Debugs.



*Pls rate all helpful posts*


This Discussion