VPN does not start from PIX to ASA

Jan 19th, 2009

ASA-7.2.4, PIX 6.3.5

The VPN tunnel will come up if you ping a device on the PIX side from the ASA side. If you start pinging a device from the PIX to the ASA, the tunnel will not come up. Any idea?

Ivan Martinon (Cisco Employee) Mon, 01/19/2009 - 12:18

Have you checked that both configs are in sync? What are the debug outputs that you get on both endpoints? Can you upload both configs here?

rjain Tue, 01/20/2009 - 07:27

Here are the configs.

The tunnel will come up right away if you start it from the ASA, but once the tunnel is down and you try to bring it up from the PIX side, it will not come up.

I created another tunnel from the PIX to the same ASA, and we have the same issue. Looks like the issue is with the ASA.

I get the following ACL deny errors:

IPSEC(sa_initiate): ACL = deny; no sa created
192.168.21.11 NO response received -- 1000ms
IPSEC(sa_initiate): ACL = deny; no sa created
192.168.21.11 NO response received -- 1000ms
IPSEC(sa_initiate): ACL = deny; no sa created
192.168.21.11 NO response received -- 1000ms

Ivan Martinon (Cisco Employee) Tue, 01/20/2009 - 07:59

Thanks, the config looks good. Now, regarding your message: that is the reason why this tunnel is not started. Those errors are seen on the PIX, correct? This is what you need to do: remove the crypto map from the PIX outside interface, recreate your access list FOCUSColo under another name but with the same syntax, apply that access list to the match address statement of crypto map entry BTECHMAP 21, and reapply the crypto map. Then see if you can bring up the tunnel from the PIX this time.


If these errors are seen on the ASA do the same thing on ASA accordingly.
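
The rebind procedure above, written out as a PIX 6.3 CLI session. This is an added example, not configuration taken from the thread's attachments: the names BTECHMAP, sequence 21 and FOCUSColo come from the post, while the new ACL name FOCUSColo2, the subnets and the host behind the PIX are placeholders. PIX 6.3 access lists take subnet masks, not wildcard masks, so copy the original entries' masks as they are.

```text
! Added example (not from the thread): rebinding a PIX 6.3 crypto map
! entry to a freshly created crypto ACL with identical entries.
! Assumptions: BTECHMAP, 21 and FOCUSColo are the names from the post;
! FOCUSColo2 and the 10.10.10.0/24 <-> 192.168.21.0/24 subnets are placeholders.

! 1. Take the crypto map off the outside interface so the change is not
!    applied to a live SA (the failure mode described later in the thread).
no crypto map BTECHMAP interface outside

! 2. Recreate the crypto ACL under a new name, same entries, same masks.
access-list FOCUSColo2 permit ip 10.10.10.0 255.255.255.0 192.168.21.0 255.255.255.0

! 3. Point the crypto map entry at the new ACL.
crypto map BTECHMAP 21 match address FOCUSColo2

! 4. Re-apply the crypto map to the interface.
crypto map BTECHMAP interface outside

! 5. Drop any stale SAs so the next interesting packet negotiates fresh.
clear crypto isakmp sa
clear crypto ipsec sa

! 6. Verify the binding, then ping a host on the ASA side (e.g. 192.168.21.11)
!    from a host behind the PIX while watching the negotiation.
show crypto map
debug crypto isakmp
debug crypto ipsec
show crypto ipsec sa
```

Only remove the old access list (no access-list FOCUSColo) after confirming nothing else references it; on a PIX the same ACL is often reused for NAT exemption (nat 0 access-list), and deleting it would break that. If `show crypto map` still shows the old ACL name on entry 21 after step 3, the match address line did not take and the "ACL = deny; no sa created" debug will persist.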

rjain Tue, 01/20/2009 - 08:08

Thanks for the reply. It worked as you mentioned.

Thanks a lot for the help.

kampmalm2 Fri, 02/26/2010 - 03:45

Hi.

Thanks a lot for this info. It solved our problem, which had exactly the same symptoms.

What has happened in the PIX when this happens?


Regards

Paul

Ivan Martinon (Cisco Employee) Fri, 02/26/2010 - 08:22

Hi Paul,


What typically happens is that the SA gets corrupted, and it usually happens because the configuration is constantly changed without removing the crypto map from the interface.
