VPN does not start from PIX to ASA

Jan 19th, 2009

ASA-7.2.4, PIX 6.3.5

The VPN tunnel will come up if you ping a device on the PIX side from the ASA side. If you start pinging a device from the PIX to the ASA, the tunnel will not come up. Any idea?

Ivan Martinon Mon, 01/19/2009 - 12:18

Have you checked that both configs are in sync? What are the debug outputs that you get on both endpoints? Can you upload both configs here?

rjain Tue, 01/20/2009 - 07:27

Here are the configs.

The tunnel will come up if you start it from the ASA right away, but once the tunnel is down and you try to bring it up from the PIX side, it will not come up.

I created another tunnel from the PIX to the same ASA, and we have the same issue. Looks like the issue is with the ASA.

I get the following ACL deny errors:

IPSEC(sa_initiate): ACL = deny; no sa created
192.168.21.11 NO response received -- 1000ms
IPSEC(sa_initiate): ACL = deny; no sa created
192.168.21.11 NO response received -- 1000ms
IPSEC(sa_initiate): ACL = deny; no sa created
192.168.21.11 NO response received -- 1000ms

Ivan Martinon Tue, 01/20/2009 - 07:59

Thanks, the config looks good. Now, regarding your message, that is the reason why this tunnel is not started. Those errors are seen on the PIX, correct? This is what you need to do: go ahead and remove the crypto map from the PIX outside interface, recreate your access list FOCUSColo with another name but with the same syntax, apply that access list to the match address statement of tunnel BTECHMAP 21, and reapply the crypto map. See if you can create the tunnel from the PIX this time.

If these errors are seen on the ASA do the same thing on ASA accordingly.
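
The procedure above, written out as a PIX 6.3 CLI session. This is an added illustration, not a config from the thread: the crypto map name BTECHMAP, sequence 21 and the ACL name FOCUSColo come from the posts, while the replacement ACL name FOCUSColo2, the subnets and the netmasks are assumed placeholders that must be replaced with the values from the original FOCUSColo entry.

```cisco
! Added example (not from the thread). Assumed values: FOCUSColo2, 192.168.20.0/24 as the PIX LAN,
! 192.168.21.0/24 as the ASA LAN. Copy the real lines from "show access-list FOCUSColo" instead.
configure terminal

! 1. Take the crypto map off the outside interface so the stale, "ACL = deny" SA state is torn down.
no crypto map BTECHMAP interface outside

! 2. Recreate the crypto ACL under a new name with the same permit lines as FOCUSColo.
!    PIX 6.3 access-lists use subnet masks, not wildcard masks.
access-list FOCUSColo2 permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0

! 3. Point the tunnel's match address at the new ACL.
crypto map BTECHMAP 21 match address FOCUSColo2

! 4. Reapply the crypto map to the interface.
crypto map BTECHMAP interface outside

! The old ACL is left in place in case it is also referenced elsewhere (for example by a
! "nat (inside) 0 access-list" statement); remove it separately once nothing uses it.
end
write memory

! 5. Verify from the PIX side: initiate traffic, then confirm the SA exists and the
!    "IPSEC(sa_initiate): ACL = deny; no sa created" line no longer appears under debug.
debug crypto ipsec
ping inside 192.168.21.11
show isakmp sa
show crypto ipsec sa
no debug crypto ipsec
```

Check the match address line in "show run crypto map" before and after step 3: the point of the procedure is that the map binds to a freshly built ACL object, so the sequence entry must reference the new name, not merely a re-entered copy of the old one.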

rjain Tue, 01/20/2009 - 08:08

Thanks for the reply. It worked as you mentioned.

Thanks a lot for the help.

kampmalm2 Fri, 02/26/2010 - 03:45

Hi.

Thanks a lot for this info. It solved our problem with exactly the same symptoms.

What has happened in the PIX when this happens?

Regards

Paul

Ivan Martinon Fri, 02/26/2010 - 08:22

Hi Paul,

What typically happens is that the SA gets corrupted, and it usually happens because the configuration is constantly changed without removing the crypto map from the interface.
