Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1521
Views
5
Helpful
7
Replies

VPN does not start from PIX to ASA

rjain
Level 1
Level 1

‎01-19-2009 11:04 AM

ASA-7.2.4, PIX 6.3.5

VPN tunnel will come up if you ping a device on the PIX side from ASA side. If you start ping a device from PIX to ASA , Tunnel will not come up. Any idea?

Labels:
0 Helpful
7 Replies 7

Ivan Martinon
Level 7
Level 7

‎01-19-2009 12:18 PM

Have you check that both configs are in sync? What are the debug outputs that you get on both endpoints? Can you upload both configs here?

0 Helpful

rjain
Level 1
Level 1
In response to Ivan Martinon

‎01-20-2009 07:27 AM

Here are the config.

Tunnel will come up if you start from ASA right away . but once tunnel is down and try to bring from PIX side, it will not come up.

I created another tunnel from pix to same ASA , we have the same issue. Looks like the issue is with ASA.

I get the following acl deny errors

IPSEC(sa_initiate): ACL = deny; no sa created

192.168.21.11 NO response received -- 1000ms

IPSEC(sa_initiate): ACL = deny; no sa created

192.168.21.11 NO response received -- 1000ms

IPSEC(sa_initiate): ACL = deny; no sa created

192.168.21.11 NO response received -- 1000ms

Preview file
5 KB
0 Helpful

Ivan Martinon
Level 7
Level 7
In response to rjain

‎01-20-2009 07:59 AM

Thanks, config looks good, now on regards to your message, that is the reason why this tunnel is not started, those errors are seen on the pix correct? this is what you need to do: Go ahead and remove the crypto map from the PIX outside interface, recreate your access list FOCUSColo with another name but with the same syntax, apply that access list to the match address statement of tunnel BTECHMAP 21 and reapply the crypto map, see if you can try to create the tunnel from the pix this time.

If these errors are seen on the ASA do the same thing on ASA accordingly.

rjain
Level 1
Level 1
In response to Ivan Martinon

‎01-20-2009 08:08 AM

thanks for the reply. it worked as you mentioned.

thanks a lot for the help

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to rjain

‎01-20-2009 10:29 AM

awsome!

0 Helpful

kampmalm2
Level 1
Level 1
In response to Ivan Martinon

‎02-26-2010 03:45 AM

Hi.

Thanks a lot for this info. It solved our problem with exact the same symptoms.

What has happened in the PIX when this happens?

Regards

Paul

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to kampmalm2

‎02-26-2010 08:22 AM

Hi Paul,

What tipycally happens is that the SA gets corrupted, and it usually happens because the configuration is constantly changed without removing the crypto map from the interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents