CISCO 871 as Server to ASA 5505 as client OR assist with site-to-site

Unanswered Question
Jun 30th, 2009

Hi,

Is there a configuration document available to assist in configuring a CISCO 871 as EasyVPN Server with an ASA 5505 as Client?

I have found a document with the connection the other way round (ASA as server and 871 as client) here: http://www.cisco.com/application/pdf/paws/68815/ezvpn-asa-svr-871-rem.pdf but it's not what I want.

Alternatively, I've set up a site-to-site VPN between the two devices but keep getting "%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA and is not an initialization offer", so it doesn't complete phase II.

I've reloaded both devices and cleared all old SAs with no luck.

Thanks,

Mario

mariov652 Wed, 07/01/2009 - 05:46

I've been comparing the 871 config with that on a current PIX 501 that allows the site-to-site to come up with no problem.

On the 871, I've also tried connecting to a second VPN site (also working from the 501) with the same resulting error messages.

This does lead to something missing or incorrect on the 871.

On both the 501 and the 871, I used the SDM GUI to create the site-to-site to the two locations. Is there a 'bug' or known issue with the GUI for the 871 that causes config to be missing?

I've compared my config (attached here with private info removed), but haven't been able to spot the problem yet.

I would think the VPN should be easier to set up on the 871 as it's a newer model with updated software compared to the 501.

Mario

mariov652 Wed, 07/01/2009 - 07:26

No, the PIX is DHCP too on the same line.

The 871 is planned to replace the PIX, so I simply unplug the WAN connection from the PIX, plug it into the 871 and reload / no shut the WAN interface on the 871 to obtain the DHCP address - DHCP address is the same each time so far.

I know the configs are slightly different between the two in terms of syntax etc., but it doesn't make sense that the SDM on the 871 doesn't work properly - this is also with a 'clean' config, i.e. write erase the 871 and start with only internet access (NAT), then apply the site-to-site wizard.

mariov652 Thu, 07/23/2009 - 05:37

Just in case someone reads this post later on and wants to know if it was solved...

This was eventually solved by resetting the 871 config clean and configuring the device step-by-step via the command-line.

Not sure why the SDM 2.5 interface caused problems though.

Cheers
