No SPI to identify Phase 2 SA in ASA 5500

Unanswered Question
Dec 29th, 2009

Hi, I have two ASAs, one in the US (inside network ) and one in India. I am controlling the US side. I have created an IPsec peer-to-peer tunnel.

On the US side, I have allowed as the source of interesting traffic in the crypto map ACL. On the India side, the tech has opened as interesting traffic in the crypto map ACL.

Now I am on the US side, on subnet , trying to send data towards India, but the tunnel is not coming up.

I am seeing the error "No SPI to identify Phase 2 SA" on the US ASA. Please help.



hdashnau Tue, 12/29/2009 - 06:48
  • Cisco Employee

The "No SPI to identify Phase 2 SA" error could occur for a number of different reasons.

Basic checks:

- Make sure the crypto ACLs are exact mirror images of one another. Be mindful of the subnet masks when you're checking, too.

- Make sure the transform sets match on both sides.

- PFS needs to be either disabled on both sides or enabled on both sides. You cannot have it enabled on one side and not the other.

- Make sure you have NAT exemption for the VPN traffic: nat (inside) 0 access-list

To get more information about why it's failing, run "debug cry isa 127" and "debug cry ipsec 127".


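The config checks in the answer above (mirror-image crypto ACLs including their masks, identical transform sets, PFS on both sides or neither) can be scripted against the two running configs. The following is an added example, not code from the original thread or from Cisco: it parses the relevant lines of both ASA configurations and reports each mismatch. The config text, subnets, peer addresses and map names are constructed for the example; it assumes one crypto map entry and one transform set per side, and it does not check the NAT exemption.

```python
"""Compare the Phase 2 (IPsec) parameters of two ASA site-to-site configs.

Added example, not code from the thread or from Cisco. All config text below
is constructed; addresses and names are assumptions. Assumes a single crypto
map entry per side (one tunnel) and one transform set per entry.
"""
import ipaddress
import re

# Constructed US-side config: 10.1.0.0/16 <-> 10.2.0.0/24, PFS group2.
US_CONFIG = """\
access-list US2INDIA extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address US2INDIA
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set pfs group2
"""

# Constructed India-side config with two of the mistakes from the answer:
# the US subnet mask is /24 instead of /16, and PFS is missing.
INDIA_CONFIG = """\
access-list INDIA2US extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address INDIA2US
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
"""

# The same India-side config with both mistakes corrected.
INDIA_CONFIG_FIXED = """\
access-list INDIA2US extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address INDIA2US
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set pfs group2
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs)(?: (\S+))?$")


def parse_asa(text):
    """Return (acls, transform_sets, crypto_map_entries) from ASA config text."""
    acls, tsets, maps = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # ip_network accepts dotted netmasks, so masks are normalised to prefixes.
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := TS_RE.match(line):
            # Compare by contents, not by name: names need not match across peers.
            tsets[m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            name, seq, key, value = m.groups()
            if key == "set pfs" and value is None:
                value = "group2"  # ASA default DH group when "set pfs" has no argument
            maps.setdefault((name, seq), {})[key] = value
    return acls, tsets, maps


def check_phase2(local_text, remote_text):
    """Return a list of findings; an empty list means the Phase 2 proposals agree."""
    findings = []
    l_acls, l_ts, l_maps = parse_asa(local_text)
    r_acls, r_ts, r_maps = parse_asa(remote_text)
    (l_map,), (r_map,) = l_maps.values(), r_maps.values()  # one tunnel per side (assumption)

    # 1. Crypto ACLs must be exact mirror images: src/dst swapped, masks identical.
    local_pairs = set(l_acls[l_map["match address"]])
    mirrored = {(d, s) for s, d in r_acls[r_map["match address"]]}
    for s, d in local_pairs - mirrored:
        findings.append(f"local ACE {s} -> {d} has no mirror on the remote side")
    for s, d in mirrored - local_pairs:
        findings.append(f"remote ACE {d} -> {s} has no mirror on the local side")

    # 2. Transform sets must contain the same ESP transforms.
    l_prop, r_prop = l_ts[l_map["set transform-set"]], r_ts[r_map["set transform-set"]]
    if l_prop != r_prop:
        findings.append(f"transform sets differ: {sorted(l_prop)} vs {sorted(r_prop)}")

    # 3. PFS must be on both sides (same DH group) or on neither.
    l_pfs, r_pfs = l_map.get("set pfs"), r_map.get("set pfs")
    if (l_pfs is None) != (r_pfs is None):
        findings.append("PFS is enabled on one side only")
    elif l_pfs != r_pfs:
        findings.append(f"PFS DH groups differ: {l_pfs} vs {r_pfs}")
    return findings


if __name__ == "__main__":
    for f in check_phase2(US_CONFIG, INDIA_CONFIG):
        print("MISMATCH:", f)
    print("after fix:", check_phase2(US_CONFIG, INDIA_CONFIG_FIXED))
```

Against the constructed configs the script reports the /24-versus-/16 mask error from both directions and the missing PFS, and reports nothing once the India side is corrected. Transform sets are compared by their transform list rather than by name, since the two ASAs may legitimately call the same set different things.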