No SPI to identify Phase 2 SA in ASA 5500

Rupesh Kashyap
Level 1

Hi, I have two ASAs, one in the US (inside network 10.0.0.0/24) and one in India. I am controlling the US one. I have created a peer-to-peer IPsec tunnel.

On the US side, I have allowed 10.0.0.0/24 as the source of interesting traffic in the crypto map ACL. On the India side, the tech has opened 10.80.0.0/26 as interesting traffic in the crypto map ACL.

Now I am on the US side with subnet 10.80.0.0 and trying to send data towards India, but the tunnel is not UP.

I am seeing the error "No SPI to identify Phase 2 SA" on the US ASA. Please help.

Regards,

Rupesh

1 Reply

hdashnau
Cisco Employee

The "No SPI to identify Phase 2 SA" error could occur for a number of different reasons.

Basic checks:

- Make sure the crypto ACLs are exact mirror images of one another. Be mindful of the subnet masks when you're checking, too.

- Make sure the transform sets match on both sides.

- PFS needs to be either disabled on both sides or enabled on both sides. You cannot have it enabled on one side and not the other.

- Make sure you have NAT exemption for the VPN traffic: nat (inside) 0 access-list

To get more information about why it's failing, run "debug cry isa 127" and "debug cry ipsec 127".
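The first two checks in the reply (mirror-image crypto ACLs with matching masks, and matching Phase 2 parameters) can be verified offline before touching the boxes. The script below is an added example, not part of this thread and not Cisco's code. It parses ASA extended ACL lines of the `permit ip <net> <mask> <net> <mask>` form only (host/any forms are not handled), flips each source/destination pair and looks for it on the far side, and separately flags entries that differ only in subnet mask, which is the case the reply warns about. The ACL names, the sample ACL lines and the Phase 2 settings are constructed to illustrate a mask mismatch and a PFS mismatch; they are not the poster's actual configuration.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (hypothetical names and entries, not from the thread).
US_ACL = """
access-list VPN-TO-INDIA extended permit ip 10.0.0.0 255.255.255.0 10.80.0.0 255.255.255.192
"""
INDIA_ACL = """
access-list VPN-TO-US extended permit ip 10.80.0.0 255.255.255.0 10.0.0.0 255.255.255.0
"""

# Constructed Phase 2 settings for each peer (transform set and PFS group).
US_PHASE2 = {"transform_set": "esp-aes-256 esp-sha-hmac", "pfs": "group2"}
INDIA_PHASE2 = {"transform_set": "esp-aes-256 esp-sha-hmac", "pfs": None}

# Only the "permit ip <src> <mask> <dst> <mask>" form is parsed (assumption).
ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_acl(text):
    """Return a set of (src_network, dst_network) pairs from ASA extended ACL lines."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # skip lines in forms this parser does not cover
        src_ip, src_mask, dst_ip, dst_mask = m.groups()
        src = ipaddress.ip_network(f"{src_ip}/{src_mask}", strict=False)
        dst = ipaddress.ip_network(f"{dst_ip}/{dst_mask}", strict=False)
        pairs.add((src, dst))
    return pairs


def mirror_report(side_a, side_b):
    """Check that every (src, dst) on side A appears as (dst, src) on side B, and vice versa.

    Entries whose network addresses line up but whose masks differ are reported
    separately, since that is the easiest mismatch to miss by eye.
    """
    expected_on_b = {(dst, src) for src, dst in side_a}
    missing_on_b = expected_on_b - side_b
    extra_on_b = side_b - expected_on_b
    mask_mismatches = []
    for src, dst in missing_on_b:
        for bsrc, bdst in extra_on_b:
            if (src.network_address == bsrc.network_address
                    and dst.network_address == bdst.network_address):
                mask_mismatches.append(((src, dst), (bsrc, bdst)))
    return {
        "mirrored": not missing_on_b and not extra_on_b,
        "missing_on_b": missing_on_b,
        "extra_on_b": extra_on_b,
        "mask_mismatches": mask_mismatches,
    }


def phase2_mismatches(a, b):
    """Return {setting: (side_a_value, side_b_value)} for every Phase 2 setting that differs."""
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    us, india = parse_acl(US_ACL), parse_acl(INDIA_ACL)
    report = mirror_report(us, india)
    print("crypto ACLs mirrored:", report["mirrored"])
    for (a_src, a_dst), (b_src, b_dst) in report["mask_mismatches"]:
        print(f"mask mismatch: US has {a_src} -> {a_dst}, India has {b_src} -> {b_dst}")
    for setting, (us_val, in_val) in phase2_mismatches(US_PHASE2, INDIA_PHASE2).items():
        print(f"phase 2 mismatch on {setting}: US={us_val} India={in_val}")
```

With the constructed input the script reports that the ACLs are not mirrored because the India side covers 10.80.0.0/24 while the US side expects 10.80.0.0/26, and that PFS is enabled on one peer only; both are conditions the reply lists as causes of a Phase 2 failure.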