No SPI to identify Phase 2 SA in ASA 5500

Dec 29th, 2009

Hi, I have two ASAs in US (inside network and India. I am controlling US. I have created an IPsec peer-to-peer tunnel.

On US side, I have allowed as source of interesting traffic in Cryptomap ACL. On India side, tech has opened as interesting traffic in Cryptomap ACL.

Now I am on the US side having subnet and trying to send data towards India, but the tunnel is not up.

I am seeing an error on the US ASA: "No SPI to identify Phase 2 SA". Please help.



Giuseppe Larosa Tue, 12/29/2009 - 09:15

Hello Rupesh,

The extended ACLs have to be the mirror of each other.

Example (with IOS router syntax):

access-list 101 permit ip


access-list 102 permit ip

on the other side

Using the any keyword is not recommended.

Hope to help
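
The mirror requirement from the reply above, as an added example that is not part of the original thread: a Python check that parses the crypto ACL from each peer and reports entries with no mirrored counterpart on the other side. The ACL names and the 10.1.0.0/16 and 10.2.0.0/16 subnets are constructed, since the thread's own addresses are not shown.

```python
import ipaddress

# Constructed sample configs (ACL names and subnets are assumptions, not from the thread).
US_ASA = "access-list CRYPTO_US extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0"
INDIA_ASA = "access-list CRYPTO_IN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0"

def parse_selector(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ip_network accepts an ASA netmask or an IOS wildcard mask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_crypto_acl(config):
    """Return the set of (source, destination) networks from 'permit ip' entries."""
    pairs = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1:i + 2] != ["ip"]:
            continue  # only plain IP selectors are handled here
        src, rest = parse_selector(tokens[i + 2:])
        dst, _ = parse_selector(rest)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local_cfg, remote_cfg):
    """Compare local entries with the remote entries swapped (dst, src)."""
    local = parse_crypto_acl(local_cfg)
    remote_swapped = {(dst, src) for src, dst in parse_crypto_acl(remote_cfg)}
    return {"local_only": local - remote_swapped, "remote_only": remote_swapped - local}

if __name__ == "__main__":
    for side, entries in mirror_mismatches(US_ASA, INDIA_ASA).items():
        for src, dst in sorted(entries):
            print(f"{side}: {src} -> {dst} has no mirror on the peer")
```

In the constructed pair the remote side selects a /24 where the local side selects a /16, so both entries are reported; an empty result in both sets means the two ACLs mirror each other.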


