Site to Site VPN

Mar 15th, 2010

Dear all,

I configured a site-to-site VPN between my company head office PIX 515E and my company branch ASA 5510. It was working properly, but suddenly it didn't work any more.

I typed

debug crypto isakmp 7

on each firewall side and the outputs are attached, so if anybody can help me with why they stopped working.

slmansfield Mon, 03/15/2010 - 10:59

It looks like you have a mismatch in IPSEC configuration parameters.  It would be helpful if you could provide sanitized configurations of your two VPN endpoints.


Mar 15 02:26:31 [IKEv1]: Group =, IP =, Received non-routine Notify message: No proposal chosen (14)


Mar 15 12:59:53 [IKEv1]: Group =, IP =, Received non-routine Notify message: No proposal chosen (14)

slmansfield Tue, 03/16/2010 - 06:09

The information you provided looks correct. Is it possible that the VPN tunnel is being initiated in the opposite direction than it was when it was working? If not, could you try initiating the tunnel from the opposite side? If that doesn't work, could you try running a higher level debug on the ASA to see if it provides any more details (e.g., level 25)?

slmansfield Tue, 03/16/2010 - 07:56

Looks like the debugs were flipped around.  The 41 address is the ASA and the 196 address is the PIX?

Could you just try setting the crypto isakmp identity to IP address on both devices, just in case there is some difference in the way the ASA is negotiating with the PIX?

Ahmed Yassin Tue, 03/16/2010 - 08:07

I typed crypto isakmp identity address on both devices,

but it is the same; it is not working.

slmansfield Tue, 03/16/2010 - 10:22

Can you try removing PFS on both sides?

Ahmed Yassin Wed, 03/17/2010 - 01:43

Sorry, it is finally solved.

The problem was a conflict between the EASY VPN configuration and the SITE 2 SITE VPN, as both were using an isakmp policy with the same number. I changed the EASY VPN policy number and all is working well now.

Thanks a lot for your cooperation
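
Added example (not part of the original thread): a Python check that parses `crypto isakmp policy N` blocks from two peers' command sequences and reports whether any IKEv1 proposal is still shared, the condition behind "No proposal chosen (14)". The configuration snippets are constructed, and the assumption that the Easy VPN setup re-used policy 10 with different attributes is illustrative, since the thread does not show the actual configurations.

```python
import re

# Attributes both IKEv1 peers must agree on before a proposal is chosen.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} from 'crypto isakmp policy N' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            # Re-entering an existing number edits that policy; it does not add a new one.
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2 and parts[0] in MATCH_KEYS:
                current[parts[0]] = parts[1]   # a later command overrides an earlier one
        else:
            current = None                     # any other top-level line ends the block
    return policies

def proposal(policy):
    return tuple(policy.get(key) for key in MATCH_KEYS)

def common_proposals(local_cfg, peer_cfg):
    """List (local_number, peer_number) pairs whose attributes match on both peers."""
    local, peer = parse_isakmp_policies(local_cfg), parse_isakmp_policies(peer_cfg)
    # Policies with an attribute missing from the text are skipped rather than guessed.
    return [(l, p) for l in sorted(local) for p in sorted(peer)
            if None not in proposal(local[l]) and proposal(local[l]) == proposal(peer[p])]

# Constructed sample input, not taken from the thread.
BRANCH = ("crypto isakmp policy 10\n authentication pre-share\n encryption 3des\n"
          " hash sha\n group 2\n lifetime 86400\n")
SITE = BRANCH   # head office site-to-site policy with the same attributes
EASY = " authentication pre-share\n encryption aes\n hash sha\n group 5\n"
HEAD_BROKEN = SITE + "crypto isakmp policy 10\n" + EASY   # Easy VPN re-uses number 10
HEAD_FIXED = SITE + "crypto isakmp policy 20\n" + EASY    # Easy VPN moved to number 20

if __name__ == "__main__":
    print("same number  :", common_proposals(HEAD_BROKEN, BRANCH))
    print("renumbered   :", common_proposals(HEAD_FIXED, BRANCH))
```

An empty result means the two peers have no policy in common, so comparing the parsed policies from both sides is a quick check before digging through debug output.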

slmansfield Wed, 03/17/2010 - 05:52

Thanks for posting the resolution.  I searched the web for others having the same problem whose phase 2 stuff looked fine, as yours did.  I saw that there was a bug with PFS and multiple transform sets, which I thought could possibly apply to your setup.

I'll keep this resolution in my cache of how to solve phase 2 problems.

