I have a strange problem when setting up an ipsec-tunnel between my ASA 5520 and a remote peer. The tunnel comes up fine, and when I am initiating traffic from my side everything is working fine; I can log into SAP and work in the system. But if I try to initiate traffic from the remote site, i.e. send a print from the remote system to a printer on my local site, that does not work. The tunnel is already up and running, but it seems that the remote peer tries to start a new tunnel. I really need help on this; the included attachment shows some of the debug-output from my ASA when the remote system initiates some traffic.
After a while the ASA logs something like "All SA are unacceptable".
I have been running the same config against the same peer for years without problems, but I cannot get it to work on the ASA.
I think that the fact that the tunnel comes up and that I can reach the remote system shows that the transform-sets, PFS-values and other parameters are correct?
Double check the crypto map match address statements (crypto ACLs). Make sure that there are no overlaps with other peers' crypto ACLs, that you're not landing on the dynamic map entry in one direction, and also make sure for your peer that on both sides of the tunnel they have the exact same crypto ACL mirrored (pay special attention to the subnet masks that you have defined as well).
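The two crypto ACL checks named in the reply above (exact mirror on both sides, no overlap with another peer's ACL) can be scripted; this is an added example, not part of the original thread. It assumes both sides' ACLs are pasted in ASA-style `permit ip NET MASK NET MASK` syntax, and all ACL names, peer labels and subnets are constructed.

```python
import ipaddress

# Constructed sample ACLs (ASA-style syntax, made-up names and subnets).
LOCAL_ACLS = {
    "PEER-A": "access-list VPN-A extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0",
    "PEER-B": "access-list VPN-B extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0",
}
# What PEER-A has configured on its side (note the /16 instead of /24).
REMOTE_A = "access-list VPN-HQ extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0"

def parse_crypto_acl(text):
    """Return [(src_net, dst_net)] for each 'permit' line; handles 'host X' and 'NET MASK'."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        args = tok[tok.index("permit") + 2:]  # skip 'permit' and the protocol
        nets = []
        while len(args) >= 2 and len(nets) < 2:
            spec = f"{args[1]}/32" if args[0] == "host" else f"{args[0]}/{args[1]}"
            nets.append(ipaddress.ip_network(spec, strict=False))
            args = args[2:]
        if len(nets) == 2:
            entries.append((nets[0], nets[1]))
    return entries

def mirror_mismatches(local, remote):
    """Compare local entries with the remote entries swapped into local orientation."""
    mirrored = {(dst, src) for src, dst in remote}
    only_local = [e for e in local if e not in mirrored]
    only_remote = [e for e in mirrored if e not in local]
    return only_local, only_remote

def peer_overlaps(acls_by_peer):
    """Find entries under different peers whose source AND destination ranges overlap."""
    items = [(p, e) for p, es in acls_by_peer.items() for e in es]
    found = []
    for i, (p1, (s1, d1)) in enumerate(items):
        for p2, (s2, d2) in items[i + 1:]:
            if p1 != p2 and s1.overlaps(s2) and d1.overlaps(d2):
                found.append((p1, p2))
    return found

if __name__ == "__main__":
    parsed = {peer: parse_crypto_acl(acl) for peer, acl in LOCAL_ACLS.items()}
    print("mirror mismatches:", mirror_mismatches(parsed["PEER-A"], parse_crypto_acl(REMOTE_A)))
    print("overlapping peers:", peer_overlaps(parsed))
```

Any entry returned by `mirror_mismatches` is a proxy identity one side would propose that the other side has no exact match for, and any pair from `peer_overlaps` is traffic that could match more than one crypto map entry.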