cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
336
Views
0
Helpful
4
Replies

PIX to PIX VPN - error log

b.meyers
Level 1
Level 1

I have created a VPN between our PIX and our clients PIX but receiving the following error when I try to activate tunnnel. I have verified the ACL's on both ends. Any Ideas??

ISADB: reaper checking SA 0x80da9618, conn_id = 0IPSEC(sa_initiate): ACL = deny;

no sa created

IPSEC(sa_initiate): ACL = deny; no sa created

IPSEC(sa_initiate): ACL = deny; no sa created

IPSEC(sa_initiate): ACL = deny; no sa created

2 Accepted Solutions

Accepted Solutions

gfullage
Cisco Employee
Cisco Employee

I've seen this a few times. Usually removing the crypto map from the interface and re-applying it resolves it, sometimes you have to remove both the crypto map and the "isakmp enable outside" and put them both back in.

This message is also sometimes to do with something wrong in the configuration, so re-check your ACL's and your transform sets, etc.

View solution in original post

ajagadee
Cisco Employee
Cisco Employee

Hi,

Couple of things to check:

1. When you tried to ping or send some traffic accross the VPN Tunnel to the new peer, does this traffic match the ACL for VPN traffic to the remote site.

2. If it matches, then make sure that there are no access-group on the pix that is blocking this traffic

3. Is it possible to re-enter the pre-shared keys on both the sides and also check to make sure that the isakmp and ipsec policies match.

4. What happens if you inititate the VPN Tunnel from the remote pix. Do you see any debugs on the local pix.

5. Make sure that there are no overlapping networks with the other peers.

6. The nat 0 ACL should include the traffic for this peer as well.

7. Can you remove the crypto map off the interface and do a "clear cry is sa" and " clear cry ipsec sa " and then reaplly the crypto map and see if your tunnel comes up.

Regads,

Arul

View solution in original post

4 Replies 4

gfullage
Cisco Employee
Cisco Employee

I've seen this a few times. Usually removing the crypto map from the interface and re-applying it resolves it, sometimes you have to remove both the crypto map and the "isakmp enable outside" and put them both back in.

This message is also sometimes to do with something wrong in the configuration, so re-check your ACL's and your transform sets, etc.

Thanks man!

I did a couple things like reapplied the ACL and the Crypto map. Thanks for the help!

Brian

ajagadee
Cisco Employee
Cisco Employee

Hi,

Couple of things to check:

1. When you tried to ping or send some traffic accross the VPN Tunnel to the new peer, does this traffic match the ACL for VPN traffic to the remote site.

2. If it matches, then make sure that there are no access-group on the pix that is blocking this traffic

3. Is it possible to re-enter the pre-shared keys on both the sides and also check to make sure that the isakmp and ipsec policies match.

4. What happens if you inititate the VPN Tunnel from the remote pix. Do you see any debugs on the local pix.

5. Make sure that there are no overlapping networks with the other peers.

6. The nat 0 ACL should include the traffic for this peer as well.

7. Can you remove the crypto map off the interface and do a "clear cry is sa" and " clear cry ipsec sa " and then reaplly the crypto map and see if your tunnel comes up.

Regads,

Arul

Thanks for the help. The issue was reslolved by removing and reapplying the ACL and crypto map.

Thanks for your Help!

Brian

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: