
New Member

ACL = deny; no sa created

I am building an IPSec connection between a PIX and a concentrator. I receive the following debug message (ACL = deny; no sa created) when traffic initiates from behind the PIX. When traffic initiates from behind the concentrator, the tunnel comes up and data passes (from either side) without any errors. The PIX has two ACLs that are associated with the tunnel. The first ACL defines NAT and the second defines what is to be encrypted. When initiating traffic from the PIX side, both ACLs show hits. But captured traffic indicates the PIX does not try to communicate with the concentrator. Any ideas on what ACL = deny; no sa created means?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: ACL = deny; no sa created

Hi,

Have you changed anything on the PIX once the crypto map was applied to it? If yes, remove the crypto map, clear all SAs and then re-apply the map.

The behaviour mentioned does occur if we change the VPN configuration without removing the crypto map.

NOTE: The PIX is sometimes inconsistent when there is a "deny" statement in the ACL defining interesting traffic, or if it defines ports. The ACL should permit the entire IP pool and should not have any deny statement.
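Worked example, added here and not taken from any post in the thread: a PIX 6.3-style crypto ACL that carries a deny line and a port-specific entry, shown beside the permit-only form the accepted answer recommends, followed by the remove, clear and re-apply sequence it describes. All addresses, ACL names, transform-set and map names are constructed for illustration; lines beginning with "!" are annotations, not commands to type.

```cisco
! --- Constructed example, not from the thread. Addresses are RFC 5737/1918 samples.
! Crypto ACL in the form the accepted answer warns about: a deny line plus a
! port-specific entry. Packets that hit the deny line, or that miss the port
! restriction, are not treated as interesting traffic, so the PIX never starts
! IKE toward the peer for them.
access-list vpn-bad deny   ip 10.1.1.0 255.255.255.0 host 10.2.2.50
access-list vpn-bad permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
access-list vpn-bad permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Recommended form: one permit line per protected subnet pair, no deny, no ports.
! Hosts that must not reach the remote site are filtered on the interface ACL
! instead, so the crypto ACL stays a clean interesting-traffic definition.
access-list vpn-good permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! NAT exemption ACL: mirrors the crypto ACL so VPN traffic keeps its inside address.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto map entry pointing at the concentrator (constructed peer 203.0.113.1).
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-good
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Re-apply sequence after editing a crypto ACL or map (the accepted answer's advice):
! 1. unbind the map, 2. clear phase 1 and phase 2 SAs, 3. bind the map again.
no crypto map vpnmap interface outside
clear crypto isakmp sa
clear crypto ipsec sa
crypto map vpnmap interface outside

! Verification: after sending inside traffic toward 10.2.2.0/24, both an ISAKMP SA
! and an IPsec SA for the vpn-good proxy identities should be listed.
show isakmp sa
show crypto ipsec sa
```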

5 REPLIES

Cisco Employee

Re: ACL = deny; no sa created

Hi -

I would certainly see if you can execute what "ajisingh" suggested -

Also, out of curiosity, can you let me know what is the version of code you are running on the PIX?

Thanks

Gilbert

Cisco Employee

Re: ACL = deny; no sa created

Hi,

Please reboot the PIX, and if it still does not make a difference, then send me the running configuration.

HTH,

Regards,

Kamal

New Member

Re: ACL = deny; no sa created

Similar to the other suggestions, I also found others with similar troubles. A reboot was suggested. I have a failover pair, so rebooting isn't a big deal. I rebooted the standby unit then switched it to active. As for removing then reapplying the crypto map: prior to the reboot success, I did try removing the crypto map configuration specific to this connection. Removing and reapplying did not solve the issue.

New Member

Re: ACL = deny; no sa created

I forgot to mention: the PIX OS is 6.3.5.101.
