02-23-2007 07:58 AM
I am building an IPSec connection between a PIX and a concentrator. I receive the following debug message (ACL = deny; no sa created) when traffic initiates from behind the PIX. When traffic initiates from behind the concentrator, the tunnel comes up and data passes (from either side) without any errors. The PIX has two ACLs that are associated with the tunnel. The first ACL defines NAT and the second defines what is to be encrypted. When initiating traffic from the PIX side, both ACLs show hits. But captured traffic indicates the PIX does not try to communicate with the concentrator. Any ideas on what "ACL = deny; no sa created" means?
02-23-2007 09:05 AM
Hi,
Have you changed anything on the PIX once the crypto map was applied to it? If yes, remove the crypto map, clear all SAs, and then re-apply the map.
The behaviour mentioned does occur if we change the VPN configuration without removing the crypto map.
NOTE: The PIX is sometimes inconsistent if there is a "deny" statement in the ACL defining interesting traffic, or if that ACL defines ports. The ACL should permit the entire IP pool and should not have any deny statement.
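As an added illustration of the reply above (this is not the poster's configuration and not from the thread), here is a PIX 6.3-style LAN-to-LAN crypto configuration laid out the way the reply recommends: a NAT-exemption ACL and an interesting-traffic ACL that are mirror images of each other, protocol "ip" only, no ports and no deny lines, followed by the remove / clear / re-apply sequence. The ACL names, map name, subnets, peer address and pre-shared key are hypothetical placeholders.

```cisco
! Added example, not the original poster's config. All names and addresses are placeholders.

! NAT exemption: traffic destined for the tunnel must not be translated before encryption.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Interesting traffic: whole subnets, protocol "ip", no port matches, no deny entries.
! The concentrator side must have the exact mirror image (10.2.2.0/24 -> 10.1.1.0/24).
access-list l2l_vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l_vpn
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

isakmp enable outside
isakmp key REPLACE_WITH_REAL_PSK address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec

! The sequence the reply describes, to run after any change to the crypto
! configuration: unbind the map, clear both SA databases, then bind it again.
no crypto map outside_map interface outside
clear crypto ipsec sa
clear crypto isakmp sa
crypto map outside_map interface outside
```

After re-applying the map, initiate traffic from behind the PIX and check `show isakmp sa` and `show crypto ipsec sa`; an ISAKMP SA in QM_IDLE and non-zero encrypt counters on the IPSec SA confirm the PIX is now proposing the tunnel itself rather than only answering the concentrator.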
02-23-2007 09:22 AM
Hi -
I would certainly see if you can execute what "ajisingh" suggested -
Also, out of curiosity, can you let me know what is the version of code you are running on the PIX?
Thanks
Gilbert
02-23-2007 09:31 AM
Hi,
Please reboot the PIX, and if it still does not make a difference, then send me the running configuration.
HTH,
Regards,
Kamal
02-23-2007 11:31 AM
Similar to the other suggestions, I also found others with similar troubles. A reboot was suggested. I have a failover pair, so rebooting isn't a big deal. I rebooted the standby unit, then switched it to active. As for removing and then reapplying the crypto map: prior to the successful reboot, I did try removing the crypto map configuration specific to this connection. Removing and reapplying did not solve the issue.
02-23-2007 11:34 AM
I forgot to mention. The PIX OS is 6.3.5.101