ACL = deny; no sa created

rmeans
Level 3

I am building an IPSec connection between a PIX and a concentrator. I receive the following debug message (ACL = deny; no sa created) when traffic initiates from behind the PIX. When traffic initiates from behind the concentrator, the tunnel comes up and data passes (from either side) without any errors. The PIX has two ACLs that are associated with the tunnel. The first ACL defines NAT and the second defines what is to be encrypted. When initiating traffic from the PIX side, both ACLs show hits. But captured traffic indicates the PIX does not try to communicate with the concentrator. Any ideas on what ACL = deny; no sa created means?


5 Replies

Ajit Singh
Level 1

Hi,

Have you changed anything on the PIX once the crypto map was applied to it? If yes, remove the crypto map, clear all SAs and then re-apply the map.

The behaviour mentioned does occur if we change the VPN configuration without removing the crypto map.

NOTE: The PIX is sometimes inconsistent in the case of "deny" statements in the ACL defining interesting traffic, or if it defines ports. The ACL should permit the entire IP pool and should not have any deny statement.
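As an added check (not from this thread or from Cisco), the script below scans a PIX 6.3-style configuration excerpt for the two patterns the note above warns about: deny entries and port- or protocol-specific entries in any ACL bound to a crypto map with "match address". The configuration, ACL names and addresses are constructed for illustration.

```python
import re

# Constructed PIX 6.3-style excerpt (not the poster's configuration): the
# crypto ACL VPN_TRAFFIC mixes a deny line and a port-specific line, which is
# exactly the pattern the accepted answer says makes the PIX behave
# inconsistently. NONAT is only used for nat 0 and is not a crypto ACL.
SAMPLE_CONFIG = """\
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_TRAFFIC deny ip 10.1.1.0 255.255.255.0 host 10.2.2.50
access-list VPN_TRAFFIC permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 80
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
"""

MATCH_ADDR = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
ACL_LINE = re.compile(r"^access-list (\S+) (permit|deny) (\S+)(.*)$")
PORT_OPERATOR = re.compile(r"\b(eq|range|gt|lt|neq)\b")


def crypto_acls(config):
    """Return {acl_name: (map_name, seq)} for every ACL bound as interesting traffic."""
    bound = {}
    for line in config.splitlines():
        m = MATCH_ADDR.match(line.strip())
        if m:
            bound[m.group(3)] = (m.group(1), int(m.group(2)))
    return bound


def lint_crypto_acls(config):
    """Flag crypto-ACL entries that deny traffic or match on protocol/port.

    Returns a list of (acl_name, reason, offending_line) tuples; ACLs that are
    not referenced by any crypto map (e.g. the nat 0 ACL) are ignored.
    """
    bound = crypto_acls(config)
    findings = []
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m or m.group(1) not in bound:
            continue
        name, action, proto, rest = m.groups()
        if action == "deny":
            findings.append((name, "deny entry in crypto ACL", line.strip()))
        elif proto != "ip" or PORT_OPERATOR.search(rest):
            findings.append((name, "port/protocol-specific entry in crypto ACL", line.strip()))
    return findings


if __name__ == "__main__":
    for acl, reason, text in lint_crypto_acls(SAMPLE_CONFIG):
        print(f"{acl}: {reason}: {text}")
```

Feed it the output of "show running-config" (or "write terminal" on a PIX) to get the same report for a real device; a clean crypto ACL produces no findings.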

Hi -

I would certainly see if you can execute what "ajisingh" suggested -

Also, out of curiosity, can you let me know what is the version of code you are running on the PIX?

Thanks

Gilbert

Kamal Malhotra
Cisco Employee

Hi,

Please reboot the PIX, and if that still does not make a difference, then send me the running configuration.

HTH,

Regards,

Kamal

rmeans
Level 3

Similar to the other suggestions, I also found others with similar troubles. A reboot was suggested. I have a failover pair, so rebooting isn't a big deal. I rebooted the standby unit, then switched it to active. As for removing then reapplying the crypto map: prior to the reboot success, I did try removing the crypto map configuration specific to this connection. Removing and reapplying did not solve the issue.

rmeans
Level 3

I forgot to mention. The PIX OS is 6.3.5.101