New Member

Hub and Spoke with only 1 spoke working?

Hi, running a PIX515E hub (6.3(1)) with ASA 5505 spokes (7.2(3)). I'm attaching the configs. I've been using http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml to configure the hub for the second spoke (the first spoke is up and working). I thought I could just replicate what I'm doing on spoke 1 and add the LAN address to the existing NoNat ACL and add a new one for the new cryptomap, but when I try to initiate it from the hub side I get "IPSEC(sa_initiate): ACL = deny; no sa created", yet when I do a Sho ACL for 102 and NoNAT they have hits (yes, they increment when I attempt to connect).

Ideas?


Re: Hub and Spoke with only 1 spoke working?

The configs look OK - you say the no-nat and the crypto ACLs are being hit, do you see packets encap/decap - encryp/decryp when you input the command:-

show crypto ipsec sa peer 216.124.91.221

from the hub pix?

New Member

Re: Hub and Spoke with only 1 spoke working?

Herein lies my problem. If I do a sho crypto ipsec sa command (my version doesn't understand the peer option), all I see is spoke1; there is no SA for spoke2. Hence the message "IPSEC(sa_initiate): ACL = deny; no sa created".

Re: Hub and Spoke with only 1 spoke working?

OK

Looking at your config again (closer this time) I see:-

static (outside,inside) 10.11.16.0 10.11.16.0 netmask 255.255.255.0 0 0

You should not need this - as you have defined a no-nat, remove the above and test again please?

New Member

Re: Hub and Spoke with only 1 spoke working?

Yeah, this doesn't change anything unfortunately. As you can see on the Hub, it's also there for Spoke1 and I have no problems with it.

Re: Hub and Spoke with only 1 spoke working? (Accepted Solution)

I did see that - and could you try:-

clear xlate

at the command line please?

and if possible - a reload on the pix?

New Member

Re: Hub and Spoke with only 1 spoke working?

I tried a simple reload of the Hub last night and that seems to have made it happy. Thanks for your help :)

Re: Hub and Spoke with only 1 spoke working?

Sadly - sometimes a reload fixes all!

Good to know your issue is resolved.
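
The replication step described in the original question (a new crypto ACL for the second spoke plus a matching entry in the NoNat ACL) can be checked mechanically before looking for stale state. The following is an added example, not part of the thread or of any Cisco tool: the config text, addresses, map name and keys are constructed, the syntax is PIX 6.3-style, and it assumes the NAT-exemption ACL repeats each crypto ACL entry verbatim.

```python
# Added example: completeness check for hub crypto map entries (PIX 6.3-style syntax).
# SAMPLE is constructed; addresses, map name and keys are not from the thread.
SAMPLE = """\
access-list NoNAT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NoNAT permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list 101 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list 102 permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NoNAT
crypto map hubmap 10 ipsec-isakmp
crypto map hubmap 10 match address 101
crypto map hubmap 10 set peer 192.0.2.10
crypto map hubmap 10 set transform-set myset
crypto map hubmap 20 ipsec-isakmp
crypto map hubmap 20 match address 102
crypto map hubmap 20 set peer 192.0.2.20
crypto map hubmap 20 set transform-set myset
isakmp key EXAMPLE1 address 192.0.2.10 netmask 255.255.255.255
isakmp key EXAMPLE2 address 192.0.2.20 netmask 255.255.255.255
"""

def check_spokes(config):
    """Return findings per crypto map entry; an empty list means nothing is missing."""
    acls, entries, keyed, nonat = {}, {}, set(), None
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["access-list"] and tok[2:3] == ["permit"]:
            acls.setdefault(tok[1], set()).add(" ".join(tok[3:]))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"] and len(tok) > 4:
            nonat = tok[4]  # ACL that exempts VPN traffic from NAT
        elif tok[:2] == ["isakmp", "key"] and "address" in tok[:-1]:
            keyed.add(tok[tok.index("address") + 1])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[3].isdigit():
            entry = entries.setdefault(tok[3], {})
            if len(tok) >= 7:  # e.g. "match address 102", "set peer 192.0.2.20"
                entry[f"{tok[4]} {tok[5]}"] = tok[6]
    exempt = acls.get(nonat, set())
    findings = []
    for seq in sorted(entries, key=int):
        acl, peer = entries[seq].get("match address"), entries[seq].get("set peer")
        if acl not in acls:
            findings.append(f"map {seq}: crypto ACL {acl} is not defined")
        elif not acls[acl] <= exempt:
            findings.append(f"map {seq}: ACL {acl} traffic is not exempt from NAT")
        if peer not in keyed:
            findings.append(f"map {seq}: no isakmp key for peer {peer}")
        if "set transform-set" not in entries[seq]:
            findings.append(f"map {seq}: no transform-set")
    return findings

print(check_spokes(SAMPLE) or "no gaps found")
```

A clean result only rules out gaps in the configuration text; in this thread the configs were judged OK and the tunnel came up after a reload of the hub.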
