Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

No SPI to identify Phase 2 SA in ASA 5500

Hi, I have two ASA in US (inside network and India. I am controlling US. I have created IPSEC peer-2-peer IPSEC tunnel.

On US side, I have allowed as source of interesting traffic in Cryptomap ACL. On India side, tech has opened as interesting traffic in Cryptomap ACL.

Now I am on US side having subnet and trying to send data towards india, but Tunnel is no UP.

I am seeing error on US ASA "No SPI to identify Phase 2 SA"., please help.



Cisco Employee

Re: No SPI to identify Phase 2 SA in ASA 5500

The "No SPI to identify Phase 2 SA" could occur for a number of different reasons.

Basic checks:

-make sure the crypto ACLs are exact mirror images of one another. be mindful of the subnet masks when youre checking also

-make sure the transform sets match on both sides

-PFS needs to be either disabled on both sides or enabled on both sides. You cannot have it enabled on one side and not the other

-make sure you have nat exemption for the vpn traffic - nat (inside) 0 access-list

To get more information about why its failing, run "debug cry isa 127" and "debug cry ipsec 127"