Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1684
Views
0
Helpful
1
Replies

No SPI to identify phase 2 SA!

thellco01
Level 1
Level 1

‎12-18-2008 12:43 PM

I am trying to set up site to site vpn between an asa 5510 and 5505. I ran startup wizard and VPN site to site wizard on both. When I try to ping the remote site it fails and no tunnle is brought up. The message in the log is

"NO SPI to Identify Phase 2 SA!"

Any ideas?

Labels:
0 Helpful
1 Reply 1

ajagadee
Cisco Employee
Cisco Employee

‎12-18-2008 01:35 PM

Hi,

This basically means that the ASA does not have an IPSEC SA built. Please refer the below URL and make sure that the configuration is correct on both the ASA's

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

If you are still having issues, then post the configuration from the ASA along with Isakmp and IPSEC Debugs.

Regards,

Arul

*Pls rate all helpful posts*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents