Hi, I currently have a site to site vpn up and running and it's working fine. I'm trying to bring two more online and just can't get them working. I used the same config from the working one but I can't get the tunnel to come up. I've seen various errors while debugging isakmp and ipsec and they are at the end of my configs. Anybody have any ideas? Thanks
Main site - has vpn clients connecting to it and pt to pt vpns to 3 endpoints
Cisco PIX Firewall Version 6.3(3)
** Main Site Config **
access-list client_vpn permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
Did you also copy/paste the pre-shared keys? Can you manually enter them on both sides and try? Can you give us some more debug outputs? I hope you tried the ACL VPN_to_Site2 on your nat 0 statement before? Are there any other ACLs on the inside interface?
Yes, I did try entering the pre-shared keys again, that was one of the first things I suspected. The debug only gives me
IPSEC(sa_initiate): ACL = deny; no sa created
As for ACLs, I do have the standard inside ACL for all outbound traffic. My nat 0 is for ACL client_vpn, which handles both the point to point VPNs and the client. As you can see on the crypto statements, the VPN_to_Main is the ACL that handles the 'interesting' traffic for that network to be encrypted.
Like I said, as it is now it's working with one site just fine, and this new site I set up exactly the same, no go, and I don't see why.
This is the official response on the error message from Cisco:
"%PIX-3-302302: ACL = deny; no sa created
Explanation IPSec proxy mismatches. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.
Action Check the access-list command statement in the configuration. Contact the administrator for the peer."
Having said that, I have come across this quite a few times before when setting up VPNs, always on the device initiating the tunnel. Sad to say, rebooting the device more often than not sorted the problem out. Yes, it's not a very good solution, but the PIX seems to get itself into a bit of a mess sometimes.
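A check for the proxy-identity mismatch the Cisco message describes, added here as an example (not from the thread or from Cisco): it parses the crypto ACLs of both peers and reports any local permit entry whose mirror image the peer does not have. Only the main-site ACL line comes from the thread; the two Site2 ACL lines are constructed to show a correct mirror and a wrong one.

```python
import ipaddress
import re

# Main-site line as posted in the thread. The Site2 lines are constructed:
# one is the exact mirror image Site2's PIX would need, the other has the
# main-site mask typed as /24 instead of /16 (a mismatch to be caught).
MAIN_SITE_ACL = """
access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
"""
SITE2_ACL_OK = """
access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
"""
SITE2_ACL_WRONG = """
access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0
"""

# PIX 6.3 syntax: access-list NAME permit|deny ip SRC SRCMASK DST DSTMASK
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)


def parse_acl(text):
    """Return (action, src_net, dst_net) for every 'ip' ACE in the text."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if not m:
            continue
        # ip_network accepts dotted netmasks, which is what PIX ACLs use.
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        entries.append((m["action"], src, dst))
    return entries


def mirror_mismatches(local_text, peer_text):
    """Local permit entries that the peer's crypto ACL does not mirror.

    The PIX builds its IPsec proxy IDs from the crypto ACL, so each local
    'permit ip A B' needs a matching 'permit ip B A' on the peer. Anything
    else falls into the peer's implicit deny and produces
    '%PIX-3-302302: ACL = deny; no sa created'.
    """
    peer_permits = {(s, d) for a, s, d in parse_acl(peer_text) if a == "permit"}
    return [(s, d) for a, s, d in parse_acl(local_text)
            if a == "permit" and (d, s) not in peer_permits]
```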