
New Member

return status is IKMP_NO_ERRORIPSEC(sa_initiate): ACL = deny; no sa created

Hi,

I configured a PIX and a SOHO 91 to create a VPN tunnel. I couldn't get any traffic between LANs. I ran a debug and I got this error message on the PIX.

The PIX has four interfaces and I used two of them to make VPN connections. On one interface, I use another PIX connecting through the Internet and it works.

Can you help me?

PS: The debug on the PIX gives this:

ISAKMP (0): Creating IPSec SAs

inbound SA from 192.168.3.11 to 192.168.3.251 (proxy 172.16.0.0 to 192.168.2.0)

has spi 2701703431 and conn_id 1 and flags 4

lifetime of 3600 seconds

lifetime of 4608000 kilobytes

outbound SA from 192.168.3.251 to 192.168.3.11 (proxy 192.168.2.0 to 172.16.0.0)

has spi 2902385925 and conn_id 2 and flags 4

lifetime of 3600 seconds

lifetime of 4608000 kilobytes

IPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 192.168.3.251, src= 192.168.3.11,

dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),

src_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0xa108b907(2701703431), conn_id= 1, keysize= 0, flags= 0x4

IPSEC(initialize_sas): ,

(key eng. msg.) src= 192.168.3.251, dest= 192.168.3.11,

src_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),

dest_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0xacfee505(2902385925), conn_id= 2, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:192.168.3.11 Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: IPSEC: Peer ip:192.168.3.11 Ref cnt incremented to:3 Total VPN Peers:1

return status is IKMP_NO_ERROR

IPSEC(sa_initiate): ACL = deny; no sa created

2 REPLIES
Bronze

Re: return status is IKMP_NO_ERRORIPSEC(sa_initiate): ACL = deny

Hi,

Make sure that your ACLs on both sides mirror each other.

On one side..

access-list permit ip 192.168.2.0 255.255.255.0 172.16.50.0 255.255.255.0

The other side..

access-list permit ip 172.16.50.0 255.255.255.0 192.168.2.0 255.255.255.0

Hope that helps.
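
The mirror check described in the reply above, as an added example that is not part of the original thread or any poster's code: it parses the crypto ACL lines from both peers and reports every permit entry that has no source/destination-swapped twin on the other side. The ACL number 110, the sample configurations and the function names are constructed for illustration; only the network/mask form of `access-list` is handled.

```python
import ipaddress
import re

# Matches PIX-style "access-list [name] permit ip <src> <mask> <dst> <mask>".
# Assumption: only the network/mask form is handled, not "host" or "any".
ACL_RE = re.compile(
    r"access-list\s+(?:(?!permit\b)\S+\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

# Constructed sample configs (ACL number 110 is hypothetical). The local entry
# uses the proxy networks shown in the thread's debug output.
LOCAL_PIX = "access-list 110 permit ip 192.168.2.0 255.255.255.0 172.16.0.0 255.255.0.0"
REMOTE_OK = "access-list 110 permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0"
# Same networks but a narrower mask on one side: looks mirrored, is not.
REMOTE_BAD = "access-list 110 permit ip 172.16.50.0 255.255.255.0 192.168.2.0 255.255.255.0"


def parse_acl(config):
    """Return the set of (source, destination) networks the ACL permits."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.search(line)
        if m:
            # ip_network raises ValueError if host bits are set under the mask.
            src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
            pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_cfg, remote_cfg):
    """List entries on either peer that lack a swapped twin on the other."""
    local, remote = parse_acl(local_cfg), parse_acl(remote_cfg)
    problems = []
    for src, dst in sorted(local - {(d, s) for s, d in remote}):
        problems.append(f"local {src} -> {dst}: no remote {dst} -> {src}")
    for src, dst in sorted(remote - {(d, s) for s, d in local}):
        problems.append(f"remote {src} -> {dst}: no local {dst} -> {src}")
    return problems


if __name__ == "__main__":
    print("mirrored pair:", mirror_mismatches(LOCAL_PIX, REMOTE_OK))
    for problem in mirror_mismatches(LOCAL_PIX, REMOTE_BAD):
        print(problem)
```

Comparing parsed networks rather than raw text catches entries that differ only in the mask, which is easy to miss when reading two configurations side by side.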

New Member

Re: return status is IKMP_NO_ERRORIPSEC(sa_initiate): ACL = deny

I get that same debug message... my ACLs are mirrored to the dot.

There are no filters on that traffic. The bypass-NAT has been configured as needed.

Besides rebooting, I've tried everything.

Any other solutions perhaps?

Paras
