Cisco Support Community
Community Member

Trouble establishing dynamic tunnel from ASA 5505 to Cisco 1921

I'm trying to set up a site-to-site VPN tunnel between an ASA 5505 (which gets its WAN IP via DHCP), and a Cisco 1921 (which has a static WAN IP).

So since the ASA gets its IP dynamically, I'm trying to create a dynamic tunnel.


ASA 5505 config:
Cisco 1921 config:


Cisco 1921 Inside Subnet:
ASA 5505 Inside Subnet:


I added the following to the Cisco 1921:

crypto dynamic-map KAM_TUNNEL_DYN_MAP 1
 set transform-set ESP-3DES-SHA
crypto map SDM_CMAP_1 9 ipsec-isakmp dynamic KAM_TUNNEL_DYN_MAP


I added the following to the ASA 5505:

access-list 100 extended permit ip
access-list NONAT extended permit ip
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map PG_TUNNEL_MAP 10 match address 100
crypto map PG_TUNNEL_MAP 10 set peer <ip_3eb62ab9db>
crypto map PG_TUNNEL_MAP 10 set transform-set ESP-3DES-SHA
crypto map PG_TUNNEL_MAP interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


I try to bring up the tunnel from the ASA by generating interesting traffic with the command packet-tracer input inside tcp 80 80, which, according to this, is a valid way to bring up a tunnel.

However, the tunnel does not come up; it does not appear in the show crypto isakmp sa output.

With debug crypto isakmp 127 and debug crypto ipsec 127 both active, the following output surrounds the above packet-tracer command:

As you can see, no phase 1 or 2, nor even anything VPN related comes up.


Why is this tunnel not establishing, or even trying to?



There's an error I spot on your output that might be causing the issue. 

%ASA-2-106016: Deny IP spoof from ( to on interface inside

Here is the explanation from Cisco about that error message:

This message is generated when a packet arrives at the security appliance interface that has a destination IP address of and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:

  • Loopback network (

  • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

  • The destination host (land.c)

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.


I didn't check your configs but looking at the output from the packet-tracer it seems that the packet is being dropped by ACL. This is why your tunnel is not going up, because the traffic doesn't even reach the remote end. Try rechecking your ACLs including crypto ACL.

Community Member


Have checked the ACLs and they seem pretty straight forward. I see nothing wrong, do you?

! ASA 5505:
access-list 100 extended permit ip
access-list NONAT extended permit ip

Community Member


There were a few things I forgot. Here's the fix, added to the Cisco 1921:

! Key needed
crypto isakmp key <my_key> address no-xauth

! So that traffic knows how to get to remote site
ip route <ip_of_next_hop_outside>

! NAT Exemption...made sure to add it above the bottom 'permit' entry.
access-list 130 deny   ip

Issue is resolved.
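The three items in the fix above (a pre-shared key usable by a peer whose address is not known in advance, a route to the remote subnet, and a NAT-exemption deny placed before the permit) are easy to verify mechanically. The following check is an added example, not code from the thread; the config fragment is constructed with RFC 5737 addresses and a placeholder key, and the function and ACL names are assumptions.

```python
import re

# Constructed IOS config fragment (not from the thread): RFC 5737 addresses,
# placeholder key. It mirrors the items added to the Cisco 1921 in the fix.
SAMPLE_CONFIG = """
crypto isakmp key REPLACE_ME address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map KAM_TUNNEL_DYN_MAP 1
 set transform-set ESP-3DES-SHA
crypto map SDM_CMAP_1 9 ipsec-isakmp dynamic KAM_TUNNEL_DYN_MAP
ip route 192.0.2.0 255.255.255.0 198.51.100.1
access-list 130 deny   ip 10.0.1.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 130 permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list 130 interface GigabitEthernet0/0 overload
"""


def has_wildcard_isakmp_key(cfg):
    """A peer with a DHCP-assigned WAN IP cannot be keyed by address, so the
    static side needs a key bound to 0.0.0.0 0.0.0.0 (any peer)."""
    pat = r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0"
    return re.search(pat, cfg, re.M) is not None


def dynamic_map_bound(cfg):
    """(static map, dynamic map) pairs; the static map is what gets applied
    to the outside interface, so the dynamic one must hang off it."""
    return re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", cfg, re.M)


def route_for(cfg, remote_net):
    """True if a static route exists for 'network mask' of the remote site."""
    return re.search(rf"^ip route {re.escape(remote_net)} ", cfg, re.M) is not None


def nat_exempt_before_permit(cfg, acl):
    """ACLs are evaluated top-down: the deny that exempts VPN traffic from
    NAT must appear before the permit that NATs everything else, or the
    traffic is translated and never matches the crypto ACL."""
    actions = re.findall(rf"^access-list {acl} (deny|permit)\b", cfg, re.M)
    deny = next((i for i, a in enumerate(actions) if a == "deny"), None)
    permit = next((i for i, a in enumerate(actions) if a == "permit"), None)
    return deny is not None and (permit is None or deny < permit)


def check_dynamic_vpn_prereqs(cfg, remote_net, nat_acl):
    """Summarise the three prerequisites as a dict of booleans."""
    return {
        "wildcard_key": has_wildcard_isakmp_key(cfg),
        "dynamic_map_bound": bool(dynamic_map_bound(cfg)),
        "route_to_remote": route_for(cfg, remote_net),
        "nat_exempt_ordered": nat_exempt_before_permit(cfg, nat_acl),
    }
```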
