No SPI to identify Phase 2 SA in ASA 5500

Hi, I have two ASAs, one in the US (inside network 10.0.0.0/24) and one in India. I am controlling the US one. I have created a peer-2-peer IPSEC tunnel.

On the US side, I have allowed 10.0.0.0/24 as the source of interesting traffic in the crypto map ACL. On the India side, the tech has opened 10.80.0.0/26 as interesting traffic in the crypto map ACL.

Now I am on the US side, on subnet 10.80.0.0, trying to send data towards India, but the tunnel is not UP.

I am seeing the error "No SPI to identify Phase 2 SA" on the US ASA, please help.

Regards,

Rupesh

1 REPLY

Re: No SPI to identify Phase 2 SA in ASA 5500

Hello Rupesh,

the extended ACLs have to be the mirror of each other

example (with IOS router syntax)

access-list 101 permit ip 10.0.0.0 0.255.255.255 10.80.0.0 0.0.0.63

and

access-list 102 permit ip 10.80.0.0 0.0.0.63 10.0.0.0 0.255.255.255

on the other side

using any keyword is not recommended

Hope this helps

Giuseppe
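The mirroring rule in the reply above can be checked mechanically before bringing a tunnel up. The script below is an added example written for this page; it is not from the thread or from Cisco. It parses IOS-style "access-list N permit ip SRC DST" lines (address/wildcard pairs, "host", or "any"), converts each wildcard to a CIDR prefix, and reports every entry on one side whose swapped (dst, src) counterpart is absent on the other side, plus whether either side uses the "any" keyword the reply warns against. The two ACL lines from the reply are used as the good case; the second pair is constructed to mimic the /24 versus /8 mismatch described in the question.

```python
"""Check that crypto-map ACLs on both ends of a site-to-site IPsec tunnel
mirror each other (added example for this page, not code from the thread)."""
import ipaddress
from typing import Dict, List, Set, Tuple

Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a CIDR network.
    The wildcard is the bitwise inverse of the subnet mask, so 0.0.0.63 is /26."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask))
    # A non-contiguous wildcard (e.g. 0.0.255.0) is not a valid netmask; ipaddress raises ValueError.
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _take_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address specification starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> Set[Entry]:
    """Parse 'access-list N permit ip SRC DST' lines into (src, dst) network pairs.
    Deny lines, remarks and blank lines are skipped; only 'ip' entries are accepted,
    because a crypto-map ACL selects traffic by address, not by port."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        if tokens[3] != "ip":
            raise ValueError(f"only 'permit ip' entries are supported: {line!r}")
        src, i = _take_address(tokens, 4)
        dst, _ = _take_address(tokens, i)
        entries.add((src, dst))
    return entries


def report(local_acl: str, remote_acl: str) -> Dict[str, object]:
    """Every local (src, dst) must appear remotely as (dst, src), and vice versa.
    Returns the entries that lack a mirror on each side and flags use of 'any'."""
    local, remote = parse_acl(local_acl), parse_acl(remote_acl)
    mirrored_local = {(d, s) for s, d in local}
    mirrored_remote = {(d, s) for s, d in remote}

    def fmt(pairs: Set[Entry]) -> List[str]:
        return sorted(f"{s} -> {d}" for s, d in pairs)

    return {
        "missing_on_remote": fmt(mirrored_local - remote),
        "missing_on_local": fmt(mirrored_remote - local),
        "uses_any": any(ANY in e for e in local | remote),
    }


# The mirrored pair from the reply above (IOS syntax).
US_ACL = "access-list 101 permit ip 10.0.0.0 0.255.255.255 10.80.0.0 0.0.0.63"
INDIA_ACL = "access-list 102 permit ip 10.80.0.0 0.0.0.63 10.0.0.0 0.255.255.255"

# Constructed mismatch: the local side permits 10.0.0.0/24 but the far end expects 10.0.0.0/8.
US_ACL_BAD = "access-list 110 permit ip 10.0.0.0 0.0.0.255 10.80.0.0 0.0.0.63"
INDIA_ACL_BAD = "access-list 120 permit ip 10.80.0.0 0.0.0.63 10.0.0.0 0.255.255.255"

if __name__ == "__main__":
    for label, a, b in (("reply's pair", US_ACL, INDIA_ACL),
                        ("constructed mismatch", US_ACL_BAD, INDIA_ACL_BAD)):
        print(label, report(a, b))
```

Run it with the two ACL texts copied from each firewall's configuration; an empty "missing_on_remote" and "missing_on_local" means the proxy identities agree, which is the condition the reply describes. A non-empty list points at the exact entry to fix on the named side, and a non-contiguous wildcard raises a ValueError rather than being silently accepted.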
