https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3997079#M4970 <P>yes, lovely</P> Wed, 11 Dec 2019 10:09:41 GMT Chewbakka1 2019-12-11T10:09:41Z https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3995964#M4965 <P>Hi,</P><P>I have set up a new VPN tunnel to a remote site, but the tunnel will not come up.</P><P>Running packet-tracer shows that the tunnel is failing with:</P><P>Phase: 8<BR />Type: VPN<BR />Subtype: encrypt<BR />Result: DROP<BR />Config:<BR />Additional Information:</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop</P><P>&nbsp;</P><P>I have checked that the access-lists(encryption domain) matches.</P><P>I have checked that the return traffic matches the same nat rule as for outgoing traffic.</P><P>&nbsp;</P><P>Any ideas what could be the cause for this?</P><P>I suspect this could be that the firewall does not have the source network directly connected, and that is why packet tracer cannot source the traffic correctly.</P> Fri, 21 Feb 2020 17:45:16 GMT https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3995964#M4965 Chewbakka1 2020-02-21T17:45:16Z https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3996102#M4966 <P>When the source subnet,subject to encryption is not directly connected, is it necessary to include the directly connected subnet in the access-list as well?</P> Mon, 09 Dec 2019 22:36:06 GMT https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3996102#M4966 Chewbakka1 2019-12-09T22:36:06Z https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3996107#M4967 <P>show your configuration otherwise its really hard to say what causing the issue.</P> Mon, 09 Dec 2019 22:42:23 GMT https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3996107#M4967 Sheraz.Salim 2019-12-09T22:42:23Z https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3996604#M4968 <P>Digging further into the logs i found this:</P><P>Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown IKEv2 SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 10 Dec 2019 16:05:29 GMT https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3996604#M4968 Chewbakka1 2019-12-10T16:05:29Z https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3996676#M4969 <P>You may have found this already, but it seems like you're hitting this bug:</P><P>&nbsp;</P><DIV class="bugTitle">ASA IKEv2:L2L tunnel failing with IN-NEGOTIATION SA LIMIT REACHED</DIV><DIV class="bugId">CSCug95008</DIV><DIV class="bugId">&nbsp;</DIV><DIV class="bugId"><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCug95008" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCug95008</A></DIV> Tue, 10 Dec 2019 17:25:05 GMT https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3996676#M4969 gerald.scott 2019-12-10T17:25:05Z https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3997079#M4970 <P>yes, lovely</P> Wed, 11 Dec 2019 10:09:41 GMT https://community.cisco.com/t5/network-security/asa-vpn-tunnel-phase-8-subtype-encrypt-drop/m-p/3997079#M4970 Chewbakka1 2019-12-11T10:09:41Z