Showing results for 
Search instead for 
Did you mean: 

VPN is not coming UP


Hi Experts,

I have a PIX515E. I need to create a vpn to my clients office. PIX is alerady having two VPN, among two one is a dynamic VPN to a dynamic IP of netgear router.

I tried to create a new IPSEC vpn to a gateway loadbalancer.Device is PLANET MH2001. It is our client premises.

It has two gateway(public IP). Configuration in MH2001 is pretty simple. and i have completed it.

I have also completed configuration in PIX using ASDM. But the VPN is not up till now.

I have checked the logs in MH2001-->

"S2SVPN" #3701: max number of retransmissions (0) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message”

But in PIX side i didnt get log yet. I gave " sh isakmp sa" "sh ipsec sa" But it is not showing anything.... No IKE phase....

As i said MH2001 has two public IPs. and one LAN range. But i configured tunnel-group to only one public IP.

Still Nothing.. no isakmp phase for this VPN....

What should be reason???

Please see the below configuration i Have done.

Did i configure anything wrong??? or do i need to add anything more???? Please suggest...........

A.A.A.A and B.B.B.b are the two public IPs of MH2001.

access-list outside_2_cryptomap extended permit ip <insidelocal> <outsidelocal>
access-list inside_nat0_outbound extended permit ip <insidelocal> <outsidelocal>
nat (inside) 0 access-list inside_nat0_outbound
route outside <outsidelocal> A.A.A.A 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set New_Trfm_Dyn_S2S esp-3des esp-sha-hmac

crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer B.B.B.B
crypto map outside_map 2 set transform-set New_Trfm_Dyn_S2S
crypto map outside_map 3 match address outside_2_cryptomap
crypto map outside_map 3 set peer A.A.A.A
crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 3600

tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
pre-shared-key *

tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
pre-shared-key *



Thanks and Regards, Vipin
1 Reply 1

Parminder Sian

Hi Vipin,

To begin with, I do not see command " crypto map outside_map interface outside" in your config.

Also, have a look at following links:-

For new vpn tunnel:-

To add new vpn tunnel on PIX with existing config:-

Hope this helps,


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers