
Core issue

These are among the reasons for this issue:

  • Mismatching phase one (ISAKMP) policies

  • Mismatching crypto Access Control Lists (ACLs)

  • Wrong IP address defined for the peer on either device

  • NAT not bypassed for the tunnel traffic

  • Mismatching pre-shared key

  • Perfect Forward Secrecy (PFS) enabled on one end and disabled on the other


To resolve this issue, perform these steps:

  1. Check whether phase one comes up. If it does not, match the Internet Security Association and Key Management Protocol (ISAKMP) policies, the pre-shared key and the peer IP address on both devices.

  2. If phase two does not come up, match the crypto ACLs (each side's ACL must be the mirror image of the other's) and make sure that NAT is bypassed for the traffic that should enter the tunnel.

  3. If everything matches and the tunnel still does not come up, determine whether PFS is enabled or disabled. PFS must be either enabled on both ends or disabled on both ends.
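The three steps above amount to a checklist comparing the two endpoints' settings. The following Python script is an added example that is not part of the original article and not Cisco code: it models each peer with a constructed `PeerSettings` record (field names are my own, not ASA configuration syntax) and reports, in the order of the steps, which of the listed causes applies. It goes slightly beyond the text in two places: it checks that the crypto ACLs are mirror images rather than merely "matching", and it treats PFS with different Diffie-Hellman groups as a mismatch, since both ends must agree on the group when PFS is enabled. All addresses, networks and keys are constructed sample values.

```python
"""Compare two IPsec peers' settings against the phase one / phase two checklist.

Added example: constructed data model, not ASA configuration syntax.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

Net = Tuple[str, str]  # (source network, destination network)


@dataclass
class PeerSettings:
    """Tunnel-relevant settings of one VPN endpoint (constructed fields)."""
    local_ip: str                     # this device's own tunnel address
    peer_ip: str                      # address this device has configured for the remote peer
    isakmp_policy: Dict[str, object]  # phase one: encryption, hash, authentication, DH group, lifetime
    pre_shared_key: str
    crypto_acl: List[Net]             # traffic to be encrypted
    nat_exempt: List[Net]             # traffic excluded from NAT
    pfs_group: Optional[int] = None   # None means PFS disabled


def _covered(entry: Net, exemptions: List[Net]) -> bool:
    """True if a crypto ACL entry lies inside some NAT-exemption entry."""
    src, dst = map(ip_network, entry)
    return any(src.subnet_of(ip_network(es)) and dst.subnet_of(ip_network(ed))
               for es, ed in exemptions)


def check_tunnel(a: PeerSettings, b: PeerSettings) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems: List[str] = []

    # Step 1: phase one. ISAKMP policy, pre-shared key and peer address must agree.
    if a.isakmp_policy != b.isakmp_policy:
        keys = set(a.isakmp_policy) | set(b.isakmp_policy)
        diff = sorted(k for k in keys if a.isakmp_policy.get(k) != b.isakmp_policy.get(k))
        problems.append(f"phase1: ISAKMP policy mismatch on {diff}")
    if a.pre_shared_key != b.pre_shared_key:
        problems.append("phase1: pre-shared key mismatch")
    for this, other in ((a, b), (b, a)):
        if this.peer_ip != other.local_ip:
            problems.append(f"phase1: {this.local_ip} points at peer {this.peer_ip}, "
                            f"but the other end is {other.local_ip}")

    # Step 2: phase two. Crypto ACLs must mirror each other, and the traffic must bypass NAT.
    mirror_of_b = {(dst, src) for src, dst in b.crypto_acl}
    if set(a.crypto_acl) != mirror_of_b:
        problems.append("phase2: crypto ACLs are not mirror images")
    for side in (a, b):
        for entry in side.crypto_acl:
            if not _covered(entry, side.nat_exempt):
                problems.append(f"phase2: {side.local_ip} does not exempt "
                                f"{entry[0]}->{entry[1]} from NAT")

    # Step 3: PFS must be enabled with the same group, or disabled, on both ends.
    if a.pfs_group != b.pfs_group:
        problems.append(f"phase2: PFS mismatch ({a.pfs_group} vs {b.pfs_group})")
    return problems


# Constructed sample peers: a correctly matched pair.
POLICY = {"encryption": "aes-256", "hash": "sha", "authentication": "pre-share",
          "group": 2, "lifetime": 86400}
SITE_A = PeerSettings("203.0.113.1", "198.51.100.1", dict(POLICY), "constructed-psk",
                      [("10.1.0.0/24", "10.2.0.0/24")], [("10.1.0.0/24", "10.2.0.0/24")])
SITE_B = PeerSettings("198.51.100.1", "203.0.113.1", dict(POLICY), "constructed-psk",
                      [("10.2.0.0/24", "10.1.0.0/24")], [("10.2.0.0/16", "10.1.0.0/16")])


def demo_mismatches() -> Dict[str, List[str]]:
    """Run the checker over constructed misconfigurations, one per listed cause."""
    cases = {
        "phase1_policy": replace(SITE_B, isakmp_policy={**POLICY, "group": 5}),
        "psk": replace(SITE_B, pre_shared_key="wrong"),
        "peer_ip": replace(SITE_B, peer_ip="203.0.113.2"),
        "acl": replace(SITE_B, crypto_acl=[("10.2.0.0/24", "10.3.0.0/24")]),
        "nat": replace(SITE_B, nat_exempt=[]),
        "pfs": replace(SITE_B, pfs_group=2),
    }
    return {name: check_tunnel(SITE_A, bad_b) for name, bad_b in cases.items()}


if __name__ == "__main__":
    print("matched pair:", check_tunnel(SITE_A, SITE_B) or "no problems")
    for name, found in demo_mismatches().items():
        print(f"{name}: {found}")
```

Because the checks run in the same order as the steps, the first reported line tells you which phase to look at first; a phase one problem must be cleared before phase two findings mean anything.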

PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.

Note: PFS is disabled by default on Adaptive Security Appliance (ASA).

For additional information about PFS, refer to the Configuring Perfect Forward Secrecy section of Configuring Group Policies.
