
ASA 5520 to 5510 VPN Not Creating IPSEC SA's

I have an L2L IPsec tunnel built between a 5520 and a 5510. I am pretty sure I have configured everything I need to, but when I do a "show cry ipsec sa" there is nothing there. I am sure the firewalls in between are opened up to allow the connections as well. Also, every time I configured a part of the crypto map, like the command "crypto map outside_map 10 set peer 6.7.0.13", it would come back with this error:

[IKEv1]: Ignoring msg to mark SA with specified coordinates <outside_map, 10> dead.

Any ideas?

Accepted Solutions
Cisco Employee

Re: ASA 5520 to 5510 VPN Not Creating IPSEC SA's

Hi,

Could you please paste the output of the following command, "show run crypto", from both the ASAs? Also, what do you see when you give "show cry isa sa"?

Also, if your crypto ACLs for the tunnel have something like this: "access-list ACL extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp"

Change the ACL to ip, i.e. "access-list ACL extended permit ip host 192.168.11.11 host 10.1.100.105". Let me know if that helps.

Thanks,

Namit
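
The check suggested in the accepted answer, as an added example that is not part of the original thread and is not Cisco tooling: it reads running-config text, finds the ACLs referenced by `crypto map ... match address`, and reports entries whose protocol is not `ip`. The ACL names `VPN_ACL` and `MISSING_ACL`, the second ACE and the sample config as a whole are constructed; the input is assumed to contain both the `access-list` and `crypto map` lines.

```python
import re

# Constructed sample running-config (not from the thread). The ACL name VPN_ACL
# is hypothetical; the first ACE and the peer line reuse values quoted in the posts.
SAMPLE_CONFIG = """\
access-list VPN_ACL extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp
access-list VPN_ACL extended permit ip host 192.168.11.11 host 10.1.100.106
access-list INSIDE_IN extended permit tcp any any eq www
crypto map outside_map 10 match address VPN_ACL
crypto map outside_map 10 set peer 6.7.0.13
crypto map outside_map 20 match address MISSING_ACL
"""

MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) (\S+)\s")


def parse(config):
    """Collect crypto-map ACL references and the protocol of each extended ACE."""
    refs, aces = [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        m = MATCH_RE.match(line)
        if m:
            refs.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        a = ACE_RE.match(line)
        if a:
            aces.setdefault(a.group(1), []).append((a.group(2).lower(), line))
    return refs, aces


def non_ip_crypto_aces(config):
    """ACEs in crypto ACLs whose protocol is not 'ip' (tcp/udp/icmp, or an
    object-group, which this simple check cannot expand)."""
    refs, aces = parse(config)
    return [(name, seq, acl, proto, line)
            for name, seq, acl in refs
            for proto, line in aces.get(acl, [])
            if proto != "ip"]


def undefined_crypto_acls(config):
    """Crypto map entries whose 'match address' ACL has no ACEs in the config."""
    refs, aces = parse(config)
    return [(name, seq, acl) for name, seq, acl in refs if acl not in aces]
```

Run it against the saved running-config of each ASA; ACLs used elsewhere (such as `INSIDE_IN` in the sample) are ignored because no crypto map references them.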
