Multiple access list site to site vpn get "IPSEC ERROR: Failed to send the message to IKE"

am1r007
Level 1

I have set up a site-to-site VPN between an ASA 5508 and a MikroTik. Everything is fine when I use only one access list. I got the problem when I add some access lists to the crypto map. In debug I got the message "IPSEC ERROR: Failed to send the message to IKE".

Here is my access list:

access-list client_traffic extended permit ip 192.168.21.34 255.255.255.255 192.168.33.105 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.44 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.45 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.46 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.47 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.67 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.34 255.255.255.255 192.168.33.67 255.255.255.255
access-list client_traffic extended permit icmp 192.168.17.165 255.255.255.255 192.168.10.1 255.255.255.255

 

I use ASA version 9.8(2).

 

Thanks for advice

Accepted Solutions

Sounds like the MikroTik uses route-based VPN, which causes the VPN to set up a new tunnel for each subnet, while the ASA sends all subnets through the same tunnel.

"Setting Mikrotik IPSec Policy with the ‘require’ level (default option) causes the router to create a single SA with the remote peer."

ref:

https://blog.bravi.org/?p=1209

--
Please remember to select a correct answer and rate helpful posts
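
As an added example (not part of the original thread and not vendor tooling), this Python script parses the crypto ACL posted in the question and lists the traffic selectors it defines, next to the mirrored form the remote peer has to match. It assumes each ACE is negotiated as its own IPsec SA pair on the ASA; the names `Selector`, `parse_ace`, `selectors` and `peer_view` are hypothetical.

```python
import ipaddress
from typing import NamedTuple

# Crypto ACL copied from the question above.
ACL = """\
access-list client_traffic extended permit ip 192.168.21.34 255.255.255.255 192.168.33.105 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.44 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.45 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.46 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.47 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.35 255.255.255.255 192.168.33.67 255.255.255.255
access-list client_traffic extended permit ip 192.168.21.34 255.255.255.255 192.168.33.67 255.255.255.255
access-list client_traffic extended permit icmp 192.168.17.165 255.255.255.255 192.168.10.1 255.255.255.255
"""

class Selector(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_ace(line: str) -> Selector:
    """Parse 'access-list NAME extended permit PROTO SRC MASK DST MASK'."""
    tok = line.split()
    if len(tok) != 9 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src = ipaddress.IPv4Network(f"{tok[5]}/{tok[6]}", strict=False)
    dst = ipaddress.IPv4Network(f"{tok[7]}/{tok[8]}", strict=False)
    return Selector(tok[4], src, dst)

def selectors(acl_text: str) -> list:
    """Distinct selectors in ACL order (a repeated ACE adds no new selector)."""
    out = []
    for line in acl_text.splitlines():
        if line.strip():
            sel = parse_ace(line)
            if sel not in out:
                out.append(sel)
    return out

def peer_view(sels: list) -> list:
    """The same selectors as the remote peer must define them: src/dst swapped."""
    return [Selector(s.proto, s.dst, s.src) for s in sels]

if __name__ == "__main__":
    local = selectors(ACL)
    # Assumption: one ACE = one IPsec SA pair negotiated by the ASA.
    print(f"{len(local)} selectors -> expect {len(local)} IPsec SA pairs")
    for mine, theirs in zip(local, peer_view(local)):
        print(f"ASA {mine.proto} {mine.src} -> {mine.dst} | peer: {theirs.src} -> {theirs.dst}")
```

Compare the printed list with the policies configured on the MikroTik and with the SAs the ASA reports in `show crypto ipsec sa`.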


Great!!!!
Thanks
You've healed my week-long headache. :)
