ASA Site to Site IKEv2 Issues

molinait
Level 1

Hi everyone.


I'm trying to set up a VPN L2L using IKEv2. The tunnel is not up and I'm receiving these logs:


Sep 30 2019 16:02:11: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Sep 30 2019 16:02:11: %ASA-5-750001: Local:186.177.20.198:500 Remote:186.5.169.68:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.0.71-172.16.0.71 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 10.1.113.254-10.1.113.254 Protocol: 0 Port Range: 0-65535
Sep 30 2019 16:02:11: %ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED
Sep 30 2019 16:02:11: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = VPN. Map Sequence Number = 11.


I searched about these logs but the information is not very useful.

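As an added example that is not part of this thread (my own script, not Cisco's), here is a small Python triage that parses ASA syslog lines in the format shown above and attributes a Tunnel Manager failure (752015) to any CAC rejection (751015) logged while that crypto map entry was negotiating. It assumes only the line layout seen in the post; the sample log is constructed from the lines above.

```python
import re

# Constructed sample, copied in shape from the ASA syslog excerpt in the post above.
SAMPLE_LOG = """\
Sep 30 2019 16:02:11: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Sep 30 2019 16:02:11: %ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED
Sep 30 2019 16:02:11: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = VPN. Map Sequence Number = 11.
"""

# "<timestamp>: %ASA-<severity>-<msgid>: <text>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Tunnel Manager messages carry the crypto map entry; note "Map Tag= VPN" (no space) also occurs.
MAP_RE = re.compile(r"Map Tag\s*=\s*(?P<tag>\S+?)\.\s*Map Sequence Number\s*=\s*(?P<seq>\d+)")
CAC_RE = re.compile(r"SA request rejected by CAC\. Reason: (?P<reason>.+)$")


def parse_line(line):
    """Return a dict for one ASA syslog line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}
    mm = MAP_RE.search(m["text"])
    if mm:
        rec["map"] = (mm["tag"], int(mm["seq"]))
    cm = CAC_RE.search(m["text"])
    if cm:
        rec["cac_reason"] = cm["reason"].strip()
    return rec


def triage(log_text):
    """Group messages per crypto map entry: a 752003 opens a negotiation, 751015 CAC rejections
    seen before the entry is removed (752002) are attached to it, 752015 marks it as failed."""
    results = {}
    current = None  # (map tag, sequence number) currently being negotiated
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == "752003":
            current = rec["map"]
            results.setdefault(current, {"failed": False, "cac_rejections": []})
        elif rec["msgid"] == "751015" and current is not None:
            results[current]["cac_rejections"].append(rec["cac_reason"])
        elif rec["msgid"] == "752015":
            results.setdefault(rec["map"], {"failed": False, "cac_rejections": []})["failed"] = True
        elif rec["msgid"] == "752002":
            current = None
    return results
```

A map entry that shows up as failed with a CAC reason attached points at the in-negotiation SA limit rather than at a proposal or traffic-selector mismatch, which is the distinction the original poster was missing.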

Alexandr Alakin
Level 1

Question to ChatGPT: how to fix the following issue: Sep 30 2019 16:02:11: %ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED

Answer from GPT (boy, aren't we in future already!?):

The error message "%ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED" means that the maximum number of SAs (Security Associations) in the negotiation process has been reached and the ASA has rejected the request for a new SA. To fix this issue, you can increase the Call Admission Control (CAC) limit for the number of SAs in the negotiation process.

On a Cisco ASA, you can use the "crypto ikev2 policy" command to set the limit for IKEv2. For example, you can set the limit to 50 SAs by using the following command:

crypto ikev2 policy 10
  proposal 1
  match fvrf any
  match identity remote any
  sa - negotiation 50

After increasing the CAC limit, you may need to clear any existing SAs that are in the negotiation process or re-establish existing SAs to release resources and allow the new SAs to be negotiated. You can use the "clear crypto sa" command to clear SAs and the "clear crypto isakmp" command to clear ISAKMP (Internet Security Association and Key Management Protocol) SAs.

Keep in mind that increasing the CAC limit can affect the performance of your VPN device and network. It's important to ensure that your device has enough resources to support the increased limit before making any changes.

My comment: Well, not 100% yet, but closer every day :). It seems that the provided commands are not applicable, but it is getting pretty easy to finally find the answer to this very old question (the overall comments are great, too!):

crypto ikev2 limit max-in-negotiation-sa

HTH Alexandr

OLD post.