09-30-2019 04:23 PM
Hi everyone.
I'm trying to setup a VPN L2L using IKEv2. The tunnel is not up and I'm receiving this logs:
Sep 30 2019 16:02:11: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Sep 30 2019 16:02:11: %ASA-5-750001: Local:186.177.20.198:500 Remote:186.5.169.68:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.0.71-172.16.0.71 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 10.1.113.254-10.1.113.254 Protocol: 0 Port Range: 0-65535
Sep 30 2019 16:02:11: %ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED
Sep 30 2019 16:02:11: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= VPN. Map Sequence Number = 11.
Sep 30 2019 16:02:11: %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = VPN. Map Sequence Number = 11.
I search about this logs but the information is not very usefull.
04-13-2023 03:17 AM
Question to ChatGPT: how to fix the following issue: Sep 30 2019 16:02:11: %ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED
Answer from GPT (boy, aren't we in future already!?):
The error message "%ASA-4-751015: Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED" means that the maximum number of SAs (Security Associations) in the negotiation process has been reached and the ASA has rejected the request for a new SA. To fix this issue, you can increase the Call Admission Control (CAC) limit for the number of SAs in the negotiation process.
On a Cisco ASA, you can use the "crypto ikev2 policy" command to set the limit for IKEv2. For example, you can set the limit to 50 SAs by using the following command:
crypto ikev2 policy 10
proposal 1
match fvrf any
match identity remote any
sa - negotiation 50
After increasing the CAC limit, you may need to clear any existing SAs that are in the negotiation process or re-establish existing SAs to release resources and allow the new SAs to be negotiated. You can use the "clear crypto sa" command to clear SAs and the "clear crypto isakmp" command to clear ISAKMP (Internet Security Association and Key Management Protocol) SAs.
Keep in mind that increasing the CAC limit can affect the performance of your VPN device and network. It's important to ensure that your device has enough resources to support the increased limit before making any changes.
My comment: Well, not 100% yet, but closer every day :). It seems that provided commands are not applicable, but it gets pretty easy to finally find the answer to this very old question (also overall comments are great!):
crypto ikev2 limit max-in-negotiation-sa
04-13-2023 03:55 AM - edited 04-13-2023 04:17 AM
OLD post.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide