06-30-2009 02:55 AM
Hi,
Is there a configuration document available to assist in configuring a CISCO 871 as EasyVPN Server with an ASA 5505 as Client?
I have found a document with the connection the other way round (ASA as server and 871 as client) here: http://www.cisco.com/application/pdf/paws/68815/ezvpn-asa-svr-871-rem.pdf but it's not what I want.
Alternatively I've setup a site-to-site VPN between the two devices but keep getting "%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA and is not an initialization offer", so it doesn't complete phase II.
I've reloaded both devices and cleared all old SA's with no luck.
Thanks,
Mario
06-30-2009 03:11 AM
Check your config - you are missing some if you are receiving that error.
07-01-2009 05:46 AM
I've been comparing the 871 config with that on a current PIX 501 that allows the site-to-site to come up with no problem.
On the 871, I've also tried connecting to a second VPN site (also working from the 501) with the same resulting error messages.
This does lead to something missing or incorrect on the 871.
On both the 501 and the 871, I used the SDM GUI to create the site-to-site to the two locations. Is there a 'bug' or known issue with the GUI for the 871 that causes config to be missing?
I've compared my config (attached here with private info removed), but haven't been able to spot the problem yet.
I would think the VPN should be easier to setup on the 871 as it's a newer model with updated software compared to the 501.
Mario
07-01-2009 07:05 AM
Question - does the PIX have a static outside IP address?? As the router has a dhcp address?
07-01-2009 07:26 AM
No, the PIX is DHCP too on the same line.
The 871 is planned to replace the PIX, so I simply unplug the WAN connection from the PIX, plug it into the 871 and reload / no shut the WAN interface on the 871 to obtain the DHCP address - DHCP address is the same each time so far.
I know the configs are slightly different between the two in terms of syntax etc., but it doesn't make sense the SDM on the 871 doesn't work properly - this is also with a 'clean' config i.e. write erase the 871 and start with only internet access (nat), then apply the site-to-site wizard.
07-23-2009 05:37 AM
Just in case someone reads this post later on and wants to know if it was solved...
This was eventually solved by resetting the 871 config clean and configuring the device step-by-step via the command-line.
Not sure why the SDM 2.5 interface caused problems though.
Cheers