PIX to PIX VPN - error log

b.meyers
Level 1

I have created a VPN between our PIX and our client's PIX but am receiving the following error when I try to activate the tunnel. I have verified the ACLs on both ends. Any ideas??

ISADB: reaper checking SA 0x80da9618, conn_id = 0
IPSEC(sa_initiate): ACL = deny; no sa created

IPSEC(sa_initiate): ACL = deny; no sa created

IPSEC(sa_initiate): ACL = deny; no sa created

IPSEC(sa_initiate): ACL = deny; no sa created


4 Replies

gfullage
Cisco Employee

I've seen this a few times. Usually removing the crypto map from the interface and re-applying it resolves it; sometimes you have to remove both the crypto map and the "isakmp enable outside" and put them both back in.

This message is also sometimes to do with something wrong in the configuration, so re-check your ACLs and your transform sets, etc.

Thanks man!

I did a couple things like reapplied the ACL and the Crypto map. Thanks for the help!

Brian

ajagadee
Cisco Employee

Hi,

Couple of things to check:

1. When you tried to ping or send some traffic across the VPN tunnel to the new peer, does this traffic match the ACL for VPN traffic to the remote site?

2. If it matches, then make sure that there is no access-group on the PIX that is blocking this traffic.

3. Is it possible to re-enter the pre-shared keys on both sides, and also check to make sure that the isakmp and ipsec policies match?

4. What happens if you initiate the VPN tunnel from the remote PIX? Do you see any debugs on the local PIX?

5. Make sure that there are no overlapping networks with the other peers.

6. The nat 0 ACL should include the traffic for this peer as well.

7. Can you remove the crypto map off the interface, do a "clear cry is sa" and "clear cry ipsec sa", and then reapply the crypto map and see if your tunnel comes up?

Regards,

Arul
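Items 1, 5 and 6 of the checklist above (does the interesting traffic match the crypto ACL, do the two peers' crypto ACLs mirror each other, and does the nat 0 ACL cover the same flows) can be checked offline before touching the boxes. The script below is an added example, not code from the thread or from Cisco; the access-list lines and addresses in it are constructed, and it only models "permit ip SRC MASK DST MASK" entries (no deny lines, ports or object-groups).

```python
import ipaddress

# Constructed PIX-style ACL lines for illustration (not from the thread).
LOCAL_CRYPTO_ACL = [
    "access-list vpn_to_client permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0",
]
REMOTE_CRYPTO_ACL = [  # what the peer PIX should carry: the mirror image
    "access-list vpn_to_hq permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0",
]
NAT0_ACL = [  # nat 0 ACL that forgot this peer (checklist item 6)
    "access-list nonat permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0",
]


def parse_acl(lines):
    """Return [(src_net, dst_net)] for 'access-list NAME permit ip SRC MASK DST MASK' lines."""
    entries = []
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[2] != "permit" or f[3] != "ip":
            continue  # deny lines, ports, object-groups are not modelled here
        src = ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False)
        dst = ipaddress.ip_network(f"{f[6]}/{f[7]}", strict=False)
        entries.append((src, dst))
    return entries


def matches(entries, src_ip, dst_ip):
    """Item 1: would this flow select the crypto map entry, or be dropped as 'ACL = deny'?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def mirrored(local, remote):
    """Item 5: every local (src, dst) pair must appear on the peer as (dst, src), and vice versa."""
    return {(s, d) for s, d in local} == {(d, s) for s, d in remote}


def nat0_covers(nat0, crypto):
    """Item 6: each crypto pair must sit inside a nat 0 pair, else it is NATed before encryption."""
    return all(any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)
               for s, d in crypto)


def check_tunnel(local_lines, remote_lines, nat0_lines, src_ip, dst_ip):
    """Run all three checks and return the findings as a dict."""
    local, remote, nat0 = parse_acl(local_lines), parse_acl(remote_lines), parse_acl(nat0_lines)
    return {
        "flow_matches_crypto_acl": matches(local, src_ip, dst_ip),
        "peer_acls_mirror": mirrored(local, remote),
        "nat0_covers_crypto_acl": nat0_covers(nat0, local),
    }


if __name__ == "__main__":
    print(check_tunnel(LOCAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL, NAT0_ACL, "10.1.2.3", "192.168.50.7"))
```

A flow whose source or destination falls outside the crypto ACL never reaches IKE at all, which is the condition the "ACL = deny; no sa created" debug reports.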

Thanks for the help. The issue was resolved by removing and reapplying the ACL and crypto map.

Thanks for your Help!

Brian