
site-to-site between 2 ASA 5505s: "received non-routine Notify message: No proposal chosen"


Hello everyone,

Trying to set up a site-to-site VPN tunnel for a new building.

At our central site we have KSIASA01, which has been running as a remote access VPN server with a static IP address, no NAT.

At our new site we have KSIASA03, brand new ASA, outside address is DHCP, no NAT.

Attempts to build a tunnel are failing with "received non-routine Notify message: No proposal chosen." ISAKMP policies look like they match, but I'm thinking there's something involving the remote access VPN setup on KSIASA01 that is confusing things. Not sure what, though.

I have attached sanitized configs for both ASAs. Also, a debug from KSIASA03 taken as I tried to send traffic from that site to the central site. Thanks in advance for your help!


Jan Rolny


I tried to go through your config, and it seems that the hosts or list of addresses are not the same in the crypto map.

On ksiasa01 you are using outside_cryptomap_20.100, and for this you are using the following rule:

access-list outside_cryptomap_20.100 extended permit ip object-group Plant1-Plant2-MOS Plant3

Please notice that in Plant1-Plant2-MOS you have many more networks (about 8 subnets) included than on ksiasa03 (just 3 subnets).

Also, for ksiasa03 you have two access lists for outside_1_cryptomap. One permits ip and the second permits icmp.

So probably this does not match on both sides and IPsec will not form.
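One way to run the comparison described in the reply above: this added example (not part of the thread or the attached configs) expands each side's crypto ACL, including `object-group network` members, and reports entries that have no mirror image on the peer. The subnets are constructed sample values, the function names are hypothetical, and nested `group-object` entries are not handled.

```python
import ipaddress

def parse_groups(cfg):
    """Map each 'object-group network' name to its set of networks."""
    groups, cur = {}, None
    for tok in (line.split() for line in cfg.splitlines()):
        if tok[:2] == ["object-group", "network"]:
            cur = groups.setdefault(tok[2], set())
        elif tok[:1] == ["network-object"] and cur is not None:
            addr = tok[2] + "/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            cur.add(ipaddress.ip_network(addr))
        elif tok:
            cur = None  # any other command ends the group block
    return groups

def endpoint(tok, groups):
    """Consume one ACL endpoint from the front of tok; return its networks."""
    kind = tok.pop(0)
    if kind == "object-group":
        return groups[tok.pop(0)]
    if kind == "any":
        return {ipaddress.ip_network("0.0.0.0/0")}
    addr = tok.pop(0) + "/32" if kind == "host" else f"{kind}/{tok.pop(0)}"
    return {ipaddress.ip_network(addr)}

def selectors(cfg, acl):
    """Expand a crypto ACL into (protocol, local, remote) selectors."""
    groups, out = parse_groups(cfg), set()
    for tok in (line.split() for line in cfg.splitlines()):
        if tok[:4] == ["access-list", acl, "extended", "permit"]:
            proto, rest = tok[4], tok[5:]
            src, dst = endpoint(rest, groups), endpoint(rest, groups)
            out |= {(proto, str(s), str(d)) for s in src for d in dst}
    return out

def mirror_diff(cfg_a, acl_a, cfg_b, acl_b):
    """Selectors only on A and only on B, with B flipped to A's orientation."""
    a = selectors(cfg_a, acl_a)
    b = {(p, d, s) for p, s, d in selectors(cfg_b, acl_b)}
    return sorted(a - b), sorted(b - a)

# Constructed sample configs: subnets are made up, names follow the thread.
CENTRAL = """object-group network Plant1-Plant2-MOS
 network-object 10.1.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
access-list outside_cryptomap_20.100 extended permit ip object-group Plant1-Plant2-MOS 10.3.0.0 255.255.255.0"""
REMOTE = """access-list outside_1_cryptomap extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit icmp 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0"""
print(mirror_diff(CENTRAL, "outside_cryptomap_20.100", REMOTE, "outside_1_cryptomap"))
```

Two empty lists mean every entry on one ASA has a mirrored entry on the other; anything listed is a selector only one side defines.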



Hi Jan,

Thanks for the tip. I changed the network group Plant1-Plant2-MOS on ksiasa01 to match the one on ksiasa03. Also, I removed the ACL for icmp on outside_1_cryptomap. Still no luck, unfortunately.
