02-25-2011 12:56 AM
Hi
I am configuring a site-to-site IPsec VPN tunnel between an ASA5520 and a Cisco router, and I am getting the error below:
Queuing-key-acquire-messages-to-be-processed-when-p1-sa-is-complete
I have checked the log message guide for the ASA but couldn't find any reference to it.
Can anyone please let me know the meaning of the error message and its cause?
Thanks

02-25-2011 01:52 AM
Try the below
no crypto isakmp identity hostname
crypto isakmp identity address
clear cryp is sa
clear cryp ip sa
HTH
02-25-2011 10:01 PM
Hi,
The following link will give you details of the error message and the reason behind it:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution15
Error Message %PIX|ASA-6-713219: Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.
This message indicates that Phase 2 messages are being enqueued after Phase 1 completes. This error message might be due to one of these reasons:
Mismatch in phase on any of the peers
ACL is blocking the peers from completing phase 1
This message usually comes after the Removing peer from peer table failed, no match! error message.
If the Cisco VPN Client is unable to connect the head-end device, the problem can be the mismatch of ISAKMP Policy. The head-end device must match with one of the IKE Proposals of the Cisco VPN Client.
Note: For the ISAKMP policy and IPsec Transform-set that is used on the PIX/ASA, the Cisco VPN client cannot use a policy with a combination of DES and SHA. If you use DES, you need to use MD5 for the hash algorithm, or you can use the other combinations, 3DES with SHA and 3DES with MD5.
Hope this helps.
Regards,
Anisha
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
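
Added example (not part of the original posts or of Cisco's document): a small offline check for the ISAKMP policy mismatch described above, which reports which Phase 1 policies on two peers agree on encryption, hash, authentication and DH group. The function names and both sample configurations are constructed for illustration. It assumes every attribute is written explicitly in the pasted configuration (defaults that a device leaves out of its running config are not filled in), and it ignores lifetime.

```python
import re

# Attributes both peers must agree on for a Phase 1 proposal to be accepted.
KEYS = ("encryption", "hash", "authentication", "group")
ALIASES = {"encr": "encryption"}  # IOS running-config spelling

# Constructed sample configurations, not taken from the thread.
ASA_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
ROUTER_CONFIG = """
crypto isakmp policy 5
 encr des
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""

def parse_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            key = ALIASES.get(key, key)
            if key in KEYS and value:
                current[key] = "-".join(value.split())  # "aes 256" -> "aes-256"
        else:
            current = None  # an unindented line ends the policy block
    return policies

def common_proposals(config_a, config_b):
    """Return (priority_a, priority_b) pairs whose four attributes are all set and equal."""
    a, b = parse_policies(config_a), parse_policies(config_b)
    return [(pa, pb) for pa in sorted(a) for pb in sorted(b)
            if all(k in a[pa] and a[pa][k] == b[pb].get(k) for k in KEYS)]
```

With the sample configurations, common_proposals(ASA_CONFIG, ROUTER_CONFIG) returns an empty list because the only 3DES policy on the router uses MD5 while the ASA uses SHA; an empty result is the condition to look for when Phase 1 does not complete.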