No SPI to identify Phase 2 SA!

  • No SPI to identify Phase 2 SA!

    Site-to-site from my ASA5505 to a vendor ASA fails with the following Phase 2 error (Phase 1 completed):
    construct_ipsec_delete(): No SPI to identify Phase 2 SA!

    I found a few references to PFS as the possible cause for this error; this is my PFS config:
    crypto dynamic-map outside_dyn_map 20 set pfs

    Any ideas?

  • #2
    Re: No SPI to identify Phase 2 SA!

    Do both configs match?
    Can you post them both after removing identifiable info?

    Can you also post a show ver on both?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?

    • #3
      Re: No SPI to identify Phase 2 SA!

      I do not have the other side's config, since it is a vendor and I do not control the ASA on his end.
      Mine is a new 5505 out of the box with the default settings.
      This is the config:
      Code:
      crypto ipsec transform-set OTHERSIDE esp-3des esp-sha-hmac
      crypto dynamic-map outside_dyn_map 20 set pfs
      crypto dynamic-map outside_dyn_map 20 set reverse-route
      crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
      crypto map OTHERSIDEVPN 20 match address OTHERSIDE_FIX
      crypto map OTHERSIDEVPN 20 set peer xx.xx.xx.251
      crypto map OTHERSIDEVPN 20 set transform-set OTHERSIDE
      crypto map OTHERSIDEVPN interface outside
      crypto isakmp enable outside
      crypto isakmp policy 30
       authentication pre-share
       encryption 3des
       hash sha
       group 2
       lifetime 86400
      crypto isakmp nat-traversal  100

      • #4
        Re: No SPI to identify Phase 2 SA!

        Well, in that case ask them for the config.
        There is only one thing that matters with site-to-site VPNs.

        Do the configs match, for example encryption, lifetimes and networks?
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

        • #5
          Re: No SPI to identify Phase 2 SA!

          What Dumber said!

          There is a similar problem here
          http://www.tek-tips.com/viewthread.c...1409554&page=4
          and it still says mismatch between the two...
          cheers
          Andy

          • #6
            Re: No SPI to identify Phase 2 SA!

            I saw this link, but I do not understand where in the Phase 2 configs you see anything related to subnets. It only uses the IP address of the peer and the remote ASA, but there is no subnet value.

            • #7
              Re: No SPI to identify Phase 2 SA!

              I think the primary thing is to get some info from the other side. Can they not provide a cleaned "write term" for you?

              What do you have in the OTHERSIDE_FIX ACL?
              cheers
              Andy

              • #8
                Re: No SPI to identify Phase 2 SA!

                Code:
                access-list OTHERSIDE_FIX extended permit ip host MYSIDE_SERVER_IP host OTHERSIDE_SERVER_IP
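Added example (editor's code, not something any poster in this thread wrote): a small Python checker for the "do both configs match" question raised in #2, #4 and #7. The local side is built from the lines posted in #3 and #8, with the placeholders `MYSIDE_SERVER_IP`, `OTHERSIDE_SERVER_IP` kept as posted. The vendor side is constructed for the example, because the vendor's real config never appears in the thread; its names (`CUSTOMER`, `TO_CUSTOMER`, `CUSTOMER_ACL`, `10.1.1.0/24`) are invented and it carries three deliberate mismatches. The script compares the ISAKMP policy attributes, then the transform-set and PFS setting on the crypto-map entry that is actually applied to `outside`, and then the crypto ACL named by `match address`. That ACL is the answer to #6's question about subnets: its source/destination pairs are the Phase 2 proxy identities, and the peer's ACL has to be the mirror image (its source is your destination). The script treats a bare `set pfs` as `group2`, which is the ASA default DH group for that command.

```python
# Local side: the lines from #3 and #8 that matter for Phase 1 / Phase 2 (placeholders kept as posted).
LOCAL_CFG = """
crypto ipsec transform-set OTHERSIDE esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OTHERSIDEVPN 20 match address OTHERSIDE_FIX
crypto map OTHERSIDEVPN 20 set transform-set OTHERSIDE
crypto map OTHERSIDEVPN interface outside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
access-list OTHERSIDE_FIX extended permit ip host MYSIDE_SERVER_IP host OTHERSIDE_SERVER_IP
"""

# Remote side: CONSTRUCTED for this example (the vendor's real config is not in the thread).
REMOTE_CFG = """
crypto ipsec transform-set TO_CUSTOMER esp-aes esp-sha-hmac
crypto map CUSTOMER 10 match address CUSTOMER_ACL
crypto map CUSTOMER 10 set transform-set TO_CUSTOMER
crypto map CUSTOMER 10 set pfs group2
crypto map CUSTOMER interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
access-list CUSTOMER_ACL extended permit ip host OTHERSIDE_SERVER_IP 10.1.1.0 255.255.255.0
"""

# The same constructed remote config with its three mismatches (AES, PFS, non-mirrored ACL) corrected.
REMOTE_CFG_FIXED = (REMOTE_CFG.replace("esp-aes", "esp-3des")
                    .replace("crypto map CUSTOMER 10 set pfs group2\n", "")
                    .replace("10.1.1.0 255.255.255.0", "host MYSIDE_SERVER_IP"))
P1_KEYS = ("authentication", "encryption", "hash", "group")

def _endpoint(t, i):  # one ACL address spec ('host X' or 'NET MASK') at t[i] -> ('addr/mask', next index)
    return (t[i + 1] + "/255.255.255.255" if t[i] == "host" else t[i] + "/" + t[i + 1]), i + 2

def parse_asa(cfg):  # isakmp policies, transform-sets, crypto-map entries and crypto ACLs of one peer
    conf = {"policies": {}, "tsets": {}, "maps": {}, "acls": {}, "bound": {}}
    policy = None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t:
            continue
        if raw.startswith(" ") and policy is not None:  # sub-command of the current isakmp policy
            conf["policies"][policy][t[0]] = t[1]
            continue
        policy = None
        if t[:3] == ["crypto", "isakmp", "policy"]:
            policy = t[3]
            conf["policies"][policy] = {}
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            conf["tsets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            conf["bound"][t[4]] = t[2]  # only a map applied to an interface is live
        elif t[:2] == ["crypto", "map"]:
            e = conf["maps"].setdefault((t[2], t[3]), {})
            if t[4:6] == ["match", "address"]:
                e["acl"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                e["tsets"] = t[6:]
            elif t[4:6] == ["set", "pfs"]:
                e["pfs"] = t[6] if len(t) > 6 else "group2"  # ASA default DH group for a bare 'set pfs'
        elif t[:1] == ["access-list"] and t[2:4] == ["extended", "permit"]:
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            conf["acls"].setdefault(t[1], []).append((src, dst))
    return conf

def active_entry(conf):  # first static entry of the crypto map bound to 'outside', or None
    name = conf["bound"].get("outside")
    return next((e for (m, _), e in sorted(conf["maps"].items()) if m == name and "acl" in e), None)

def compare(local, remote):
    """Return 'kind: detail' mismatch strings; an empty list means the two peers agree."""
    issues = []
    p1 = lambda c: {tuple(p.get(k) for k in P1_KEYS) for p in c["policies"].values()}
    if not p1(local) & p1(remote):
        issues.append("phase1/policy: no common authentication/encryption/hash/group")
    l, r = active_entry(local), active_entry(remote)
    if l is None or r is None:
        return issues + ["phase2/map: one side has no static crypto-map entry bound to outside"]
    lt, rt = {local["tsets"][n] for n in l.get("tsets", [])}, {remote["tsets"][n] for n in r.get("tsets", [])}
    if not lt & rt:
        issues.append(f"phase2/transform-set: {sorted(map(sorted, lt))} vs {sorted(map(sorted, rt))}")
    if l.get("pfs") != r.get("pfs"):
        issues.append(f"phase2/pfs: local={l.get('pfs')} remote={r.get('pfs')}")
    l_acl = set(local["acls"].get(l["acl"], []))
    r_acl = {(d, s) for (s, d) in remote["acls"].get(r["acl"], [])}  # remote ACL with src/dst swapped
    if l_acl != r_acl:
        issues.append(f"phase2/crypto-acl: {sorted(l_acl)} is not the mirror image of the remote ACL")
    return issues

if __name__ == "__main__":  # three mismatches for the constructed vendor config, then [] once corrected
    print(compare(parse_asa(LOCAL_CFG), parse_asa(REMOTE_CFG)), compare(parse_asa(LOCAL_CFG), parse_asa(REMOTE_CFG_FIXED)))
```

Run as-is it prints the three mismatches for the constructed vendor side, then `[]` once that side is corrected; to use it for real, paste a sanitised `show running-config` from each peer into the two strings. One thing to notice when it runs against the lines from #3: the checker only looks at the crypto map applied to `outside`, which in those lines is `OTHERSIDEVPN`, so the `set pfs` on `outside_dyn_map` (attached to `outside_map`, which is not applied to an interface in the posted lines) does not count, and the live `OTHERSIDEVPN 20` entry is reported as having no PFS.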
