No SPI to identify Phase 2 SA!

  • chuku
    started a topic No SPI to identify Phase 2 SA!

    No SPI to identify Phase 2 SA!

    A site-to-site VPN from my ASA5505 to a vendor ASA fails with the following Phase 2 error (Phase 1 completed):
    construct_ipsec_delete(): No SPI to identify Phase 2 SA!

    I found a few references to PFS as the possible cause for this error; this is my PFS config:
    crypto dynamic-map outside_dyn_map 20 set pfs

    Any ideas?

  • chuku
    replied
    Re: No SPI to identify Phase 2 SA!

    access-list OTHERSIDE_FIX extended permit ip host MYSIDE_SERVER_IP host OTHERSIDE_SERVER_IP



  • AndyJG247
    replied
    Re: No SPI to identify Phase 2 SA!

    I think the primary thing is to get some info from the other side. Can they not provide a cleaned "write term" for you?

    What do you have in the OTHERSIDE_FIX ACL?



  • chuku
    replied
    Re: No SPI to identify Phase 2 SA!

    I saw this link, but I do not understand where in the Phase 2 configs you see anything related to subnets. It only uses the IP address of the peer and the remote ASA, but there is no subnet value.



  • AndyJG247
    replied
    Re: No SPI to identify Phase 2 SA!

    What Dumber said!

    There is a similar problem here
    http://www.tek-tips.com/viewthread.c...1409554&page=4
    and it still says mismatch between the two...



  • Dumber
    replied
    Re: No SPI to identify Phase 2 SA!

    Well, in that case ask them for the config.
    There is only one thing important with site-to-site VPNs:

    Do the configs match, for example, encryption, lifetimes and networks?



  • chuku
    replied
    Re: No SPI to identify Phase 2 SA!

    I do not have the other side's config, since it is a vendor and I do not control the ASA on his end.
    Mine is a new 5505 out of the box with the default settings.
    This is the config:
    Code:
    crypto ipsec transform-set OTHERSIDE esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map OTHERSIDEVPN 20 match address OTHERSIDE_FIX
    crypto map OTHERSIDEVPN 20 set peer xx.xx.xx.251
    crypto map OTHERSIDEVPN 20 set transform-set OTHERSIDE
    crypto map OTHERSIDEVPN interface outside
    crypto isakmp enable outside
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal  100

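The advice in the thread boils down to comparing the settings both peers must agree on: the ISAKMP policy for Phase 1, and the transform-set, PFS and mirrored crypto ACL for Phase 2. As an added example (not code from this thread, from Cisco, or from either poster), the Python script below parses two ASA-style config excerpts and lists the differences. Both config texts are constructed: the "local" side is modelled on the config posted above with documentation addresses substituted for the real ones, and the "vendor" side is hypothetical, since the thread never shows it. Note that the script reads PFS only from the static crypto map entry that names the peer; a `set pfs` on a dynamic-map line applies to dynamic crypto map entries and is ignored here.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the poster's config; real addresses are
# replaced with documentation ranges, and PFS is put on the static map entry.
LOCAL_CFG = """
access-list OTHERSIDE_FIX extended permit ip host 10.1.1.10 host 10.2.2.20
crypto ipsec transform-set OTHERSIDE esp-3des esp-sha-hmac
crypto map OTHERSIDEVPN 20 match address OTHERSIDE_FIX
crypto map OTHERSIDEVPN 20 set peer 203.0.113.251
crypto map OTHERSIDEVPN 20 set pfs group2
crypto map OTHERSIDEVPN 20 set transform-set OTHERSIDE
crypto map OTHERSIDEVPN interface outside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Constructed, hypothetical vendor side: Phase 1 agrees, Phase 2 does not.
REMOTE_CFG = """
access-list TO_CHUKU extended permit ip host 10.2.2.20 host 10.1.1.10
crypto ipsec transform-set VENDORSET esp-aes-256 esp-sha-hmac
crypto map VENDOR 10 match address TO_CHUKU
crypto map VENDOR 10 set peer 198.51.100.5
crypto map VENDOR 10 set transform-set VENDORSET
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
"""

# The same vendor config after aligning transform-set, lifetime and PFS.
REMOTE_FIXED = (REMOTE_CFG.replace("esp-aes-256", "esp-3des")
                .replace("lifetime 28800", "lifetime 86400")
                + "crypto map VENDOR 10 set pfs group2\n")

PHASE1_KEYS = ("authentication", "encryption", "hash", "group")


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Read one ACL address spec: 'host X', 'any', or 'NET MASK'."""
    if tok[i] == "host":
        return tok[i + 1] + "/255.255.255.255", i + 2
    if tok[i] == "any":
        return "any", i + 1
    return tok[i] + "/" + tok[i + 1], i + 2


def parse_asa_crypto(cfg: str) -> Dict:
    """Pull out the settings a site-to-site peer must agree on."""
    acls: Dict[str, Set[Tuple[str, str]]] = {}
    tsets: Dict[str, frozenset] = {}
    maps: Dict[Tuple[str, str], Dict] = {}
    policies: List[Dict[str, str]] = []
    in_policy = False
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        tok = raw.split()
        if raw[0] == " ":                       # sub-command of an isakmp policy
            if in_policy:
                policies[-1][tok[0]] = " ".join(tok[1:])
            continue
        in_policy = False
        if tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(tok, 5)
            dst, _ = _addr(tok, i)
            acls.setdefault(tok[1], set()).add((src, dst))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[tok[3]] = frozenset(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 5 and tok[4] in ("match", "set"):
            entry = maps.setdefault((tok[2], tok[3]), {})   # keyed by (map name, seq)
            if tok[4] == "match":
                entry["acl"] = tok[6]
            elif tok[5] == "peer":
                entry["peer"] = tok[6]
            elif tok[5] == "pfs":
                entry["pfs"] = tok[6] if len(tok) > 6 else "pfs"   # group kept as written
            elif tok[5] == "transform-set":
                entry["transforms"] = tok[6:]
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            policies.append({"priority": tok[3]})
            in_policy = True
    # First static entry that names a peer; dynamic-map lines are deliberately ignored.
    entry = next(e for e in maps.values() if "peer" in e)
    return {"peer": entry["peer"],
            "acl": acls.get(entry.get("acl", ""), set()),
            "transforms": {tsets[t] for t in entry.get("transforms", []) if t in tsets},
            "pfs": entry.get("pfs"),
            "isakmp": policies}


def compare_vpn(local: Dict, remote: Dict) -> List[str]:
    """Return the differences found; an empty list means the checked settings agree."""
    issues: List[str] = []
    pairs = [(l, r) for l in local["isakmp"] for r in remote["isakmp"]
             if all(l.get(k) == r.get(k) for k in PHASE1_KEYS)]
    if not pairs:
        issues.append("Phase 1: no ISAKMP policy agrees on authentication/encryption/hash/group")
    elif all(l.get("lifetime") != r.get("lifetime") for l, r in pairs):
        issues.append("Phase 1: ISAKMP lifetime differs in every matching policy pair")
    if not (local["transforms"] & remote["transforms"]):   # IKE needs one shared proposal
        issues.append("Phase 2: no common transform-set")
    if local["pfs"] != remote["pfs"]:
        issues.append("Phase 2: PFS differs (%s vs %s)" % (local["pfs"], remote["pfs"]))
    if {(d, s) for s, d in local["acl"]} != remote["acl"]:   # remote ACL must be the mirror image
        issues.append("Phase 2: crypto ACLs are not mirror images of each other")
    return issues


def check(local_cfg: str, remote_cfg: str) -> List[str]:
    return compare_vpn(parse_asa_crypto(local_cfg), parse_asa_crypto(remote_cfg))


if __name__ == "__main__":
    for name, remote in (("vendor as posted", REMOTE_CFG), ("vendor after fix", REMOTE_FIXED)):
        print(name + ":", check(LOCAL_CFG, remote) or ["OK"])
```

Running it reports three differences against the hypothetical vendor config (transform-set, PFS and ISAKMP lifetime) and none once the vendor side is aligned. Comparing a config with itself is also instructive: every other setting agrees, yet the ACL check still fails, because the interesting traffic on the far end has to be the mirror image, not a copy.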


  • AndyJG247
    replied
    Re: No SPI to identify Phase 2 SA!

    Do both configs match?
    Can you post them both after removing identifiable info?

    Can you also post a show ver on both?

