
No SPI to identify Phase 2 SA!

Status
Not open for further replies.

Tekmazter

IS-IT--Management
Mar 26, 2002
164
US
ASA 5510 7.2(3) and trying to set up L2L but receive the following error in PHASE II when trying to establish tunnel:

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

This one is new to me. Phase I goes smoothly, Phase II is where the hang-up is. I'm waiting to speak to the remote site about what equipment they're using and settings etc., but thought perhaps someone might be familiar with this one.

IPsec settings for this tunnel are as follows:
PFS: NO
Transform Set: ESP-3DES-MD5
Connection Type: bidirectional
SA Lifetime: default (8 hours)
Traffic Volume: default (4608000 Kbytes)
IKE Negotiation: Main Mode
I am not NAT'ing any tunnel traffic on my side.
 
Solved this issue ... subnet mismatch on the IPsec parameters.

Matched subnets, Phase II completed as usual and everything is online.

Curious to note that information on this error was extremely limited on the web. Searching for Security Parameter Index had me looking in the direction of possible authentication mismatch e.g. AH vs ESP.

Hopefully this helps someone out sometime.
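
A way to catch the subnet mismatch described above before bringing the tunnel up, as an added example that is not part of the original posts: it compares the traffic selectors in each peer's ACL and reports any entry without an exact mirror image on the other side. It assumes the mismatched subnets are the ones in each peer's crypto access-list, written in the ASA `access-list NAME extended permit ip` form; the ACL name, addresses and both sample configs are constructed.

```python
import ipaddress

def parse_crypto_acl(config_text):
    """Extract (source, destination) networks from ASA-style lines of the form
    'access-list NAME extended permit ip SRC MASK DST MASK' (or 'host ADDR')."""
    selectors = set()
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:5] != ["extended", "permit", "ip"]:
            continue
        nets, i = [], 5
        while i + 1 < len(tok) and len(nets) < 2:
            if tok[i] == "host":
                nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            else:  # network address followed by a dotted netmask
                nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False))
            i += 2
        if len(nets) == 2:
            selectors.add(tuple(nets))
    return selectors

def find_mismatches(local_cfg, peer_cfg):
    """Return selectors that have no exact mirror image on the other peer."""
    local = parse_crypto_acl(local_cfg)
    # The peer's (src, dst) must equal our (dst, src), prefix length included.
    mirrored_peer = {(dst, src) for src, dst in parse_crypto_acl(peer_cfg)}
    return {"only_local": sorted(local - mirrored_peer),
            "only_peer": sorted(mirrored_peer - local)}

# Constructed sample configs: the first entry pair matches, the second differs
# only in the mask (/24 locally, /23 on the peer).
LOCAL_CFG = """
access-list L2L_EXAMPLE extended permit ip 10.10.0.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list L2L_EXAMPLE extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
PEER_CFG = """
access-list L2L_EXAMPLE extended permit ip 172.16.5.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list L2L_EXAMPLE extended permit ip 192.168.50.0 255.255.254.0 10.10.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for side, selectors in find_mismatches(LOCAL_CFG, PEER_CFG).items():
        for src, dst in selectors:
            print(f"{side}: {src} -> {dst}")
```

Object-groups and `any` are not parsed; lines using them are skipped rather than compared.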

 