Mine: PIX 520 running 6.3(3) with 120+ VPN tunnels up and running; Theirs: PIX 500 series running 6.3(3) with several (a dozen or so) VPN tunnels as well.
Tunnel will initiate and come up normally when they send traffic from the servers on their side to my servers. As long as they initiate the tunnel, I can get to them, and vice-versa. If the tunnel is down, I am not able to bring it up - I get the error message in my debugs:
"IPSEC(sa_initiate): ACL = deny; no sa created" ...???
We have verified phase 1 and 2 parameters, and it is not an ACL mismatch - those have been checked many times. PSKs match, etc. - we cannot find a discrepancy in the configs between the two firewalls. Cisco has no answer either - the case has been open a week, and they are back to asking for my configs and debug output. Starting over at square 1...
I can't understand why they can bring the tunnel up, but my side cannot? I've got many VPN tunnels up and running, and have done this many times. Thanks in advance, any and all help is appreciated.
jrichv