Re: [fw-wiz] asa 5505 vpn ipsec l2l problem



On Fri, Oct 2, 2009 at 5:09 AM, Hrvoje Popovski <hrvoje@xxxxxxx> wrote:

hello eveyone,

i have asa 5505 with Base license and 7.2.4 sofware.

i'm trying to create l2l ipsec tunnel reading manual on

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html

and when i'm applying acl in crypto map
crypto map abcMap 1 match address acl
i'm getting this log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

i don't have any debug messages (debug crypto ipsec 100)
google it but haven't found any answer.

thank you for your answers!

acl
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq
4000
access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq
4000
access-list acl extended permit tcp host 192.168.11.11 eq ftp host
10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq
ftp-data
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq
4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq
4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq
ftp
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq
ftp-data



If you're not seeing IPsec build the tunnel with debug crypto, I would guess
that traffic is getting NAT'd out, and not hitting the tunnel (by the way,
you probably only need debug crypto ipsec 5, not 100...)


Do you have NAT setup on the 5505? If you do, do you have a NAT exclude ACL
setup that excludes "your device networks -> remote device networks"?

--
Eric
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards