Firewall Wizards mailing list archives
Pix LAN-To-LAN Problem
From: cs 2004 <cskb2004 () yahoo com>
Date: Thu, 17 Jun 2004 06:31:18 -0700 (PDT)
Hi wizards,

I have a typical problem negotiating LAN-To-LAN VPN tunnels from my PIX. I myself have worked on various IPSEC supportive devices including the PIX, but for some reason, this is really troubling me now.

Here is the scenario: I have a PIX on my side and a Cisco concentrator on the customer end. The tunnel can successfully be established when initiated by the customer (Concentrator 3030); all traffic then passes normally. When initiated from our side (PIX 535) we immediately receive "IPSEC(sa_initiate): ACL = deny; no sa created" while running "debug crypto ipsec" and "debug crypto isakmp".

We have other VPN tunnels that function correctly both from the trusted and untrusted networks. I have a border router above my firewall and no filtering on that device.

This problem, "IPSEC(sa_initiate): ACL = deny; no sa created", happens every time I create a new tunnel, and I don't know what happens, but with every customer I see this error. I tell them to make sure the proxy configurations match and UDP 500 traffic is allowed on their border routers; they make some change and it goes through. But for this particular tunnel, I just keep getting the same error.

It's entirely possible that the remote end is the problem; however, I want to rule out possible misconfiguration on my end.

Any clues or suggestions?

Best,
Chandan