Monday, January 13, 2014

Cisco ASA: VPN Debug Message - 'No SPI to identify Phase 2 SA!'

I was onsite at a customer today when they asked me to look at a VPN that had been configured.  They were not able to get VPN traffic across and were just now able to look at it.  I found that the VPN had been configured, and Phase I looked good and was "Active".  However, there was no Phase II happening on the VPN.  So I turned on 'debug cryp isa' and got the following messages:

ASA# Jan 13 10:28:43 [IKEv1]: Group =, IP =, QM FSM error (P2 struct &0xac7ebc00, mess id 0xff9846d6)!
Jan 13 10:28:43 [IKEv1]: Group =, IP =, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jan 13 10:28:43 [IKEv1]: Group =, IP =, Removing peer from correlator table failed, no match!

So I got the contact info for the other side of the VPN and called them.  It turns out that the other side was NAT'ing traffic to a different IP address than what my original IP address was.  The guy before me had not configured for that, so I asked him to not NAT the traffic.  Once he corrected his side, Phase II came up and we were passing traffic.  Looks good.

ASA# sh cryp ipsec sa peer
peer address:
    Crypto map tag: outside_map, seq num: 81, local addr:

      access-list VPNACL permit ip host host
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

      #pkts encaps: 35, #pkts encrypt: 35, #pkts digest: 35
      #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 35, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:, remote crypto endpt.:

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: C19B46B3
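
The triage above as a script: an added example, not part of the original post, that flags peers whose debug output shows the Phase 2 failure pair ('QM FSM error' plus 'No SPI to identify Phase 2 SA') and checks the SA counters for traffic in both directions. The peer addresses, the 'PHASE 2 COMPLETED' sample line and the function names are constructed for illustration.

```python
import re

# Constructed sample: message text as in the post's debug output, peer
# addresses are documentation placeholders (the post's are redacted).
SAMPLE_DEBUG = """\
ASA# Jan 13 10:28:43 [IKEv1]: Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0xac7ebc00, mess id 0xff9846d6)!
Jan 13 10:28:43 [IKEv1]: Group = 203.0.113.10, IP = 203.0.113.10, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jan 13 10:28:43 [IKEv1]: Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from correlator table failed, no match!
Jan 13 10:29:02 [IKEv1]: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=1a2b3c4d)
"""
# Counter lines copied from the post's 'sh cryp ipsec sa' output.
SAMPLE_SA = """\
      #pkts encaps: 35, #pkts encrypt: 35, #pkts digest: 35
      #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
"""

LINE_RE = re.compile(r"\[IKEv1\]: Group =\s*(?P<group>[^,]*),\s*IP =\s*(?P<ip>[^,]*),\s*(?P<msg>.*)$")
MARKERS = {
    "qm_fsm_error": "QM FSM error",
    "no_spi": "No SPI to identify Phase 2 SA",
    "correlator": "Removing peer from correlator table failed",
}

def phase2_failures(debug_text):
    """Map peer IP -> markers seen, for peers whose Quick Mode (Phase 2) failed."""
    seen = {}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        peer = m.group("ip").strip() or "<redacted>"  # the post's lines have empty IP fields
        for name, text in MARKERS.items():
            if text in m.group("msg"):
                seen.setdefault(peer, set()).add(name)
    required = {"qm_fsm_error", "no_spi"}
    return {p: sorted(h) for p, h in seen.items() if required <= h}

def sa_passing_traffic(show_text):
    """True when the SA counters show packets both encrypted and decrypted."""
    enc = re.search(r"#pkts encrypt: (\d+)", show_text)
    dec = re.search(r"#pkts decrypt: (\d+)", show_text)
    return bool(enc and dec and int(enc.group(1)) > 0 and int(dec.group(1)) > 0)

if __name__ == "__main__":
    for peer, hits in phase2_failures(SAMPLE_DEBUG).items():
        print(f"{peer}: Phase 2 failed ({', '.join(hits)}); compare the crypto ACL "
              "and any NAT on both ends")
    print("SA passing traffic both ways:", sa_passing_traffic(SAMPLE_SA))
```
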
