Re: IPSec VPN - Interesting traffic only trigger crypto map

From: Craig Miller <ripperthejack2001_at_yahoo.com>
Date: Thu, 23 Jul 2009 08:55:32 -0700 (PDT)

That bug doesn't apply; you don't have multiple crypto maps with the same name, unless you truncated the output of your show run.

The previous poster was right: look at your protected networks, they don't match on both sides. Also, if you have a dynamic crypto map (which I don't see, but could be truncated off the list), the dynamic map needs to be placed at the bottom of the list, or it could cause SA issues as well.

Other things to check: NAT-T, verify ISAKMP is enabled properly, etc. I have seen the ASA ASDM leave off the ISAKMP configuration before.

But I think your mismatched ACL / protected networks is your problem.

Craig

--- On Thu, 7/23/09, Teu Kim Loon <kim.teu_at_gmail.com> wrote:

> From: Teu Kim Loon <kim.teu_at_gmail.com>
> Subject: Re: IPSec VPN - Interesting traffic only trigger crypto map from one end
> To: "Alberto Rivai" <bartoqid_at_yahoo.com>
> Cc: "Cisco certification" <security_at_groupstudy.com>, ccielab_at_groupstudy.com
> Date: Thursday, July 23, 2009, 9:21 AM
> Below is the error I see when trying to initiate connections behind PIX. On
> the ASA side, I didn't see any error or traffic.
> IPSEC(sa_initiate): ACL = deny; no sa created
> IPSEC(sa_initiate): ACL = deny; no sa created
> IPSEC(sa_initiate): ACL = deny; no sa created
> IPSEC(sa_initiate): ACL = deny; no sa created
>
> I found this bug. Is this applicable to PIX?
> "Configuring two crypto map entries using the same name but different
> priorities, different peers, different access lists, causes the second
> crypto map entry to be ineffective and no corresponding security
> associations are established. [...] The workaround is to avoid configuring
> two crypto map entries with the same name but different priority, different
> peers, and different access lists [...] (CSCea25305)"
>
> <<<<ASA Config>>>>
>
> object-group network BRAZIL_REMOTE
> network-object 192.168.95.128 255.255.255.128
> network-object 192.168.96.0 255.255.254.0
> object-group network BRAZIL_LOCAL
> network-object host 144.72.247.54
> network-object 172.26.39.0 255.255.255.0
> network-object 192.168.120.0 255.255.255.0
> network-object 192.168.122.0 255.255.255.0
> network-object 192.168.124.0 255.255.255.0
> network-object 172.26.72.0 255.255.254.0
> network-object 172.17.248.0 255.255.248.0
>
> access-list L2L_BRAZIL extended permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE
>
> crypto ipsec transform-set L2L_GM_BRAZIL esp-des esp-md5-hmac
>
> group-policy 1.1.1.1 internal
> group-policy 1.1.1.1 attributes
> vpn-tunnel-protocol ipsec
> vpn-filter none
> vpn-idle-timeout none
> webvpn
> functions none
>
> tunnel-group 1.1.1.1 type ipsec-l2l
> tunnel-group 1.1.1.1 general-attributes
> default-group-policy 1.1.1.1
> accounting-server-group default_ar
> tunnel-group 1.1.1.1 ipsec-attributes
> pre-shared-key XXXXXXX
> no chain
> no trust-point
> isakmp keepalive disable
> peer-id-validate req
>
> crypto map static-map 5 match address L2L_BRAZIL
> crypto map static-map 5 set peer 1.1.1.1
> crypto map static-map 5 set transform-set L2L_BRAZIL
> crypto map static-map 5 set security-association lifetime seconds 86400
> crypto map static-map 5 set security-association lifetime kilobytes 4608000
> crypto map static-map 5 set nat-t-disable
> crypto map static-map 5 set phase1-mode aggressive
> crypto map static-map 5 set connection-type bi-directional
>
> crypto map static-map interface outside
> crypto isakmp enable outside
>
> <<<<PIX Config>>>>
>
> access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0
> access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.120.0 255.255.255.0
> access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.39.0 255.255.255.0
> access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.39.0 255.255.255.0
> access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.122.0 255.255.255.0
> access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.122.0 255.255.255.0
> access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.124.0 255.255.255.0
> access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.124.0 255.255.255.0
> access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.72.0 255.255.254.0
> access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0
> access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 host 144.72.247.54
> access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 host 144.72.247.54
> access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.17.248.0 255.255.248.0
> access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.17.248.0 255.255.248.0
>
> nat (inside) 0 access-list inside_nonat
> access-list inside_nonat permit ip any 192.168.122.0
> 255.255.255.0
> access-list inside_nonat permit ip any 192.168.124.0
> 255.255.255.0
> ....
>
> crypto map Tempe interface outside
> isakmp enable outside
> isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
>
> crypto map Tempe 20 ipsec-isakmp
> crypto map Tempe 20 match address dallas1_vpn
> crypto map Tempe 20 set peer 2.2.2.2
> crypto map Tempe 20 set transform-set Tempe
> crypto map Tempe 20 set security-association lifetime seconds 86400 kilobytes 4602000
>
> On Thu, Jul 23, 2009 at 7:49 AM, Alberto Rivai <bartoqid_at_yahoo.com>
> wrote:
>
> > Usually it's because of a wrong access-list to match the encrypted traffic, a
> > common mistake.
> >
> > --- On Thu, 7/23/09, Teu Kim Loon <kim.teu_at_gmail.com> wrote:
> >
> > From: Teu Kim Loon <kim.teu_at_gmail.com>
> > Subject: IPSec VPN - Interesting traffic only trigger crypto map from one end
> > To: "Cisco certification" <security_at_groupstudy.com>,
> > ccielab_at_groupstudy.com
> > Date: Thursday, July 23, 2009, 10:14 AM
> >
> > Hello Experts,
> > IPSec VPN between ASA 8.0 and PIX 6.3. I verified identical IKE and IPSec
> > configuration on both ends. However, I am only able to initiate connection
> > from ASA.
> >
> > Any idea why?
> >
> > Thanks.
> > Kim
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> >
> _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
> --
> May All Behappy!!!
> Kim Loon Teu
> CCIE 19369
> www.kimteu.com
> http://www.linkedin.com/in/kimteu
>
> All conditioned phenomena
> Are like a dream, an illusion, a bubble, a shadow
> Like the dew, or like lightning
> You should discern them like this
>

Received on Thu Jul 23 2009 - 08:55:32 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART
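The advice in this thread, to compare the protected networks on both ends of the tunnel, can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, from Cisco, or from any poster: it expands the ASA object-group ACL and the PIX flat ACL quoted above into (local, remote) network pairs, then reports every pair that has no mirror image on the other side. The addresses are copied from the quoted configs (with the mail-wrapped lines collapsed back onto single lines); the second PIX ACL, with one octet altered, is constructed here only to show what an asymmetric report looks like.

```python
"""Mirror-check for a pair of IPsec crypto-map ACLs (added example, not from the thread)."""
import ipaddress
import itertools

# ASA side: object-groups and ACL as quoted in the thread, one command per line.
ASA_CONFIG = """
object-group network BRAZIL_REMOTE
 network-object 192.168.95.128 255.255.255.128
 network-object 192.168.96.0 255.255.254.0
object-group network BRAZIL_LOCAL
 network-object host 144.72.247.54
 network-object 172.26.39.0 255.255.255.0
 network-object 192.168.120.0 255.255.255.0
 network-object 192.168.122.0 255.255.255.0
 network-object 192.168.124.0 255.255.255.0
 network-object 172.26.72.0 255.255.254.0
 network-object 172.17.248.0 255.255.248.0
access-list L2L_BRAZIL extended permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE
"""

# PIX side: the flat crypto ACL as quoted in the thread.
PIX_CONFIG = """
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.120.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.39.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.39.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.122.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.122.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.124.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.124.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.72.0 255.255.254.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 host 144.72.247.54
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 host 144.72.247.54
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.17.248.0 255.255.248.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.17.248.0 255.255.248.0
"""

# Constructed variant (NOT from the thread): one octet mistyped, .120.0 -> .121.0,
# to show how a single non-mirrored entry is reported.
PIX_CONFIG_TYPO = PIX_CONFIG.replace(
    "192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0",
    "192.168.95.128 255.255.255.128 192.168.121.0 255.255.255.0", 1)


def _endpoint(tokens, i, groups):
    """Parse one address field starting at tokens[i]; return (set of networks, next index)."""
    tok = tokens[i]
    if tok == "host":
        return {ipaddress.ip_network(tokens[i + 1])}, i + 2
    if tok == "any":
        return {ipaddress.ip_network("0.0.0.0/0")}, i + 1
    if tok == "object-group":
        return set(groups[tokens[i + 1]]), i + 2
    # "address netmask" form; strict=False tolerates host bits set in the address
    return {ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)}, i + 2


def parse_crypto_acl(config):
    """Expand object-groups and permit lines into a set of (local, remote) network pairs."""
    groups, pairs, current = {}, set(), None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "network":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            nets, _ = _endpoint(t, 1, groups)
            current.extend(nets)
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("ip") + 1            # source field follows the protocol token
            src, i = _endpoint(t, i, groups)
            dst, _ = _endpoint(t, i, groups)
            pairs |= set(itertools.product(src, dst))
    return pairs


def mirror(pairs):
    """Swap local/remote so the peer's ACL is expressed from our point of view."""
    return {(dst, src) for src, dst in pairs}


def mirror_diff(ours, theirs):
    """Return (pairs only we permit, pairs only they permit), each in its own orientation."""
    return sorted(ours - mirror(theirs)), sorted(theirs - mirror(ours))


def report(ours, theirs):
    """Human-readable summary of mirror_diff()."""
    only_ours, only_theirs = mirror_diff(ours, theirs)
    if not only_ours and not only_theirs:
        return "ACLs mirror each other (%d pairs)" % len(ours)
    lines = ["ACLs do NOT mirror:"]
    lines += ["  only on this side: %s -> %s" % p for p in only_ours]
    lines += ["  only on peer side: %s -> %s" % p for p in only_theirs]
    return "\n".join(lines)


if __name__ == "__main__":
    asa, pix = parse_crypto_acl(ASA_CONFIG), parse_crypto_acl(PIX_CONFIG)
    print("thread configs:", report(asa, pix))
    print("typo variant:  ", report(asa, parse_crypto_acl(PIX_CONFIG_TYPO)))
```

Any pair listed under "only on this side" is traffic this end will try to protect but the peer will not accept a proposal for, and vice versa; a clean report only rules out the ACL mismatch, so the other items in the thread (NAT exemption, NAT-T, ISAKMP enabled on the interface) still need to be checked by hand.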