We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Setting up a l2l vpn between 2 ASA

Rick5225 asked
Medium Priority
Last Modified: 2012-05-06
Hello All,

I'm setting up an ipsec l2l vpn between two 5510 asa's. Phase 1 completes and then i get an error "crypto map policy not found" I've verified that the crypto map is in both configs and that they match, but it doesn't seem to want to negotiate the sa's. This tunnel was up and running a couple of weeks ago, then a requirment came in for me to add remote access vpn capablitiy to one of the asa's. Also, orginally was getting an NO SPI to identify Phase 2 SA, think i may have resolved that one, but wanted to give as much info as i can.

I've attached both asa configs.

Any help is greatly appreciated!


Watch Question


sysopt connection permit-vpn
( at both end of asa)

then try
clear ipsec sa
clear isakmp sa

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

In asa #1 your peer address is pointing at itself:

crypto map uk_map 1 set peer

this is your ip address of your outside interface:

interface Ethernet0/1
 nameif outside
 security-level 0
 ip address

the above cryptomap statement ip should be pointing at pix#2

forgot to add you will want to run the commands also that ricks v stated (this clears out incorrect security associations

they have correct peer addresses:
ASA1 config:
crypto map outside_map 10 set peer

ASA2 config:
crypto map uk_map 1 set peer

no changes needs to be made for peer/ interface address..

btw, hope is not the real address.
note: always hide the internet address when posting config..

you are right, I was copying the cryptomap configs in notepad file to compare them on each peer to check for mismatches

what about for starters resetting shared keys on both asa's  - this will cause phase I failure


Thanks guys for the responses!

No luck, ran the commands that you suggested ricks v, didn't establish the tunnel.

Attached is the debug logging

Take this out from asa2 "access-list l2l_VPN_UK extended permit icmp any any", which has no match on other end. see what will happen.


Actually, It worked!

Thanks ricks v, i had a routing issue turns out, but need the commands anyway.

thanks guys for all your help!


Again, thx for you help!

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.