[c-nsp] lan-to-lan pix-vpn3k unidirectional problem
Andrew Yourtchenko
ayourtch at cisco.com
Thu Nov 24 14:40:02 EST 2005
> not able to bring it up - I get the error message in my debugs:
> "IPSEC(sa_initiate): ACL = deny; no sa created" ...???
I did see that a few times - but was never able to consistently
reproduce it to file a bug. It was usually after some manipulations
with the crypto maps. Reloading, or removing/reapplying the crypto map on
the interface, helped - and then no one cared afterwards. If we are able
to reproduce this error together - we'll ensure we address it.
>
> We have verified phase 1 and 2 parameters, and it is not an ACL
> mismatch - those have been checked many times. PSKs match, etc. - we
> cannot find a discrepancy in the configs between the two firewalls.
> Cisco has no answer either - the case has been open a week, and they are
> back to asking for my configs and debug output. Starting over at square
> 1...
>
Could you please drop me the case#, I'll check and get back to you.
> After re-reading the crypto PIX command documentation, I noticed a TIP
> suggesting to clear the 'crypto map MYMAP interface outside' and then to
> configure it again. I've done it, and after that (pinging from my side)
> the debug shows some ISAKMP negotiation (but from the debug it seems that
> it is the VPN3k that opens the ISAKMP negotiation) that at last fails.
>
Aha. Now it would be something different. Depends on what the debugs say
this time. Drop me the number please, we'll continue in unicast.
thanks,
andrew