IKE initiator unable to find Policy; Intf Outside, Src: Error

Answered Question
Jun 8th, 2010

I have a Cisco ASA 5505 that has a tunnel to a remote office. I just set up another tunnel identically to another office and when I monitor the VPN in ASDM I can see that the VPN is active. But I can't ping through it. When I check the logs I see "IKE initiator unable to find Policy; Intf Outside, Src:..." Does anyone know what could be causing this? Below is a copy of the config. Thanks.

bdavpn1# show config
: Saved
: Written by admin at 17:54:11.823 ADT Mon Jun 7 2010
!
ASA Version 8.2(2)
!
hostname bdavpn1
domain-name domain.com
enable password OSaXLnYQKkAcBhYA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.100 255.255.255.0 standby 192.168.2.101
!
interface Vlan2
nameif outside
security-level 0
ip address 101.17.205.116 255.255.255.248 standby 101.17.205.117
!
interface Vlan3
nameif dmz
security-level 50
ip address 172.20.0.1 255.255.255.0 standby 172.20.0.3
!
interface Vlan4
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 91
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 4
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 172.20.0.99
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Chicago-Nets
network-object 10.150.1.0 255.255.255.0
network-object 10.150.55.0 255.255.255.0
network-object 10.150.56.0 255.255.255.0
network-object 10.150.57.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 192.168.26.0 255.255.255.0
network-object 10.150.111.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.4.0 255.255.255.0
group-object Chicago-Nets
object-group network DM_INLINE_NETWORK_1
network-object 192.168.4.0 255.255.255.0
group-object Chicago-Nets
object-group network DM_INLINE_NETWORK_3
network-object 172.20.0.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 172.20.0.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
access-list outside_to_dmz remark Allow access to citrix server
access-list outside_to_dmz extended permit tcp any host 101.17.205.123 eq https log
access-list dmz_to_inside extended permit ip host 172.20.0.2 192.168.2.0 255.255.255.0 log
access-list outside_access_in remark Citrix Incoming
access-list outside_access_in extended permit tcp any host 101.17.205.123 eq https
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
pager lines 101
logging enable
logging timestamp
logging standby
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface failover Vlan4
failover interface ip failover 172.16.30.1 255.255.255.252 standby 172.16.30.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 101.17.205.123 172.20.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_to_inside in interface dmz
route outside 0.0.0.0 0.0.0.0 101.17.205.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http redirect outside 80
snmp-server host inside 10.150.1.177 poll community ***** version 2c
snmp-server host inside 10.150.2.38 poll community ***** version 2c
snmp-server location Hamilton, Bermuda
snmp-server contact Rene Bouchard
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 101.88.182.189
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 2 match address outside_2_cryptomap
crypto map outside_map3 2 set peer 101.1.95.253
crypto map outside_map3 2 set transform-set ESP-3DES-SHA
crypto map outside_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map3 interface outside
crypto ca trustpoint bdavpn1
enrollment terminal
fqdn bdavpn1.domain.bm
subject-name CN=bdavpn1.domain.bm,OU=Ltd,O=domain,C=US,St=of_confusion,L=Hamilton,EA=platwood@domain.com
crl configure
crypto ca certificate map domainincCertificateMap 10
subject-name attr cn eq sslvpn.domain.com
crypto ca certificate chain bdavpn1
certificate ca 00
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 120
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.116 source inside prefer
ntp server 192.168.2.117 source inside
ssl trust-point bdavpn1 outside
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username LtdAdmin password XRlF3jA1k3JEhNgr encrypted privilege 15
username domainadmin password E1zLpTPUtBADN9og encrypted privilege 15
tunnel-group sslvpn.domain.com type ipsec-l2l
tunnel-group sslvpn.domain.com ipsec-attributes
peer-id-validate cert
trust-point bdavpn1
tunnel-group 101.88.182.189 type ipsec-l2l
tunnel-group 101.88.182.189 ipsec-attributes
pre-shared-key *
tunnel-group 101.1.95.253 type ipsec-l2l
tunnel-group 101.1.95.253 ipsec-attributes
pre-shared-key *
tunnel-group-map enable rules
tunnel-group-map domainincCertificateMap 10 sslvpn.domain.com
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 10101
  id-randomization
  id-mismatch action log
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a23ada0366576d96bd5c343645521107

Correct Answer
coto.fusionet Tue, 06/08/2010 - 09:32

Scott,

When you check the status of both tunnels from the CLI, check the following:

sh cry isa sa --> shows as Active or QM_IDLE

sh cry ips sa --> shows packets encrypted/decrypted

If the second tunnel does not come up properly, we need to check that the policies match on both ends of the tunnel.

If this second tunnel does come up but does not pass traffic, we might have a routing or NAT issue.

Federico.
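Added example (not part of the thread): one concrete instance of the policy mismatch Federico describes is two crypto map entries whose ACLs select the same flow. In the posted config, outside_cryptomap (via DM_INLINE_NETWORK_1) and outside_2_cryptomap (via DM_INLINE_NETWORK_4) both cover 192.168.2.0/24 to 192.168.4.0/24, and the ASA uses the lowest-numbered matching crypto map entry, so that traffic is only ever offered to the first peer. The Python below parses a constructed excerpt of that config and reports such overlaps; it handles only the ACE operand forms the excerpt uses (object-group and network/mask).

```python
import ipaddress
from itertools import combinations

# Constructed excerpt of the poster's config: both crypto ACLs, their object-groups and the crypto map entries.
CONFIG = """\
object-group network Chicago-Nets
 network-object 10.150.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.4.0 255.255.255.0
 group-object Chicago-Nets
object-group network DM_INLINE_NETWORK_4
 network-object 172.20.0.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 2 match address outside_2_cryptomap
"""

def expand(groups, name):
    # Flatten a network object-group; nested group-object references are stored as strings.
    return [n for i in groups[name] for n in (expand(groups, i) if isinstance(i, str) else [i])]

def networks(pair, groups):
    # One ACE operand: "object-group NAME" or "NETWORK MASK" (the two forms this config uses).
    return expand(groups, pair[1]) if pair[0] == "object-group" else [ipaddress.ip_network("/".join(pair))]

def crypto_map_flows(config):
    # Map each crypto map sequence number to the (src, dst) flows its match-address ACL selects.
    groups, acls, cmap, cur = {}, {}, {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group":
            cur = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            cur.append(ipaddress.ip_network("/".join(t[1:3])))
        elif t[0] == "group-object":
            cur.append(t[1])
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("ip") + 1
            src, dst = networks(t[i:i + 2], groups), networks(t[i + 2:i + 4], groups)
            acls.setdefault(t[1], []).extend((s, d) for s in src for d in dst)
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cmap[int(t[3])] = t[6]
    return {seq: acls.get(acl, []) for seq, acl in cmap.items()}

def overlapping_entries(config):
    # Flows matched by two entries: the lower sequence wins, so that traffic never reaches the second peer.
    flows = crypto_map_flows(config)
    return [(a, b, str(sa), str(da)) for a, b in combinations(sorted(flows), 2)
            for sa, da in flows[a] for sb, db in flows[b] if sa.overlaps(sb) and da.overlaps(db)]
```

Run it against the two crypto ACLs from `show running-config` and an empty result means each flow is claimed by exactly one peer; any hit is a flow that a later crypto map entry can never carry.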

scottpazelt Tue, 06/08/2010 - 10:17

Thanks Federico.

This is what I'm getting. The 2nd VPN is the one in question. It appears to be up. Could it be a routing issue? I only have a default route on this firewall.

bdavpn1# sh cry isa sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 101.88.182.189
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 101.1.95.253
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

coto.fusionet Tue, 06/08/2010 - 10:20

Ok, phase 1 shows up for both tunnels.

What about phase 2 for this second tunnel?

sh cry ips sa

Federico.

scottpazelt Tue, 06/08/2010 - 12:43

It looks like it was a NAT or route issue. I changed the IP scheme on the other end and it's working now.

Thanks for your help.

suhas_syndrome Wed, 07/31/2013 - 07:26

Hi Scott,

I am running into the same problem.

My dynamic tunnel is showing UP, but when I ping the remote LAN I get this error:

%ASA-3-713042: IKE Initiator unable to find policy: Intf

Please find below the output from the command.

Tunnel status:

ciscoasa# show isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 159.148.115.132
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 117.219.148.69
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
ciscoasa#

Session Type: LAN-to-LAN

Connection   : 159.148.115.132   (this is the statically configured VPN; it has no problem)
Index        : 44                     IP Addr      : 159.148.115.132
Protocol     : IKE
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 11:16:07 UTC Wed Jul 31 2013
Duration     : 0h:26m:21s

Connection   : ckgs-indr
Index        : 45                     IP Addr      : 117.219.148.69   (this is dynamically configured; it has the problem)
Protocol     : IKE
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 11:32:15 UTC Wed Jul 31 2013
Duration     : 0h:10m:13s
ciscoasa#

suhas B.

Posted June 8, 2010 at 9:23 AM