06-08-2010 09:23 AM
I have a Cisco ASA 5505 that has a tunnel to a remote office. I just set up another tunnel identically to another office and when I monitor the VPN in ASDM I can see that the VPN is active. But I can't ping through it. When I check the logs I see "IKE initiator unable to find Policy; Intf Outside, Src:..." Does anyone know what could be causing this? Below is a copy of the config. Thanks.
bdavpn1# show config
: Saved
: Written by admin at 17:54:11.823 ADT Mon Jun 7 2010
!
ASA Version 8.2(2)
!
hostname bdavpn1
domain-name domain.com
enable password OSaXLnYQKkAcBhYA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.100 255.255.255.0 standby 192.168.2.101
!
interface Vlan2
nameif outside
security-level 0
ip address 101.17.205.116 255.255.255.1018 standby 101.17.205.117
!
interface Vlan3
nameif dmz
security-level 50
ip address 172.20.0.1 255.255.255.0 standby 172.20.0.3
!
interface Vlan4
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 91
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 4
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 172.20.0.99
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Chicago-Nets
network-object 10.150.1.0 255.255.255.0
network-object 10.150.55.0 255.255.255.0
network-object 10.150.56.0 255.255.255.0
network-object 10.150.57.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 192.168.26.0 255.255.255.0
network-object 10.150.111.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.4.0 255.255.255.0
group-object Chicago-Nets
object-group network DM_INLINE_NETWORK_1
network-object 192.168.4.0 255.255.255.0
group-object Chicago-Nets
object-group network DM_INLINE_NETWORK_3
network-object 172.20.0.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 172.20.0.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
access-list outside_to_dmz remark Allow access to citrix server
access-list outside_to_dmz extended permit tcp any host 101.17.205.123 eq https log
access-list dmz_to_inside extended permit ip host 172.20.0.2 192.168.2.0 255.255.255.0 log
access-list outside_access_in remark Citrix Incoming
access-list outside_access_in extended permit tcp any host 101.17.205.123 eq https
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
pager lines 101
logging enable
logging timestamp
logging standby
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface failover Vlan4
failover interface ip failover 172.16.30.1 255.255.255.252 standby 172.16.30.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 101.17.205.123 172.20.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_to_inside in interface dmz
route outside 0.0.0.0 0.0.0.0 101.17.205.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http redirect outside 80
snmp-server host inside 10.150.1.177 poll community ***** version 2c
snmp-server host inside 10.150.2.38 poll community ***** version 2c
snmp-server location Hamilton, Bermuda
snmp-server contact Rene Bouchard
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 101.88.182.189
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 2 match address outside_2_cryptomap
crypto map outside_map3 2 set peer 101.1.95.253
crypto map outside_map3 2 set transform-set ESP-3DES-SHA
crypto map outside_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map3 interface outside
crypto ca trustpoint bdavpn1
enrollment terminal
fqdn bdavpn1.domain.bm
subject-name CN=bdavpn1.domain.bm,OU=Ltd,O=domain,C=US,St=of_confusion,L=Hamilton,EA=platwood@domain.com
crl configure
crypto ca certificate map domainincCertificateMap 10
subject-name attr cn eq sslvpn.domain.com
crypto ca certificate chain bdavpn1
certificate ca 00
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 120
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.116 source inside prefer
ntp server 192.168.2.117 source inside
ssl trust-point bdavpn1 outside
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username LtdAdmin password XRlF3jA1k3JEhNgr encrypted privilege 15
username domainadmin password E1zLpTPUtBADN9og encrypted privilege 15
tunnel-group sslvpn.domain.com type ipsec-l2l
tunnel-group sslvpn.domain.com ipsec-attributes
peer-id-validate cert
trust-point bdavpn1
tunnel-group 101.88.182.189 type ipsec-l2l
tunnel-group 101.88.182.189 ipsec-attributes
pre-shared-key *
tunnel-group 101.1.95.253 type ipsec-l2l
tunnel-group 101.1.95.253 ipsec-attributes
pre-shared-key *
tunnel-group-map enable rules
tunnel-group-map domainincCertificateMap 10 sslvpn.domain.com
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 10101
id-randomization
id-mismatch action log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a23ada0366576d96bd5c343645521107
06-08-2010 09:32 AM
Scott,
When you check the status of both tunnels from the CLI, check the following:
sh cry isa sa --> shows as Active or QM_IDLE
sh cry ips sa --> shows packets encrypted/decrypted
If the second tunnel does not come up properly, we need to check that the policies match on both ends of the tunnel.
If this second tunnel does come up but does not pass traffic, we might have a routing or NAT issue.
Federico.
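Before settling on routing or NAT, one config-level check is worth running against a map like the one posted above: the ASA evaluates crypto map entries in sequence order and the first entry whose ACL matches a flow wins, so a flow listed under a later sequence but already covered by an earlier entry is sent to the earlier peer and never reaches the later one. The script below is an added example (not from the thread or from Cisco); it parses a constructed excerpt of the posted config (Chicago-Nets omitted) and reports such shadowed flows. It only understands `permit ip` entries with `object-group NAME` or `NETWORK MASK` address specs, which is all the posted crypto ACLs use.

```python
import ipaddress

# Constructed excerpt of the config posted above: the two crypto ACLs, the
# object-groups they use (Chicago-Nets omitted) and the static crypto map entries.
CONFIG = """\
object-group network DM_INLINE_NETWORK_1
network-object 192.168.4.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 172.20.0.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 101.88.182.189
crypto map outside_map3 2 match address outside_2_cryptomap
crypto map outside_map3 2 set peer 101.1.95.253
"""

def parse(text):
    # Collect network object-groups, `permit ip` ACL entries and crypto map entries keyed by seq.
    groups, acls, cmap, cur = {}, {}, {}, None
    for t in (ln.split() for ln in text.splitlines() if ln.strip()):
        if t[:2] == ["object-group", "network"]:
            cur = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            cur.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append(t[5:])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            e = cmap.setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]: e["acl"] = t[6]
            if t[4:6] == ["set", "peer"]: e["peer"] = t[6]
    return groups, acls, cmap

def addr(tok, groups):
    # One two-token ACL address spec: `object-group NAME` or `NETWORK MASK`.
    return groups[tok[1]] if tok[0] == "object-group" else [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")]

def shadowed(text):
    # Flows of a later crypto map entry that an earlier (lower seq) entry already matches.
    groups, acls, cmap = parse(text)
    hits, seen = [], []
    for seq in sorted(cmap):
        if "acl" not in cmap[seq]: continue  # dynamic map entries carry no match address
        for tok in acls[cmap[seq]["acl"]]:
            for s in addr(tok, groups):
                for d in addr(tok[2:], groups):
                    hits += [(seq, cmap[seq].get("peer"), f"{s}->{d}", ps, pp)
                             for ps, pp, a, b in seen if s.overlaps(a) and d.overlaps(b)]
                    seen.append((seq, cmap[seq].get("peer"), s, d))
    return hits
```

Each hit names the later sequence and peer, the flow, and the earlier sequence and peer that capture it; on the posted config the 192.168.2.0/24 to 192.168.4.0/24 flow of sequence 2 is reported as already matched by sequence 1.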
06-08-2010 10:17 AM
Thanks Federico.
This is what I'm getting. The 2nd VPN is the one in question. It appears to be up. Could it be a routing issue? I only have a default route on this firewall.
bdavpn1# sh cry isa sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 101.88.182.189
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 101.1.95.253
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
06-08-2010 10:20 AM
Ok, phase 1 shows up for both tunnels.
What about phase 2 for this second tunnel?
sh cry ips sa
Federico.
06-08-2010 12:43 PM
It looks like it was a NAT or route issue. I changed the IP scheme on the other end and it's working now.
Thanks for your help.
06-08-2010 12:57 PM
Thank you for letting me know Scott.
Federico.
07-31-2013 07:26 AM
Hi Scott,
I am running into the same problem.
My dynamic tunnel is showing UP, but when I ping the remote LAN I get this error:
%ASA-3-713042: IKE Initiator unable to find policy: Intf
Please find below the output from the command (tunnel status):
ciscoasa# show isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 159.148.115.132
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: 117.219.148.69
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
ciscoasa#
Session Type: LAN-to-LAN
Connection : 159.148.115.132 (this is the statically configured VPN; it has no problem)
Index : 44 IP Addr : 159.148.115.132
Protocol : IKE
Encryption : 3DES Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 11:16:07 UTC Wed Jul 31 2013
Duration : 0h:26m:21s
Connection : ckgs-indr
Index : 45 IP Addr : 117.219.148.69 (this is the dynamically configured one; it has the problem)
Protocol : IKE
Encryption : 3DES Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 11:32:15 UTC Wed Jul 31 2013
Duration : 0h:10m:13s
ciscoasa#
suhas B.