IKE Initiator unable to find policy: Intfc inside

Unanswered Question
Apr 30th, 2012

I am testing VPN tunnels in a lab. I have the following (simple) setup:

  -one ASA5505 has an "inside" interface with address 192.16.99.40/24 and an "outside" interface with address 205.192.0.2/24

  -one computer with address 192.16.99.1/24 ("Client") is connected to the "inside" interface

  -one ASA5510 has an "inside" interface with address 192.0.99.40/24 and an "outside" interface with address 205.192.0.1/24

  -one computer with address 192.0.99.1/24 ("Server") is connected to the "inside" interface

  -both "outside" interfaces are connected through a layer 2 switch

I had a VPN tunnel between them using "Main mode", and that worked without a problem.

But in my target system, the ASA5505 will be connected to a router with a dynamic IP address, and so I need to use "Aggressive mode", where the ASA5510 will have a static address on the "outside" interface. The ASA5505 will therefore initiate the VPN session.

I am using the ASDM, by the way.

I have the VPN tunnel established, but I am unable to ping from either side.

When I ping the Server from the Client, the ASA5505 gives me the expected "Built/Teardown ICMP connection...", but the ASA5510 says "IKE Initiator unable to find policy: Intf inside, Src: 192.0.99.1, Dst: 192.16.99.1". So the ping makes it to the Server, but the reply can't find its way back out.

When I ping the client from the Server, I get the same message on the ASA5510: "IKE Initiator unable to find policy: Intfc inside, Src: 192.0.99.1, Dst: 192.16.99.1".

I attach the configuration on the ASA5510.

I checked similar posts, but the root problem seemed to be different.

Any help is welcome.

thanks,

Pedro

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
suhas_syndrome Wed, 07/31/2013 - 07:14

Hi Mohammad,

  I am running into the same problem.

My ASA on HUB location & 3 spoke end fortigate. i have configured one static site-to-site vpn that is working fine but another two are dynamic vpn tunnel one is showing up and another is not

iam getting error

%ASA-3-713042: IKE Initiator unable to find policy: Intf

interface_number, Src: source_address, Dst: dest_address

i have shre below output & running configuration.

tunel status

ciscoasa# show isakmp sa

   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1   IKE Peer: 159.148.115.132

    Type    : L2L             Role    : responder

    Rekey   : no              State   : AM_ACTIVE

2   IKE Peer: 117.219.148.69

    Type    : L2L             Role    : responder

    Rekey   : no              State   : AM_ACTIVE

ciscoasa#

Session Type: LAN-to-LAN

Connection   : 159.148.115.132

Index        : 44                     IP Addr      : 159.148.115.132

Protocol     : IKE

Encryption   : 3DES                   Hashing      : SHA1

Bytes Tx     : 0                      Bytes Rx     : 0

Login Time   : 11:16:07 UTC Wed Jul 31 2013

Duration     : 0h:26m:21s

Connection   : ckgs-indr

Index        : 45                     IP Addr      : 117.219.148.69

Protocol     : IKE

Encryption   : 3DES                   Hashing      : SHA1

Bytes Tx     : 0                      Bytes Rx     : 0

Login Time   : 11:32:15 UTC Wed Jul 31 2013

Duration     : 0h:10m:13s

ciscoasa#

*************config*******************

Result of the command: "sho run"

: Saved

:

ASA Version 8.2(4)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.71.11.0 VPN_Add

name 10.96.11.0 lan_10.96.11.0

name 10.19.1.0 vpn_pool

name 10.132.6.0 SWED

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 115.114.107.11 255.255.255.248

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.21.5.240 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa824-k8.bin

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

object-group network DM_INLINE_NETWORK_1

network-object VPN_Add 255.255.255.0

network-object lan_10.96.11.0 255.255.255.0

access-list outside_cryptomap_65535.1 extended permit ip 10.21.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1

access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.0.0 VPN_Add 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.0.0 lan_10.96.11.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.0.0 host vpn_pool

access-list inside_nat0_outbound extended permit ip 10.21.5.0 255.255.255.0 vpn_pool 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.0.0 SWED 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit ip 10.21.0.0 255.255.0.0 any

access-list cnk standard permit 10.21.0.0 255.255.0.0

access-list outside_access_in extended permit icmp any any

access-list outside_nat0_outbound extended permit ip VPN_Add 255.255.255.0 lan_10.96.11.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip lan_10.96.11.0 255.255.255.0 VPN_Add 255.255.255.0

access-list ipsce_vpn_splitTunnelAcl standard permit 10.21.5.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.21.0.0 255.255.0.0 SWED 255.255.255.0

access-list smart-tunnel webtype permit tcp 10.21.0.0 255.255.0.0 eq telnet log default

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool vpn_cnk_ssl 10.19.1.1-10.19.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.21.0.0 255.255.0.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 115.114.107.9 1

route inside 10.21.0.0 255.255.0.0 10.21.5.6 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1

crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 159.148.115.132

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-3.1.03103-k9.pkg 2

svc image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3

svc enable

tunnel-group-list enable

smart-tunnel list server 1 telnet platform windows

smart-tunnel list server 1 tcp/telnet platform windows

smart-tunnel auto-signon serverlist ip 10.21.5.0 255.255.255.0

group-policy DfltGrpPolicy attributes

group-policy GroupPolicy_static internal

group-policy GroupPolicy_static attributes

vpn-idle-timeout 30

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy ipsce_vpn internal

group-policy ipsce_vpn attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ipsce_vpn_splitTunnelAcl

group-policy cnk_ssl internal

group-policy cnk_ssl attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value cnk

default-domain none

webvpn

  filter value smart-tunnel

  smart-tunnel auto-start server

username user1 password Ttlh3sZkia0/P8q. encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group ckgs_goa type ipsec-l2l

tunnel-group ckgs_goa ipsec-attributes

pre-shared-key *****

tunnel-group ckgs-indr type ipsec-l2l

tunnel-group ckgs-indr ipsec-attributes

pre-shared-key *****

tunnel-group cnk_ssl type remote-access

tunnel-group cnk_ssl general-attributes

address-pool vpn_cnk_ssl

default-group-policy cnk_ssl

tunnel-group cnk_ssl webvpn-attributes

group-alias cnk_ssl enable

group-url https://115.114.107.11/cnk_ssl enable

tunnel-group ipsce_vpn type remote-access

tunnel-group ipsce_vpn general-attributes

address-pool vpn_cnk_ssl

default-group-policy ipsce_vpn

tunnel-group ipsce_vpn ipsec-attributes

pre-shared-key *****

tunnel-group 159.148.115.132 type ipsec-l2l

tunnel-group 159.148.115.132 general-attributes

default-group-policy GroupPolicy_static

tunnel-group 159.148.115.132 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:692294c06b6a801bba4af60af33b8fe4

: end

SuhasB.

tim.knipper Tue, 05/15/2012 - 10:03

I just ran into an issue with the same message.  My problem was that there was another tunnel setup with the same remote end IP address.  So there were two tunnels with the same destination subnet on two separate crypto maps and the firewall didn't know which tunnel to send them across.

Actions

Login or Register to take actions

This Discussion

Posted April 30, 2012 at 1:37 PM
Stats:
Replies:3 Avg. Rating:
Views:1912 Votes:0
Shares:0

Related Content

Discussions Leaderboard