Hi Mohammad,

  I am running into the same problem.

My ASA on HUB location & 3 spoke end fortigate. i have configured one static site-to-site vpn that is working fine but another two are dynamic vpn tunnel one is showing up and another is not

iam getting error

%ASA-3-713042: IKE Initiator unable to find policy: Intf

interface_number, Src: source_address, Dst: dest_address

i have shre below output & running configuration.

tunel status

ciscoasa# show isakmp sa

   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1   IKE Peer: 159.148.115.132

    Type    : L2L             Role    : responder

    Rekey   : no              State   : AM_ACTIVE

2   IKE Peer: 117.219.148.69

    Type    : L2L             Role    : responder

    Rekey   : no              State   : AM_ACTIVE

ciscoasa#

Session Type: LAN-to-LAN

Connection   : 159.148.115.132

Index        : 44                     IP Addr      : 159.148.115.132

Protocol     : IKE

Encryption   : 3DES                   Hashing      : SHA1

Bytes Tx     : 0                      Bytes Rx     : 0

Login Time   : 11:16:07 UTC Wed Jul 31 2013

Duration     : 0h:26m:21s

Connection   : ckgs-indr

Index        : 45                     IP Addr      : 117.219.148.69

Protocol     : IKE

Encryption   : 3DES                   Hashing      : SHA1

Bytes Tx     : 0                      Bytes Rx     : 0

Login Time   : 11:32:15 UTC Wed Jul 31 2013

Duration     : 0h:10m:13s

ciscoasa#

*************config*******************

Result of the command: "sho run"

: Saved

:

ASA Version 8.2(4)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.71.11.0 VPN_Add

name 10.96.11.0 lan_10.96.11.0

name 10.19.1.0 vpn_pool

name 10.132.6.0 SWED

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 115.114.107.11 255.255.255.248

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.21.5.240 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa824-k8.bin

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

object-group network DM_INLINE_NETWORK_1

network-object VPN_Add 255.255.255.0

network-object lan_10.96.11.0 255.255.255.0

access-list outside_cryptomap_65535.1 extended permit ip 10.21.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1

access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.0.0 VPN_Add 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.0.0 lan_10.96.11.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.0.0 host vpn_pool

access-list inside_nat0_outbound extended permit ip 10.21.5.0 255.255.255.0 vpn_pool 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.0.0 SWED 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit ip 10.21.0.0 255.255.0.0 any

access-list cnk standard permit 10.21.0.0 255.255.0.0

access-list outside_access_in extended permit icmp any any

access-list outside_nat0_outbound extended permit ip VPN_Add 255.255.255.0 lan_10.96.11.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip lan_10.96.11.0 255.255.255.0 VPN_Add 255.255.255.0

access-list ipsce_vpn_splitTunnelAcl standard permit 10.21.5.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.21.0.0 255.255.0.0 SWED 255.255.255.0

access-list smart-tunnel webtype permit tcp 10.21.0.0 255.255.0.0 eq telnet log default

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool vpn_cnk_ssl 10.19.1.1-10.19.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.21.0.0 255.255.0.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 115.114.107.9 1

route inside 10.21.0.0 255.255.0.0 10.21.5.6 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1

crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 159.148.115.132

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-3.1.03103-k9.pkg 2

svc image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3

svc enable

tunnel-group-list enable

smart-tunnel list server 1 telnet platform windows

smart-tunnel list server 1 tcp/telnet platform windows

smart-tunnel auto-signon serverlist ip 10.21.5.0 255.255.255.0

group-policy DfltGrpPolicy attributes

group-policy GroupPolicy_static internal

group-policy GroupPolicy_static attributes

vpn-idle-timeout 30

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy ipsce_vpn internal

group-policy ipsce_vpn attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ipsce_vpn_splitTunnelAcl

group-policy cnk_ssl internal

group-policy cnk_ssl attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value cnk

default-domain none

webvpn

  filter value smart-tunnel

  smart-tunnel auto-start server

username user1 password Ttlh3sZkia0/P8q. encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group ckgs_goa type ipsec-l2l

tunnel-group ckgs_goa ipsec-attributes

pre-shared-key *****

tunnel-group ckgs-indr type ipsec-l2l

tunnel-group ckgs-indr ipsec-attributes

pre-shared-key *****

tunnel-group cnk_ssl type remote-access

tunnel-group cnk_ssl general-attributes

address-pool vpn_cnk_ssl

default-group-policy cnk_ssl

tunnel-group cnk_ssl webvpn-attributes

group-alias cnk_ssl enable

group-url https://115.114.107.11/cnk_ssl enable

tunnel-group ipsce_vpn type remote-access

tunnel-group ipsce_vpn general-attributes

address-pool vpn_cnk_ssl

default-group-policy ipsce_vpn

tunnel-group ipsce_vpn ipsec-attributes

pre-shared-key *****

tunnel-group 159.148.115.132 type ipsec-l2l

tunnel-group 159.148.115.132 general-attributes

default-group-policy GroupPolicy_static

tunnel-group 159.148.115.132 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:692294c06b6a801bba4af60af33b8fe4

: end

SuhasB.