09-04-2014 05:07 AM
Hi guys!
I have a problem with a site-to-site VPN connection: it loses the connection only to this specific server.
I have to log the connection out on the ASA for this connection to come back.
Does someone have an idea?
Thanks
09-04-2014 05:25 AM
Hi Paulo.
Could you send the config (only the VPN portion) and a sh crypto ipsec sa peer ip_of_the_peer?
Regards,
Pedro Lereno
09-04-2014 06:10 AM
Hi Pedro
The result follows:
# sh crypto ipsec sa peer xxx.xxx.xxx.xxx
peer address: xxx.xxx.xxx.xxx
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 192.168.150.4
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.2.0/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.xxx
#pkts encaps: 2474, #pkts encrypt: 2474, #pkts digest: 2474
#pkts decaps: 5403, #pkts decrypt: 5403, #pkts verify: 5403
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2474, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.0.4/4500, remote crypto endpt.: xxx.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 402C98DE
inbound esp sas:
spi: 0x713B7A3E (1899723326)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2035712, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373630/27532)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x402C98DE (1076664542)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2035712, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373778/27514)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 1, local addr: xxx.xxx.xxx.xxx
access-list outside_cryptomap permit ip xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
local ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (xxx.xxx.xxxx.xxx/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.xxx/4500, remote crypto endpt.: xxx.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 1AA9CBAF
inbound esp sas:
spi: 0xDABF84E9 (3669984489)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2035712, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4374000/27521)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x1AA9CBAF (447335343)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2035712, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4374000/27521)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
09-04-2014 07:50 AM
Hi,
As per your crypto output, traffic between 192.168.0.0 and 192.168.2.0 works halfway: some of it is not getting the return traffic. The other line, which you have hidden in the output, has nothing encrypted or decrypted. If that crypto is related to the 10.x.x.x network, as you gave in the earlier logs, then it doesn't have a matching crypto ACL at both ends; it needs to be checked.
If your end's crypto ACL is, say:
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
then the other end should be:
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
Otherwise it will not work.
Regards
Karthik
09-04-2014 06:02 AM
Hi Paulo,
Can you give more information about this issue?
Can you share the show log output filtered for that specific server and sh conn all | in <server> along with configuration details of the FW/Rtr?
Regards
Karthik
09-04-2014 06:34 AM
Hi Karthik,
The result follows:
# sh log | b 10.121.1.70
Sep 04 2014 09:42:59: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.70, Dst: 10.140.2.7
Sep 04 2014 09:43:07: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:43:36: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:43:36: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:43:44: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.126
Sep 04 2014 09:43:49: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.106
Sep 04 2014 09:44:38: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:44:46: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:44:46: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:45:03: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:45:27: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.134
Sep 04 2014 09:45:48: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:45:52: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.134
Sep 04 2014 09:46:37: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.70, Dst: 10.140.2.7
Sep 04 2014 09:47:43: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:47:43: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:48:12: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.97
Sep 04 2014 09:48:33: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:48:33: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:49:02: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.120
Sep 04 2014 09:49:35: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:50:24: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:50:28: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.13
Sep 04 2014 09:51:46: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.2
Sep 04 2014 09:52:15: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:52:19: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:53:25: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:53:29: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:53:54: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.43, Dst: 10.140.2.150
Sep 04 2014 09:55:04: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:56:10: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:56:22: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.134
# sh conn all | include 10.121.1.72
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:65529, idle 0:00:00, bytes 1792874, flags UIO
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:61620, idle 0:00:58, bytes 774287, flags UIO
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:57447, idle 0:00:55, bytes 4173570, flags UIO
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:53595, idle 0:00:03, bytes 25119423, flags UIO
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:49460, idle 0:00:04, bytes 6668749, flags UIO
TCP outside 88.198.136.212:5938 inside 10.121.1.72:53573, idle 0:00:45, bytes 37366, flags UIO
UDP inside 10.121.1.72:51122 inside 10.121.11.83:161, idle 0:00:15, bytes 33308544, flags -
09-04-2014 06:50 AM
Hi Paulo,
The error you get here, %ASA-3-713042: IKE Initiator unable to find policy, says that you do not have a matching policy at both ends.
Please check the configuration of the crypto ACL, NAT exemption and interface ACL at both ends.
Crypto ACLs should match at both ends, especially if the other end is a Cisco device. NAT exemption should be in place for the encryption domain, and so should the interface ACL at both ends, if that is what causes the issue.
%ASA-3-713042: IKE Initiator unable to find policy: Intf 2 error message.
Note: If this is a VPN site-to-site tunnel, make sure to match the access list with the peer. They must be in reverse order on the peer.
Regards
Karthik
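A small checker, added here as an example (it is not from the thread or from Cisco), that does what Karthik and Pedro describe: it parses crypto ACL lines from both ends and reports entries with no exact reversed twin (masks included), and it reads %ASA-3-713042 lines to separate flows that no local entry covers from flows that are covered locally and therefore point at the peer side. The ACL and log lines below are constructed samples.

```python
import ipaddress
import re

# Constructed sample ACLs in ASA syntax (modelled on Karthik's reply; not the real config).
LOCAL_ACL = """
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
"""
# Peer ACL with a deliberate mistake: the second entry has a /16 mask, so it is not an exact mirror.
PEER_ACL = """
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.255.0
"""
# Constructed %ASA-3-713042 lines in the format posted in the thread.
LOG = """
Sep 04 2014 09:42:59: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.70, Dst: 10.140.2.7
Sep 04 2014 09:43:07: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.1.0.5, Dst: 10.2.0.9
"""

ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")
LOG_RE = re.compile(r"%ASA-3-713042: .*?Src: ([\d.]+), Dst: ([\d.]+)")

def parse_acl(text):
    """Return {(src_net, dst_net)} from ASA 'permit ip A MASK B MASK' lines."""
    pairs = set()
    for m in ACL_RE.finditer(text):
        src = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        dst = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
        pairs.add((src, dst))
    return pairs

def unmirrored(local_text, peer_text):
    """Entries lacking an exact reversed twin on the other end: (missing_on_peer, missing_on_local)."""
    local, peer = parse_acl(local_text), parse_acl(peer_text)
    on_peer = {(s, d) for s, d in local if (d, s) not in peer}
    on_local = {(s, d) for s, d in peer if (d, s) not in local}
    return on_peer, on_local

def flows_without_policy(log_text, local_text):
    """Host pairs from 713042 messages that no local crypto ACL entry covers, as sorted 'src->dst'."""
    pairs = parse_acl(local_text)
    uncovered = set()
    for m in LOG_RE.finditer(log_text):
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        # A logged flow that IS covered here but still fails points at the peer's ACL, not this one.
        if not any(src in s and dst in d for s, d in pairs):
            uncovered.add(f"{src}->{dst}")
    return sorted(uncovered)
```

Run unmirrored(LOCAL_ACL, PEER_ACL) and flows_without_policy(LOG, LOCAL_ACL) against your own sanitized config and log to get both lists at once.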
09-04-2014 06:51 AM
Hi Paulo,
Make sure the crypto ACLs match on either side (reversed, and pay attention to the masks).
From:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html
"
This error message can also be seen when the dynamic crypto map sequence is not correct, which causes the peer to hit the wrong crypto map, and also by a mismatched crypto access list that defines the interesting traffic: %ASA-3-713042: IKE Initiator unable to find policy:
In scenarios where multiple VPN tunnels are to be terminated on the same interface, we need to create crypto maps with the same name (only one crypto map is allowed per interface) but with different sequence numbers. This holds true for the router, PIX, and ASA.
"