VPN loses connection only on some servers

 

Hi guys!


I have a problem with a site-to-site VPN connection: it loses the connection only for this specific server.
I have to log out the connection on the ASA for this connection to return.

Does someone have an idea?

 

Thanks

7 Replies

Pedro Lereno
Level 1

Hi Paulo.

 

Could you send the config (only vpn portion) and a sh crypto ipsec sa peer ip_of_the_peer ?

 

Regards,

 

Pedro Lereno

 

 

 

 

Hi Pedro

 

The result follows:

 

# sh crypto ipsec sa peer xxx.xxx.xxx.xxx
peer address: xxx.xxx.xxx.xxx
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 192.168.150.4

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.2.0/255.255.255.0/0/0)
      current_peer: xxx.xxx.xxx.xxx

      #pkts encaps: 2474, #pkts encrypt: 2474, #pkts digest: 2474
      #pkts decaps: 5403, #pkts decrypt: 5403, #pkts verify: 5403
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2474, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.0.4/4500, remote crypto endpt.: xxx.xxx.xxx.xxx/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 402C98DE

    inbound esp sas:
      spi: 0x713B7A3E (1899723326)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2035712, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4373630/27532)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x402C98DE (1076664542)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2035712, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4373778/27514)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 1, local addr: xxx.xxx.xxx.xxx

      access-list outside_cryptomap permit ip xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
      local ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (xxx.xxx.xxxx.xxx/255.255.255.0/0/0)
      current_peer: xxx.xxx.xxx.xxx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxx.xxx.xxx.xxx/4500, remote crypto endpt.: xxx.xxx.xxx.xxx/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 1AA9CBAF

    inbound esp sas:
      spi: 0xDABF84E9 (3669984489)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2035712, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4374000/27521)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x1AA9CBAF (447335343)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2035712, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4374000/27521)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hi,

 

As per your crypto output, traffic between 192.168.0.0 and 192.168.2.0 works halfway: some of them are not getting the return traffic. The other line which you have hidden in the output has nothing encrypted or decrypted. If that crypto is related to the 10.x.x.x network, as you gave in the earlier logs, then it doesn't have a matching crypto ACL at both ends. It needs to be checked.

If your end's crypto ACL is, say,

access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

 

then the other end should be

access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip  192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0

 

Else it will not work.

 

Regards

Karthik

 

nkarthikeyan
Level 7

Hi Paulo,

 

Can you give more information about this issue?

 

Can you share the show log output filtered for that specific server and sh conn all | in <server> along with configuration details of the FW/Rtr?

 

Regards

Karthik

Hi Karthik,

 

The result follows:

# sh log | b 10.121.1.70
Sep 04 2014 09:42:59: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.70, Dst: 10.140.2.7
Sep 04 2014 09:43:07: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:43:36: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:43:36: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:43:44: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.126
Sep 04 2014 09:43:49: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.106
Sep 04 2014 09:44:38: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:44:46: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:44:46: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:45:03: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:45:27: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.134
Sep 04 2014 09:45:48: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:45:52: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.134
Sep 04 2014 09:46:37: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.70, Dst: 10.140.2.7
Sep 04 2014 09:47:43: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:47:43: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:48:12: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.97
Sep 04 2014 09:48:33: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:48:33: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:49:02: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.120
Sep 04 2014 09:49:35: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:50:24: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:50:28: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.13
Sep 04 2014 09:51:46: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.2
Sep 04 2014 09:52:15: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:52:19: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:53:25: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:53:29: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:53:54: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.43, Dst: 10.140.2.150
Sep 04 2014 09:55:04: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:56:10: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.14
Sep 04 2014 09:56:22: %ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.121.1.180, Dst: 10.140.2.134

 

 

# sh conn all | include 10.121.1.72
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:65529, idle 0:00:00, bytes 1792874, flags UIO
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:61620, idle 0:00:58, bytes 774287, flags UIO
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:57447, idle 0:00:55, bytes 4173570, flags UIO
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:53595, idle 0:00:03, bytes 25119423, flags UIO
TCP outside xxx.xxx.xxx.xxx:3389 inside 10.121.1.72:49460, idle 0:00:04, bytes 6668749, flags UIO
TCP outside 88.198.136.212:5938 inside 10.121.1.72:53573, idle 0:00:45, bytes 37366, flags UIO
UDP inside 10.121.1.72:51122 inside 10.121.11.83:161, idle 0:00:15, bytes 33308544, flags -

Hi Paulo,

The error you get here, %ASA-3-713042: IKE Initiator unable to find policy, says that you do not have a matching policy at both ends.

 

Please check the configuration of the crypto ACL, NAT exemption and interface ACL at both ends.

 

Crypto ACLs should match at both ends, especially if the other end is a Cisco device. NAT exemption should be in place for the encryption domain, and the interface ACL at both ends, if that causes the issue.

 

%ASA-3-713042: IKE Initiator unable to find policy: Intf 2 error message.

Note: If this is a VPN site-to-site tunnel, make sure to match the access list with the peer. They must be in reverse order on the peer.

 

Regards

Karthik

Hi Paulo,

Make sure the crypto acls match on either side (reverse and attention to masks).

 

From:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

"

This error message can also be seen when the dynamic crypto map sequence is not correct, which causes the peer to hit the wrong crypto map, and also by a mismatched crypto access list that defines the interesting traffic: %ASA-3-713042: IKE Initiator unable to find policy:

In the scenarios where multiple VPN tunnels to be terminated in the same interface, we need to create crypto map with same name (only one crypto map is allowed per interface) but with a different sequence number. This holds true for the router, PIX, and ASA.

"

 
