TOPIC: Problem with VPN ASA 5520

Problem with VPN ASA 5520 7 years 6 months ago #30458

  • r0nni3
  • r0nni3's Avatar
  • Offline
  • Distinguished Member
  • Posts: 107
  • Karma: 0
Hey all,

I have a weird problem with a VPN I have to configure.
All the config is correct and the VPN is up and running (so it seems).

I do get inbound traffic but no outbound. When I look in the ASDM I get the following syslog message:
%ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 172.23.1.12, Dst: 10.100.3.115

I have never seen this problem before, and Cisco advises to check the access-lists, but these are correct. Has anyone experienced this problem before? And if so, what did you do to fix it?

I'll post the bits of the config that matter here:
[code]
access-list nonat extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list nonat extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list VPNordina extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list VPNordina extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
crypto map remote 10 match address VPNordina
crypto map remote 10 set peer 81.XXX.XXX.XXX
crypto map remote 10 set transform-set standaard

2 IKE Peer: 81.XXX.XXX.XXX
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

local ident (addr/mask/prot/port): (172.23.1.12/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.100.2.0/255.255.254.0/0/0)
current_peer: 81.XXX.XXX.XXX

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
[/code]

Thanks in advance!
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream

Re: Problem with VPN ASA 5520 7 years 6 months ago #30466

  • Blake
  • Blake's Avatar
  • Offline
  • New Member
  • Posts: 7
  • Karma: 0
Can you post a sanitized config?

Re: Problem with VPN ASA 5520 7 years 6 months ago #30490

  • ramasamy
  • ramasamy's Avatar
  • Offline
  • Frequent Member
  • Posts: 67
  • Karma: 0
Hi,

The firewall you are checking is a responder. You need to check the access-list on the peer device (the initiator), as the error message is from the initiator.
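The point in the reply above is that both ends of an L2L tunnel must carry mirror-image crypto ACLs: the proxy identities negotiated for the SA have to match an entry on each side exactly, not merely overlap. The script below is an added example (not code from the thread or from Cisco) that checks pasted ASA output for exactly that: it parses the crypto ACL from the original post, a constructed peer ACL that summarises the two /24s into one /23 (an assumption made to illustrate a mismatch; the thread never shows the peer's real configuration), the `local`/`remote ident` lines and packet counters from `show crypto ipsec sa`, and the `%ASA-3-713042` message. The ACL name `TO_RONNIE` and the helper function names are invented for the example.

```python
# Added example, not from the thread: compare crypto ACLs on both peers,
# check the negotiated proxy identity against the local ACL, and flag an
# IPsec SA that only decrypts (inbound-only traffic).
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network) as written in the ACL

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)\s*$"
)
IDENT_RE = re.compile(
    r"^(?P<side>local|remote) ident \(addr/mask/prot/port\): \((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/"
)
PKTS_RE = re.compile(r"#pkts (?P<dir>encaps|decaps): (?P<n>\d+)")
LOG_RE = re.compile(r"%ASA-3-713042: .*Src: (?P<src>[\d.]+), Dst: (?P<dst>[\d.]+)")


def _endpoint(token: str) -> Net:
    """Turn 'host A.B.C.D' or 'A.B.C.D M.M.M.M' into a network object."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(parts[0] + "/" + parts[1])  # dotted mask is accepted


def parse_crypto_acl(config: str, name: str) -> Set[Entry]:
    """Collect (src, dst) network pairs from the named extended ACL."""
    entries: Set[Entry] = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            entries.add((_endpoint(m.group("src")), _endpoint(m.group("dst"))))
    return entries


def _fmt(entry: Entry) -> str:
    return f"{entry[0]} -> {entry[1]}"


def mirror_mismatch(local: Set[Entry], remote: Set[Entry]) -> Tuple[List[str], List[str]]:
    """Entries on each side with no exact mirror on the other side.

    Both lists are expressed from the local side's point of view. A /23 on one
    peer against two /24s on the other is reported as a mismatch even though the
    address ranges overlap, because proxy identities are compared exactly.
    """
    remote_mirrored = {(dst, src) for (src, dst) in remote}
    only_local = sorted(_fmt(e) for e in local - remote_mirrored)
    only_remote = sorted(_fmt(e) for e in remote_mirrored - local)
    return only_local, only_remote


def negotiated_ident(sa_output: str) -> Optional[Entry]:
    """Extract the (local, remote) proxy identities from 'show crypto ipsec sa'."""
    found: Dict[str, Net] = {}
    for line in sa_output.splitlines():
        m = IDENT_RE.match(line.strip())
        if m:
            found[m.group("side")] = ipaddress.ip_network(f"{m.group('addr')}/{m.group('mask')}")
    if "local" in found and "remote" in found:
        return found["local"], found["remote"]
    return None


def is_one_way(sa_output: str) -> bool:
    """True when the SA has decapsulated packets but never encapsulated any."""
    counters = {m.group("dir"): int(m.group("n")) for m in PKTS_RE.finditer(sa_output)}
    return counters.get("decaps", 0) > 0 and counters.get("encaps", 0) == 0


def covering_entry(acl: Set[Entry], src: str, dst: str) -> Optional[Entry]:
    """Most specific ACL entry whose networks contain the flow from a 713042 message."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(acl, key=lambda e: (e[0].prefixlen, e[1].prefixlen), reverse=True):
        if s in entry[0] and d in entry[1]:
            return entry
    return None


# Local ACL and SA output as posted in the thread; peer ACL is constructed.
LOCAL_CONFIG = """\
access-list VPNordina extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list VPNordina extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
"""
PEER_CONFIG = """\
access-list TO_RONNIE extended permit ip 10.100.2.0 255.255.254.0 host 172.23.1.12
"""
SA_OUTPUT = """\
local ident (addr/mask/prot/port): (172.23.1.12/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.100.2.0/255.255.254.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
"""
SYSLOG = "%ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 172.23.1.12, Dst: 10.100.3.115"


def report() -> dict:
    """Run every check against the sample data and return the findings."""
    local = parse_crypto_acl(LOCAL_CONFIG, "VPNordina")
    peer = parse_crypto_acl(PEER_CONFIG, "TO_RONNIE")
    only_local, only_peer = mirror_mismatch(local, peer)
    log = LOG_RE.search(SYSLOG)
    return {
        "only_local": only_local,
        "only_peer": only_peer,
        "ident_in_local_acl": negotiated_ident(SA_OUTPUT) in local,
        "one_way": is_one_way(SA_OUTPUT),
        "flow_covered_locally": covering_entry(local, log.group("src"), log.group("dst")) is not None,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against the thread's own output, `ident_in_local_acl` is false: the SA was negotiated for 10.100.2.0/255.255.254.0, which equals neither /24 line in `VPNordina`, while `one_way` is true (99 decaps, 0 encaps) and the 713042 flow is covered by the local ACL. That combination is the signature of the other side proposing different identities, which is what the reply above tells the poster to go and check.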

Re: Problem with VPN ASA 5520 7 years 6 months ago #30501

  • r0nni3
  • r0nni3's Avatar
  • Offline
  • Distinguished Member
  • Posts: 107
  • Karma: 0
Well, the problem was at the other side... they messed up their access-list. They reconfigured the access-list and the tunnel worked perfectly.
This is exactly the reason why I don't like making VPN tunnels with a 3rd party. >.<
