Solved

ike initiator unable to find policy error

Posted on 2010-09-02
1,147 Views
Last Modified: 2012-05-10
Hi, I recently changed ISPs at my satellite office (SonicWall TZ170). I copied the working VPN settings into a new site-to-site VPN policy and changed the IP address to the new 185.72.91.66 addy.

However, I'm now getting these IKE initiator errors. The interesting thing is that the SonicWall is reporting an active connection, but I assume I need to do something on the Cisco side, as opposed to just creating the policy. Any help appreciated. Thanks.

 
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name ifsa.local
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 25.37.84.162 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.29 255.255.255.0
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 97.57.55.76 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.30
 domain-name ifsa.local
object-group service DSClient tcp
 port-object range 4401 4404
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.150.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.137.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.150.16 255.255.255.240
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.137.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any object-group DSClient log debugging inactive
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
mtu outside 1500
mtu inside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (backup) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 25.37.84.161 1 track 1
route backup 0.0.0.0 0.0.0.0 97.57.55.73 254
route inside 192.168.10.0 255.255.255.0 192.168.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 25.37.84.161 interface outside
 num-packets 3
 frequency 15
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer 69.74.61.9
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 74.116.54.194
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 4 match address outside_cryptomap
crypto map outside_map0 4 set peer 185.72.91.66
crypto map outside_map0 4 set transform-set ESP-3DES-SHA
crypto map outside_map0 4 set security-association lifetime seconds 28800
crypto map outside_map0 4 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd dns 192.168.1.30
!
dhcpd dns 192.168.1.30 interface inside
dhcpd wins 192.168.1.30 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.45 ASA_
group-policy DfltGrpPolicy attributes
tunnel-group 69.74.61.3 type ipsec-l2l
tunnel-group 69.74.61.3 ipsec-attributes
 pre-shared-key *
tunnel-group 74.116.54.194 type ipsec-l2l
tunnel-group 74.116.54.194 general-attributes
tunnel-group 74.116.54.194 ipsec-attributes
 pre-shared-key *
tunnel-group 69.74.61.9 type ipsec-l2l
tunnel-group 69.74.61.9 general-attributes
tunnel-group 69.74.61.9 ipsec-attributes
 pre-shared-key *
tunnel-group 185.72.91.66 type ipsec-l2l
tunnel-group 185.72.91.66 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:bce4bb02b8a864b109844f2ff74c3b57
: end


0
Question by:ruhkus
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
what is the IP subnet behind the Sonicwall?  192.168.2.0
From what I can tell, everything looks OK.
Can you post the exact error/message you are getting?

0
 
LVL 33

Expert Comment

by:digitap
would need logs from the sonicwall as well.
0
 

Author Comment

by:ruhkus
Hey guys, thanks for the follow-up. Unfortunately, I idiotically forgot to leave on a PC in the remote site to test the VPN connectivity to files and applications, so it may be a few days before I can check this and respond.

However, I did notice that the Bytes TX and RX are showing up fine today in the Cisco, so perhaps it's working now. Maybe something needed time to start working again?



0
 

Author Comment

by:ruhkus
It looks like it was a DNS problem, perhaps coupled with some initial issues with the Cisco.

Thanks for your help.
0
 

Author Closing Comment

by:ruhkus
It was actually a DNS problem, but this helped confirm that the router part was correct.
0
