Solved

ike initiator unable to find policy error

Posted on 2010-09-02
1,150 Views
Last Modified: 2012-05-10
Hi, I recently changed ISPs at my satellite office (SonicWall TZ170). I copied the working VPN settings into a new site-to-site VPN policy and changed the IP address to the new 185.72.91.66 addy.

However, I'm now getting these IKE initiator errors. The interesting thing is that the SonicWall is reporting an active connection, but I assume I need to do something on the Cisco side, as opposed to just creating the policy. Any help appreciated. Thanks.

 
: Saved
:
ASA Version 8.0(4) 
!
hostname ciscoasa
domain-name ifsa.local
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 25.37.84.162 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.29 255.255.255.0 
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 97.57.55.76 255.255.255.248 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.30
 domain-name ifsa.local
object-group service DSClient tcp
 port-object range 4401 4404
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.150.16 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.137.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.150.16 255.255.255.240 
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.137.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any any object-group DSClient log debugging inactive 
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
mtu outside 1500
mtu inside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (backup) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 25.37.84.161 1 track 1
route backup 0.0.0.0 0.0.0.0 97.57.55.73 254
route inside 192.168.10.0 255.255.255.0 192.168.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 25.37.84.161 interface outside
 num-packets 3
 frequency 15
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer 69.74.61.9 
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 74.116.54.194 
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 4 match address outside_cryptomap
crypto map outside_map0 4 set peer 185.72.91.66 
crypto map outside_map0 4 set transform-set ESP-3DES-SHA
crypto map outside_map0 4 set security-association lifetime seconds 28800
crypto map outside_map0 4 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd dns 192.168.1.30
!
dhcpd dns 192.168.1.30 interface inside
dhcpd wins 192.168.1.30 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.45 ASA_
group-policy DfltGrpPolicy attributes
tunnel-group 69.74.61.3 type ipsec-l2l
tunnel-group 69.74.61.3 ipsec-attributes
 pre-shared-key *
tunnel-group 74.116.54.194 type ipsec-l2l
tunnel-group 74.116.54.194 general-attributes
tunnel-group 74.116.54.194 ipsec-attributes
 pre-shared-key *
tunnel-group 69.74.61.9 type ipsec-l2l
tunnel-group 69.74.61.9 general-attributes
tunnel-group 69.74.61.9 ipsec-attributes
 pre-shared-key *
tunnel-group 185.72.91.66 type ipsec-l2l
tunnel-group 185.72.91.66 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:bce4bb02b8a864b109844f2ff74c3b57
: end

Question by:ruhkus
Accepted Solution

by:
lrmoore earned 500 total points
ID: 33591664
What is the IP subnet behind the SonicWall? 192.168.2.0
From what I can tell, everything looks OK.
Can you post the exact error/message you are getting?

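One way to check lrmoore's "everything looks OK" mechanically, as an added example that is not part of the thread and not Cisco's or SonicWall's tooling: a Python script that parses the VPN-relevant lines of the ASA 8.0(4) running-config posted in the question (embedded below as a constructed sample, trimmed to those lines) and, for every crypto map entry, verifies that the peer has an ipsec-l2l tunnel-group (otherwise there is no pre-shared key for Phase 1) and that the subnets in its match ACL are also exempted from NAT by the nat (inside) 0 ACL (otherwise the traffic is PATed to the outside interface and never matches the crypto ACL). It also lists tunnel-groups that no crypto map entry references. The function and variable names (parse, check, SAMPLE_CONFIG) are this example's own. On the posted config the only finding is the tunnel-group for 69.74.61.3, which no crypto map entry uses (map entry 1 peers with 69.74.61.9); the new peer 185.72.91.66 has both a tunnel-group and a NAT exemption for 192.168.2.0/24.

```python
"""Cross-check crypto map entries, tunnel-groups and NAT exemption in an
ASA 8.x (pre-8.3 NAT syntax) site-to-site VPN config.

Added example, not code from the original post. The sample below is a
constructed excerpt of the config posted in the question, reduced to the
lines these checks look at.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.150.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.137.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.150.16 255.255.255.240
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.137.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer 69.74.61.9
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 74.116.54.194
crypto map outside_map0 4 match address outside_cryptomap
crypto map outside_map0 4 set peer 185.72.91.66
tunnel-group 69.74.61.3 type ipsec-l2l
tunnel-group 74.116.54.194 type ipsec-l2l
tunnel-group 69.74.61.9 type ipsec-l2l
tunnel-group 185.72.91.66 type ipsec-l2l
"""

# Only the "permit ip <src> <mask> <dst> <mask>" form used for crypto/nat0 ACLs
# is parsed; other ACEs (icmp, tcp with object-groups) are ignored.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
MAP_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse(config):
    """Return (acls, maps, tunnel_groups, nat0_acl_names) from config text."""
    acls = defaultdict(set)   # ACL name -> {(src, smask, dst, dmask)}
    maps = {}                 # (map name, seq) -> {"acl": ..., "peer": ...}
    tgs = set()               # ipsec-l2l tunnel-group names (peer IPs)
    nat0_acls = set()         # ACLs bound with "nat (iface) 0 access-list"
    for raw in config.splitlines():
        line = raw.strip()    # the posted config has trailing spaces
        if m := ACL_RE.match(line):
            acls[m[1]].add((m[2], m[3], m[4], m[5]))
        elif m := MAP_MATCH_RE.match(line):
            maps.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        elif m := MAP_PEER_RE.match(line):
            maps.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
        elif m := TG_RE.match(line):
            tgs.add(m[1])
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m[2])
    return acls, maps, tgs, nat0_acls


def check(config):
    """Return a list of human-readable findings; empty means all checks passed."""
    acls, maps, tgs, nat0_acls = parse(config)
    nat0 = set()
    for name in nat0_acls:
        nat0 |= acls.get(name, set())
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        peer, acl = entry.get("peer"), entry.get("acl")
        if peer is None or acl is None:
            findings.append(f"{name} {seq}: incomplete entry (peer={peer}, acl={acl})")
            continue
        if peer not in tgs:
            findings.append(f"{name} {seq}: peer {peer} has no ipsec-l2l tunnel-group")
        aces = acls.get(acl, set())
        if not aces:
            findings.append(f"{name} {seq}: match ACL {acl} has no 'permit ip' entries")
        for src, smask, dst, dmask in sorted(aces):
            if (src, smask, dst, dmask) not in nat0:
                findings.append(
                    f"{name} {seq}: {src}/{smask} -> {dst}/{dmask} ({acl}) is not NAT-exempt")
    referenced = {e.get("peer") for e in maps.values()}
    for tg in sorted(tgs - referenced):
        findings.append(f"tunnel-group {tg}: no crypto map entry sets this peer (stale entry?)")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The script only covers the ASA side of the pairing. The "IKE initiator unable to find policy" message in the question is logged by the SonicWall, so the SonicWall's own VPN policy (peer gateway, local and remote networks, Phase 1 and Phase 2 proposals) has to be compared against the ASA's tunnel-group, crypto ACL, isakmp policy and transform-set for the same peer; on the ASA, `show crypto isakmp sa` and `show crypto ipsec sa peer 185.72.91.66` show whether Phase 1 and Phase 2 actually came up. As a caveat on the posted config itself: the active tunnels use 3DES, SHA-1 and DH group 2, and DES transform-sets are defined, which were typical for 8.0(4) but should be replaced with AES and SHA-2 and a larger DH group wherever the SonicWall end supports them.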
Expert Comment

by:digitap
ID: 33591744
Would need logs from the SonicWall as well.

Author Comment

by:ruhkus
ID: 33598134
Hey guys, thanks for the follow-up. Unfortunately, I idiotically forgot to leave on a PC in the remote site to test the VPN connectivity to files and applications, so it may be a few days before I can check this and respond.

However, I did notice that the Bytes TX and RX are showing up fine today in the Cisco, so perhaps it's working now. Maybe something needed time to start working again?




Author Comment

by:ruhkus
ID: 33599788
It looks like it was a DNS problem, perhaps coupled with some initial issues with the Cisco.

Thanks for your help.

Author Closing Comment

by:ruhkus
ID: 33599799
It was actually a DNS problem, but this helped confirm that the router part was correct.