IKE Initiator unable to find policy: Intf 1

I took over a new network and I'm making changes. Well, apparently a change I made is now affecting the ASA firewall. Whenever people try to connect to a remote VPN server from inside the network, they are getting "IKE Initiator unable to find policy: Intf 1". I haven't been able to locate where the issue is.


Password: *********
fishnet# sh run
: Saved
:
ASA Version 7.2(1)
!
hostname fishnet
domain-name blackfintech.com
enable password aNz9lVAw4YWoltt6 encrypted
no names
name 172.22.1.10 Bear
name 172.22.1.8 Payette
name 172.22.1.7 Snake
name 172.22.1.0 Boise_Net
name 172.23.1.0 DMZ_Net
name 172.22.1.16 Spokane
name 172.22.1.80 JKAF
name 172.23.1.5 NS2 description Secondary DNS
name 172.22.1.25 Stage description Staging Server
name 172.22.1.36 MossStage description Moss Staging Server
name 172.22.1.38 MossProd
name 172.22.1.41 MossProd1
name XX.XXX.XXX.232 BlackfinGuestPublic description Ext Interface of BlackfinGuest DMZ Bubble
name 172.23.1.6 BlackfinGuestDMZ description BlackfinGuest DMZ Router
name 172.22.1.24 claimscorp description virtual server on teton
name 172.22.1.19 selway description selway
name 172.22.1.77 crimson
name 172.22.1.85 DrupalW2k8 description Drupal W2k8
name 172.22.3.1 sdead description sdead.sde.blackfintech.com
name 172.22.1.40 Shakespeare description Shakespeare
name 172.22.1.47 apps description apps.blackfintech.com
name 172.22.1.48 secure
name 172.22.1.9 prima description IDPR Prima DMZ
name 172.22.1.49 bcconnect
name 172.22.1.87 SBI
name 172.22.1.86 PTE
name 172.22.1.26 stage64 description stage64
name 172.22.1.78 drupaldev
dns-guard
!
interface Ethernet0/0
 description Inside Private Interface
 nameif inside
 security-level 100
 ip address 172.22.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 description DMZ Interface. Semi-Private
 shutdown
 nameif dmz
 security-level 50
 ip address 172.23.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 description Outside Public Interface not private
 nameif outside
 security-level 0
 ip address XX.XXX.XXX.226 255.255.255.224
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.87.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd aNz9lVAw4YWoltt6 encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
 domain-name blackfintech.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Blackfin_Internal_Net
 network-object 172.22.0.0 255.255.252.0
access-list outside_in remark spokane
access-list outside_in extended permit tcp any host XX.XXX.XXX.233 eq https
access-list outside_in remark spokane
access-list outside_in extended permit tcp any host XX.XXX.XXX.233 eq 8882
access-list outside_in remark dev (payette)
access-list outside_in extended permit tcp any host XX.XXX.XXX.230 eq www
access-list outside_in remark dev (payette)
access-list outside_in extended permit tcp any host XX.XXX.XXX.230 eq https
access-list outside_in remark selway
access-list outside_in extended permit tcp any host XX.XXX.XXX.227 eq 9000
access-list outside_in remark snake
access-list outside_in extended permit tcp any host XX.XXX.XXX.228 eq smtp
access-list outside_in remark snake
access-list outside_in extended permit tcp any host XX.XXX.XXX.228 eq pop3
access-list outside_in remark snake
access-list outside_in extended permit tcp any host XX.XXX.XXX.228 eq 995
access-list outside_in remark snake
access-list outside_in extended permit tcp any host XX.XXX.XXX.228 eq www
access-list outside_in remark snake
access-list outside_in extended permit tcp any host XX.XXX.XXX.228 eq imap4
access-list outside_in remark snake
access-list outside_in extended permit tcp any host XX.XXX.XXX.228 eq https
access-list outside_in remark Drupal W2k8
access-list outside_in extended permit tcp any host XX.XXX.XXX.231 eq www
access-list outside_in remark spokane
access-list outside_in extended permit tcp any host XX.XXX.XXX.233 eq www
access-list outside_in remark sdead.sde.blackfintech.com
access-list outside_in extended permit tcp any host XX.XXX.XXX.234 eq www
access-list outside_in remark sdead.sde.blackfintech.com
access-list outside_in extended permit tcp any host XX.XXX.XXX.234 eq https
access-list outside_in remark sdead.sde.blackfintech.com
access-list outside_in extended permit tcp any host XX.XXX.XXX.234 eq 444
access-list outside_in remark stage64.blackfintech.com
access-list outside_in extended permit tcp any host XX.XXX.XXX.235 eq www
access-list outside_in remark secure.blackfintech.com
access-list outside_in extended permit tcp any host XX.XXX.XXX.245 eq www
access-list outside_in remark secure.blackfintech.com
access-list outside_in extended permit tcp any host XX.XXX.XXX.245 eq https
access-list outside_in remark jkaf
access-list outside_in extended permit tcp any host XX.XXX.XXX.236 eq www
access-list outside_in remark security dvr
access-list outside_in extended permit tcp any host XX.XXX.XXX.238 eq www
access-list outside_in remark ns2
access-list outside_in extended permit tcp any host XX.XXX.XXX.239 eq domain
access-list outside_in remark ns2
access-list outside_in extended permit udp any host XX.XXX.XXX.239 eq domain
access-list outside_in remark stage
access-list outside_in extended permit tcp any host XX.XXX.XXX.240 eq www
access-list outside_in remark mossstage
access-list outside_in extended permit tcp any host XX.XXX.XXX.241 eq www
access-list outside_in remark mossstage
access-list outside_in extended permit tcp any host XX.XXX.XXX.241 eq https
access-list outside_in remark mossprod1
access-list outside_in extended permit tcp any host XX.XXX.XXX.243 eq www
access-list outside_in remark prima
access-list outside_in extended permit tcp any host XX.XXX.XXX.251 eq www
access-list outside_in remark crimson
access-list outside_in extended permit tcp any host XX.XXX.XXX.248 eq www
access-list outside_in remark drupaldev
access-list outside_in extended permit tcp any host XX.XXX.XXX.249 eq www
access-list outside_in remark claimscorp
access-list outside_in extended permit tcp any host XX.XXX.XXX.244 eq www
access-list outside_in remark bcconnect http
access-list outside_in extended permit tcp any host XX.XXX.XXX.252 eq www
access-list outside_in remark bcconnect https
access-list outside_in extended permit tcp any host XX.XXX.XXX.252 eq https
access-list outside_in remark bcconnect 8080
access-list outside_in extended permit tcp any host XX.XXX.XXX.252 eq 8080
access-list outside_in remark shakespeare
access-list outside_in extended permit tcp any host XX.XXX.XXX.247 eq www
access-list outside_in remark PTE
access-list outside_in extended permit tcp any host XX.XXX.XXX.250 eq www
access-list outside_in remark SBI
access-list outside_in extended permit tcp any host XX.XXX.XXX.253 eq www
access-list outside_in remark Shakespeare
access-list outside_in extended permit tcp any host XX.XXX.XXX.247 eq https
access-list inside_nat0_outbound extended permit ip any 172.22.1.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip object-group Blackfin_Internal_Net 172.23.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 172.22.1.56 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip host 172.22.1.57 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip host 172.22.1.58 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip host 172.22.1.59 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip host 172.22.1.60 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip host 172.22.1.61 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip host 172.22.1.62 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip host 172.22.1.63 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip host 172.22.1.64 host 10.99.100.120
access-list inside_nat0_outbound extended permit ip any 172.22.1.192 255.255.255.192
access-list Employees_splitTunnelAcl standard permit 172.22.0.0 255.255.252.0
access-list Employees_splitTunnelAcl standard permit 172.23.1.0 255.255.255.0
access-list dmz_access_in remark definition of "DMZ"
access-list dmz_access_in extended deny ip 172.23.1.0 255.255.255.0 object-group Blackfin_Internal_Net
access-list dmz_access_in extended permit ip 172.23.1.0 255.255.255.0 any
access-list 100 extended permit ip host 172.22.1.56 host 10.99.100.120
access-list 100 extended permit ip host 172.22.1.57 host 10.99.100.120
access-list 100 extended permit ip host 172.22.1.58 host 10.99.100.120
access-list 100 extended permit ip host 172.22.1.59 host 10.99.100.120
access-list 100 extended permit ip host 172.22.1.60 host 10.99.100.120
access-list 100 extended permit ip host 172.22.1.61 host 10.99.100.120
access-list 100 extended permit ip host 172.22.1.62 host 10.99.100.120
access-list 100 extended permit ip host 172.22.1.63 host 10.99.100.120
access-list 100 extended permit ip host 172.22.1.64 host 10.99.100.120
access-list outside_cryptomap_65535.1 extended permit ip 172.22.0.0 255.255.252.0 host 67.60.156.237
access-list outside_cryptomap_65535.14 extended permit tcp any any eq pptp
access-list outside_cryptomap_65535.20 extended permit udp any any eq isakmp
access-list outside_cryptomap_65535.15 extended permit udp any any eq 4500
access-list outside_cryptomap extended permit ip any 172.22.1.192 255.255.255.192
pager lines 50
logging enable
logging asdm warnings
logging from-address jscherer@blackfintech.com
logging recipient-address jscherer@blackfintech.com level errors
logging recipient-address nbowdish@blackfintech.com level errors
logging ftp-bufferwrap
logging ftp-server 172.22.1.17 / jscherer ****
mtu inside 1500
mtu dmz 1500
mtu outside 1500
mtu management 1500
ip local pool nomad 172.22.1.200-172.22.1.220 mask 255.255.252.0
ip local pool SSLUsers 172.22.1.221-172.22.1.229 mask 255.255.252.0
icmp permit any inside
icmp permit any dmz
icmp deny any outside
asdm image disk0:/asdm521.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 20 access-list 100
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XXX.XXX.230 www 172.22.1.8 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.230 https 172.22.1.8 https netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.231 www 172.22.1.85 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.233 www 172.22.1.16 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.233 https 172.22.1.16 https netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.233 8882 172.22.1.16 8882 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.234 444 172.22.3.1 444 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.234 https 172.22.3.1 https netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.235 www 172.22.1.26 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.245 www 172.22.1.48 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.245 https 172.22.1.48 https netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.241 www 172.22.1.36 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.241 https 172.22.1.36 https netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.238 www 172.22.1.38 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.243 www 172.22.1.41 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.227 9000 172.22.1.19 9000 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.248 www 172.22.1.77 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.249 www 172.22.1.78 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.244 www 172.22.1.24 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.240 www 172.22.1.25 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.252 www 172.22.1.49 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.252 https 172.22.1.49 https netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.252 8080 172.22.1.49 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.247 www 172.22.1.40 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.247 https 172.22.1.40 https netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.253 www 172.22.1.87 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.236 www 172.22.1.80 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.XXX.250 www 172.22.1.86 www netmask 255.255.255.255
static (dmz,outside) XX.XXX.XXX.239 172.23.1.5 netmask 255.255.255.255
static (dmz,outside) XX.XXX.XXX.232 172.23.1.6 netmask 255.255.255.255
static (dmz,outside) XX.XXX.XXX.251 172.23.1.8 netmask 255.255.255.255
static (inside,outside) XX.XXX.XXX.228 172.22.1.7 netmask 255.255.255.255
static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RemAuth protocol radius
aaa-server RemAuth host 172.22.1.10
 key 5ntmVPEn
 radius-common-pw 5ntmVPEn
group-policy NonRadiusAuth internal
group-policy NonRadiusAuth attributes
 wins-server value 172.22.1.10
 dns-server value 172.22.1.10 172.22.1.16
 vpn-tunnel-protocol IPSec webvpn
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Employees_splitTunnelAcl
 default-domain value blackfintech.com
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list value Employees_splitTunnelAcl
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group
policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy Employees internal
group-policy Employees attributes
 wins-server value 172.22.1.10
 dns-server value 172.22.1.10 172.22.1.16
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Employees_splitTunnelAcl
 default-domain value blackfintech.com
 webvpn
  svc enable
  svc keep-installer installed
  svc keepalive 300
  svc compression deflate
username trasa password xGMl98YmoDZ7OegC encrypted
username trasa attributes
 vpn-group-policy NonRadiusAuth
username jscherer password KLUUzdVJSQ665W8S encrypted privilege 15
username jscherer attributes
 vpn-group-policy NonRadiusAuth
username jason password 0lKTYzyPPKz5K7FP encrypted
username jason attributes
 vpn-group-policy Employees
username nbowdish password BMWB74aFLscyQZKS encrypted privilege 15
username nbowdish attributes
 vpn-group-policy NonRadiusAuth
http server enable
http 172.22.1.0 255.255.255.0 inside
http 192.168.87.0 255.255.255.0 management
snmp-server host inside 172.22.1.56 poll community blackfin
snmp-server location Main Office
snmp-server contact Trevor Robertson
snmp-server community blackfin
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 1 set reverse-route
crypto dynamic-map outside_dyn_map 13 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 13 set reverse-route
crypto dynamic-map outside_dyn_map 14 match address outside_cryptomap_65535.14
crypto dynamic-map outside_dyn_map 14 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 14 set reverse-route
crypto dynamic-map outside_dyn_map 15 match address outside_cryptomap_65535.15
crypto dynamic-map outside_dyn_map 15 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 15 set reverse-route
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_65535.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto map outside_map 10 match address 100
crypto map outside_map 10 set peer 63.94.99.248
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000 500 1723
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool nomad
 authentication-server-group RemAuth
 authorization-server-group RemAuth
 default-group-policy Employees
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Nomad enable
tunnel-group emps type ipsec-ra
tunnel-group emps general-attributes
 address-pool nomad
 authentication-server-group RemAuth LOCAL
 default-group-policy Employees
tunnel-group emps ipsec-attributes
 pre-shared-key *
tunnel-group emps ppp-attributes
 authentication ms-chap-v2
tunnel-group 63.94.99.248 type ipsec-l2l
tunnel-group 63.94.99.248 ipsec-attributes
 pre-shared-key *
tunnel-group NonRadiusAuth type ipsec-ra
tunnel-group NonRadiusAuth general-attributes
 address-pool nomad
tunnel-group NonRadiusAuth ipsec-attributes
 pre-shared-key *
tunnel-group NonRadiusAuth ppp-attributes
 authentication ms-chap-v2
no vpn-addr-assign aaa
telnet 172.22.1.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.22.1.0 255.255.255.0 inside
ssh 71.39.210.195 255.255.255.255 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.87.3-192.168.87.50 management
!
!
class-map ipsecpassthru-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect sqlnet
  inspect http
  inspect ftp
  inspect icmp
  inspect dns
  inspect ipsec-pass-thru
  inspect pptp
!
service-policy global_policy global
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.3.173.pkg 1
 svc image disk0:/sslclient-win-1.1.1.164.pkg 2
 svc enable
 tunnel-group-list enable
smtp-server 172.22.1.7
prompt hostname context
Cryptochecksum:03879cd1ff99f7c3f6ff811e33f61069
: end
fishnet#
Natronic1977 Asked:

Robert Sutton Jr, Senior Network Manager, Commented:
Can you tell us what change(s) you made? Also, with the error above, was there any other information specified, such as source:destination?
0
Natronic1977, Author, Commented:
Yes, it says the source is its public IP and the destination is the remote PPTP server the PC is trying to communicate to.
0
Robert Sutton Jr, Senior Network Manager, Commented:
Again, what did you change as stated in your initial posting? If anything, try pulling a copy of your startup config and current running config. Can you post both of them here in a text file?
0
Natronic1977, Author, Commented:
I haven't changed anything in the config. On the network I had changed the subnet from 255.255.252.0 to the standard 255.255.255.0. I still think it has something to do with that. But I have hard coded the old subnet and it still didn't work, so I'm just lost.
0
Robert Sutton Jr, Senior Network Manager, Commented:
I'm a bit confused... You stated that you haven't changed anything in the config of the PIX, then you stated that you changed the subnet mask? Would you kindly clarify that bit of information?
0
Natronic1977, Author, Commented:
I have added a new DHCP server (2008 DC) and I'm giving out the 255.255.255.0 subnet now on the network. I had also changed the subnet on the external address but I changed it back. I don't know what else to tell you. I'm stumped as to what is going on or why it's doing it now.
0
Robert Sutton Jr, Senior Network Manager, Commented:
Can you run the following commands on the PIX:

sh cry isa sa
sh cry ips sa
sh access-list

and post back here with the output please. Maybe I can assist you further if I have a better understanding of what was changed.

0
Natronic1977, Author, Commented:
Password: *********
fishnet# sh cry isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 216.161.140.131
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
fishnet# sh cry ips sa
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 13, local addr: XX.XXX.XXX.226

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.22.1.214/255.255.255.255/0/0)
      current_peer: 216.161.140.131, username: blackfin\pburdett
      dynamic allocated peer ip: 172.22.1.214

      #pkts encaps: 1998, #pkts encrypt: 1998, #pkts digest: 1998
      #pkts decaps: 2239, #pkts decrypt: 2239, #pkts verify: 2239
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1998, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: XX.XXX.XXX.226/4500, remote crypto endpt.: 216.161.14
0.131/42088
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: EBC25613

    inbound esp sas:
      spi: 0x2A3E8704 (708740868)
         transform: esp-des esp-sha-hmac
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 238, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 2936
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xEBC25613 (3955381779)
         transform: esp-des esp-sha-hmac
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 238, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 2936
         IV size: 8 bytes
         replay detection support: Y

fishnet# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 38 elements
access-list outside_in line 1 remark spokane
access-list outside_in line 2 extended permit tcp any host XX.XXX.XXX.233 eq htt
ps (hitcnt=59) 0x56424368
access-list outside_in line 3 remark spokane
access-list outside_in line 4 extended permit tcp any host XX.XXX.XXX.233 eq 888
2 (hitcnt=0) 0x45eb5d1a
access-list outside_in line 5 remark dev (payette)
access-list outside_in line 6 extended permit tcp any host XX.XXX.XXX.230 eq www
 (hitcnt=1262) 0x1f2e9e66
access-list outside_in line 7 remark dev (payette)
access-list outside_in line 8 extended permit tcp any host XX.XXX.XXX.230 eq htt
ps (hitcnt=30) 0xb7c34a63
access-list outside_in line 9 remark selway
access-list outside_in line 10 extended permit tcp any host XX.XXX.XXX.227 eq 90
00 (hitcnt=2409) 0x5dbbc171
access-list outside_in line 11 remark snake
access-list outside_in line 12 extended permit tcp any host XX.XXX.XXX.228 eq sm
tp (hitcnt=3041) 0x86964ecd
access-list outside_in line 13 remark snake
access-list outside_in line 14 extended permit tcp any host XX.XXX.XXX.228 eq po
p3 (hitcnt=3660) 0xa19d62e7
access-list outside_in line 15 remark snake
access-list outside_in line 16 extended permit tcp any host XX.XXX.XXX.228 eq 99
5 (hitcnt=0) 0xd8020f06
access-list outside_in line 17 remark snake
access-list outside_in line 18 extended permit tcp any host XX.XXX.XXX.228 eq ww
w (hitcnt=406) 0xa9dcb6f8
access-list outside_in line 19 remark snake
access-list outside_in line 20 extended permit tcp any host XX.XXX.XXX.228 eq im
ap4 (hitcnt=0) 0xf1af840a
access-list outside_in line 21 remark snake
access-list outside_in line 22 extended permit tcp any host XX.XXX.XXX.228 eq ht
tps (hitcnt=63) 0xbf929f47
access-list outside_in line 23 remark Drupal W2k8
access-list outside_in line 24 extended permit tcp any host XX.XXX.XXX.231 eq ww
w (hitcnt=129) 0x6121247c
access-list outside_in line 25 remark spokane
access-list outside_in line 26 extended permit tcp any host XX.XXX.XXX.233 eq ww
w (hitcnt=2932) 0x6ff6e6e2
access-list outside_in line 27 remark sdead.sde.blackfintech.com
access-list outside_in line 28 extended permit tcp any host XX.XXX.XXX.234 eq ww
w (hitcnt=127) 0xb9597c2b
access-list outside_in line 29 remark sdead.sde.blackfintech.com
access-list outside_in line 30 extended permit tcp any host XX.XXX.XXX.234 eq ht
tps (hitcnt=21) 0x2afb42d8
access-list outside_in line 31 remark sdead.sde.blackfintech.com
access-list outside_in line 32 extended permit tcp any host XX.XXX.XXX.234 eq 44
4 (hitcnt=0) 0x797f783c
access-list outside_in line 33 remark stage64.blackfintech.com
access-list outside_in line 34 extended permit tcp any host XX.XXX.XXX.235 eq ww
w (hitcnt=1165) 0xffc917b7
access-list outside_in line 35 remark secure.blackfintech.com
access-list outside_in line 36 extended permit tcp any host XX.XXX.XXX.245 eq ww
w (hitcnt=125) 0x9d7a2baf
access-list outside_in line 37 remark secure.blackfintech.com
access-list outside_in line 38 extended permit tcp any host XX.XXX.XXX.245 eq ht
tps (hitcnt=32) 0x50fc522b
access-list outside_in line 39 remark jkaf
access-list outside_in line 40 extended permit tcp any host XX.XXX.XXX.236 eq ww
w (hitcnt=1186) 0xa8b3135b
access-list outside_in line 41 remark security dvr
access-list outside_in line 42 extended permit tcp any host XX.XXX.XXX.238 eq ww
w (hitcnt=133) 0x729329a1
access-list outside_in line 43 remark ns2
access-list outside_in line 44 extended permit tcp any host XX.XXX.XXX.239 eq do
main (hitcnt=22) 0xdcb23c06
access-list outside_in line 45 remark ns2
access-list outside_in line 46 extended permit udp any host XX.XXX.XXX.239 eq do
main (hitcnt=203556) 0xfd1b8291
access-list outside_in line 47 remark stage
access-list outside_in line 48 extended permit tcp any host XX.XXX.XXX.240 eq ww
w (hitcnt=745) 0xda048912
access-list outside_in line 49 remark mossstage
access-list outside_in line 50 extended permit tcp any host XX.XXX.XXX.241 eq ww
w (hitcnt=488) 0xcf939d53
access-list outside_in line 51 remark mossstage
access-list outside_in line 52 extended permit tcp any host XX.XXX.XXX.241 eq ht
tps (hitcnt=66) 0xb8735f8f
access-list outside_in line 53 remark mossprod1
access-list outside_in line 54 extended permit tcp any host XX.XXX.XXX.243 eq ww
w (hitcnt=390) 0x58dff6f2
access-list outside_in line 55 remark prima
access-list outside_in line 56 extended permit tcp any host XX.XXX.XXX.251 eq ww
w (hitcnt=126) 0xb3423e55
access-list outside_in line 57 remark crimson
access-list outside_in line 58 extended permit tcp any host XX.XXX.XXX.248 eq ww
w (hitcnt=129) 0x12c0ef35
access-list outside_in line 59 remark drupaldev
access-list outside_in line 60 extended permit tcp any host XX.XXX.XXX.249 eq ww
w (hitcnt=7560) 0x6671eb80
access-list outside_in line 61 remark claimscorp
access-list outside_in line 62 extended permit tcp any host XX.XXX.XXX.244 eq ww
w (hitcnt=355) 0x5849fa53
access-list outside_in line 63 remark bcconnect http
access-list outside_in line 64 extended permit tcp any host XX.XXX.XXX.252 eq ww
w (hitcnt=1942) 0xc819f0b
access-list outside_in line 65 remark bcconnect https
access-list outside_in line 66 extended permit tcp any host XX.XXX.XXX.252 eq ht
tps (hitcnt=30) 0x5736b84a
access-list outside_in line 67 remark bcconnect 8080
access-list outside_in line 68 extended permit tcp any host XX.XXX.XXX.252 eq 80
80 (hitcnt=239) 0xa580e188
access-list outside_in line 69 remark shakespeare
access-list outside_in line 70 extended permit tcp any host XX.XXX.XXX.247 eq ww
w (hitcnt=328) 0xf73c9c5d
access-list outside_in line 71 remark PTE
access-list outside_in line 72 extended permit tcp any host XX.XXX.XXX.250 eq ww
w (hitcnt=385) 0x585f6bbf
access-list outside_in line 73 remark SBI
access-list outside_in line 74 extended permit tcp any host XX.XXX.XXX.253 eq ww
w (hitcnt=239) 0x26a3ee18
access-list outside_in line 75 remark Shakespeare
access-list outside_in line 76 extended permit tcp any host XX.XXX.XXX.247 eq ht
tps (hitcnt=54) 0x83302074
access-list inside_nat0_outbound; 12 elements
access-list inside_nat0_outbound line 1 extended permit ip any 172.22.1.128 255.
255.255.128 (hitcnt=0) 0x88ac9a97
access-list inside_nat0_outbound line 2 extended permit ip object-group Blackfin
_Internal_Net 172.23.1.0 255.255.255.0 0x233cebcf
access-list inside_nat0_outbound line 2 extended permit ip 172.22.0.0 255.255.25
2.0 172.23.1.0 255.255.255.0 (hitcnt=0) 0x33d49cfd
access-list inside_nat0_outbound line 3 extended permit ip host 172.22.1.56 host
 10.99.100.120 (hitcnt=0) 0xcf651f0f
access-list inside_nat0_outbound line 4 extended permit ip host 172.22.1.57 host
 10.99.100.120 (hitcnt=0) 0xc619deac
access-list inside_nat0_outbound line 5 extended permit ip host 172.22.1.58 host
 10.99.100.120 (hitcnt=0) 0x45484a11
access-list inside_nat0_outbound line 6 extended permit ip host 172.22.1.59 host
 10.99.100.120 (hitcnt=0) 0xfc8b5ca4
access-list inside_nat0_outbound line 7 extended permit ip host 172.22.1.60 host
 10.99.100.120 (hitcnt=0) 0xa47ecb55
access-list inside_nat0_outbound line 8 extended permit ip host 172.22.1.61 host
 10.99.100.120 (hitcnt=0) 0x7a25260e
access-list inside_nat0_outbound line 9 extended permit ip host 172.22.1.62 host
 10.99.100.120 (hitcnt=0) 0x4b6c5b45
access-list inside_nat0_outbound line 10 extended permit ip host 172.22.1.63 hos
t 10.99.100.120 (hitcnt=0) 0x5083f401
access-list inside_nat0_outbound line 11 extended permit ip host 172.22.1.64 hos
t 10.99.100.120 (hitcnt=0) 0xfa716e30
access-list inside_nat0_outbound line 12 extended permit ip any 172.22.1.192 255
.255.255.192 (hitcnt=0) 0xc406a291
access-list Employees_splitTunnelAcl; 2 elements
access-list Employees_splitTunnelAcl line 1 standard permit 172.22.0.0 255.255.2
52.0 (hitcnt=0) 0x8989de44
access-list Employees_splitTunnelAcl line 2 standard permit 172.23.1.0 255.255.2
55.0 (hitcnt=0) 0x8d677daf
access-list dmz_access_in; 2 elements
access-list dmz_access_in line 1 remark definition of "DMZ"
access-list dmz_access_in line 2 extended deny ip 172.23.1.0 255.255.255.0 objec
t-group Blackfin_Internal_Net 0xa866eb68
access-list dmz_access_in line 2 extended deny ip 172.23.1.0 255.255.255.0 172.2
2.0.0 255.255.252.0 (hitcnt=478) 0x454e9199
access-list dmz_access_in line 3 extended permit ip 172.23.1.0 255.255.255.0 any
 (hitcnt=2864) 0xfcf16abe
access-list 100; 9 elements
access-list 100 line 1 extended permit ip host 172.22.1.56 host 10.99.100.120 (h
itcnt=8) 0x41b77379
access-list 100 line 2 extended permit ip host 172.22.1.57 host 10.99.100.120 (h
itcnt=0) 0x571c7e60
access-list 100 line 3 extended permit ip host 172.22.1.58 host 10.99.100.120 (h
itcnt=0) 0xd5832a54
access-list 100 line 4 extended permit ip host 172.22.1.59 host 10.99.100.120 (h
itcnt=0) 0x62769fe4
access-list 100 line 5 extended permit ip host 172.22.1.60 host 10.99.100.120 (h
itcnt=0) 0x9efa30d3
access-list 100 line 6 extended permit ip host 172.22.1.61 host 10.99.100.120 (h
itcnt=0) 0x1d5e1f66
access-list 100 line 7 extended permit ip host 172.22.1.62 host 10.99.100.120 (h
itcnt=0) 0x13e9e986
access-list 100 line 8 extended permit ip host 172.22.1.63 host 10.99.100.120 (h
itcnt=0) 0xe5901032
access-list 100 line 9 extended permit ip host 172.22.1.64 host 10.99.100.120 (h
itcnt=0) 0xe18c242f
access-list outside_cryptomap_65535.1; 1 elements
access-list outside_cryptomap_65535.1 line 1 extended permit ip 172.22.0.0 255.2
55.252.0 host 67.60.156.237 (hitcnt=0) 0xf1795c5
access-list outside_cryptomap_65535.14; 1 elements
access-list outside_cryptomap_65535.14 line 1 extended permit tcp any any eq ppt
p (hitcnt=196) 0xb1939271
access-list outside_cryptomap_65535.20; 1 elements
access-list outside_cryptomap_65535.20 line 1 extended permit udp any any eq isa
kmp (hitcnt=558) 0x17154167
access-list outside_cryptomap_65535.15; 1 elements
access-list outside_cryptomap_65535.15 line 1 extended permit udp any any eq 450
0 (hitcnt=679) 0x5e6c2c0e
access-list outside_cryptomap; 1 elements
access-list outside_cryptomap line 1 extended permit ip any 172.22.1.192 255.255
.255.192 (hitcnt=0) 0xb02e2238
fishnet#



Natronic1977 (Author) commented:
OK, I have since rebooted the ASA and I'm not getting the IKE error anymore. The computers trying to VPN are now getting error 800.
Robert Sutton Jr (Senior Network Manager) commented:
Are they using SOHO routers from home with the same subnet as your VPN pool? Software firewall causing the problem? Too many concurrent connections?

Also have them check on their PCs:
1. Right-click the VPN connection.
2. Click “Properties”.
3. Click the “Networking” tab.
4. Double-click “Internet Protocol Version 4 (TCP/IPv4)”.
5. Click the “Advanced…” button, and there is: “Use default gateway on remote network”. Uncheck this.
6. Click OK three times.

Let me know.
Natronic1977 (Author) commented:
They are not connecting from home. They are inside the office behind the ASA 5510 trying to connect to clients' VPN servers.
Natronic1977 (Author) commented:
The ASA is supposed to just be a pass-through; it's not the endpoint. People can connect to the ASA VPN and connect to our network.
Robert Sutton Jr (Senior Network Manager) commented:
You'll have to contact that client and have them check their FW logs/Settings.
Natronic1977 (Author) commented:
VPN from inside the network to outside networks used to work. So I'm pretty sure it's us and not the client's FW settings.
Robert Sutton Jr (Senior Network Manager) commented:
Which one isn't working then...? Can you point out the client IP from above in your config?
Natronic1977 (Author) commented:
I don't see that IP configured in the ASA, but the IP is 64.94.117.115.
Natronic1977 (Author) commented:
3      Jan 09 2012      06:34:54      713042                   IKE Initiator unable to find policy: Intf 1, Src: XX.XXX.XXX.226, Dst: 64.94.117.115
Robert Sutton Jr (Senior Network Manager) commented:
You have to recreate the map from xxx.xxx.xxx.226 to 69.94.117.115.
Which is strange since you stated you didn't change anything on the ASA. So, someone must have changed it. Just to be safe, what you can do is download the program below and install it. Use it to open and compare your startup-config to your CURRENT running config.
Startup config should be stored in your device flash. Running config can be pulled from a simple sh run command and copy and paste that into a text file.

http://www.grigsoft.com/wincmp-setup.zip

Let us know.
Natronic1977 (Author) commented:
I have fixed the issue. It was a no-longer-used crypto map that was grabbing the incoming packets, thinking it was the endpoint. Once I deleted it, everything started working again. Thanks for your help.

Nathan
Natronic1977 (Author) commented:
I fixed the issue myself
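
The fix described above was deleting a stale crypto map whose match criteria caught pass-through VPN traffic. As an added example (not part of the original thread), this Python script rejoins the wrapped `show access-list` output posted above and lists any-to-any permits in crypto-map ACLs as candidates for review. Treating the `outside_cryptomap` name prefix as the marker for crypto ACLs is an assumption, and the thread does not say which map was removed.

```python
import re

# Excerpt of the `show access-list` output posted above, kept in its
# 80-column wrapped form so the rejoin step has something to do.
SAMPLE = """\
access-list 100 line 1 extended permit ip host 172.22.1.56 host 10.99.100.120 (h
itcnt=8) 0x41b77379
access-list outside_cryptomap_65535.1 line 1 extended permit ip 172.22.0.0 255.2
55.252.0 host 67.60.156.237 (hitcnt=0) 0xf1795c5
access-list outside_cryptomap_65535.14 line 1 extended permit tcp any any eq ppt
p (hitcnt=196) 0xb1939271
access-list outside_cryptomap_65535.20 line 1 extended permit udp any any eq isa
kmp (hitcnt=558) 0x17154167
access-list outside_cryptomap_65535.15 line 1 extended permit udp any any eq 450
0 (hitcnt=679) 0x5e6c2c0e
access-list outside_cryptomap line 1 extended permit ip any 172.22.1.192 255.255
.255.192 (hitcnt=0) 0xb02e2238
"""

ENTRY = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended permit "
    r"(?P<proto>\S+) (?P<match>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

def unwrap(text):
    """Rejoin lines that the terminal wrapped at 80 columns."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("access-list ") or not out:
            out.append(raw)
        else:
            out[-1] += raw  # the wrap splits mid-token, so join without a space
    return out

def broad_crypto_entries(text, prefix="outside_cryptomap"):
    """Return (acl, proto, match, hits) for any-to-any permits in crypto ACLs."""
    found = []
    for line in unwrap(text):
        m = ENTRY.match(line)
        if not m or not m["acl"].startswith(prefix):
            continue  # not a permit entry, or not a crypto-map ACL (assumed prefix)
        if m["match"].startswith("any any"):
            found.append((m["acl"], m["proto"], m["match"], int(m["hits"])))
    return found

if __name__ == "__main__":
    for acl, proto, match, hits in broad_crypto_entries(SAMPLE):
        print(f"{acl}: permit {proto} {match} (hitcnt={hits})")
```

A non-zero hit count on such an entry means traffic is matching a crypto map, which is worth checking against the tunnels the ASA is actually meant to terminate.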