Cisco VPN :: IKE Initiator Unable To Find Policy / ASA5505
Apr 29, 2012
I am testing VPN tunnels in a lab. I have the following (simple) setup:
- one ASA5505 has an "inside" interface with address 192.16.99.40/24 and an "outside" interface with address 205.192.0.2/24
- one computer with address 192.16.99.1/24 ("Client") is connected to the "inside" interface
- one ASA5510 has an "inside" interface with address 192.0.99.40/24 and an "outside" interface with address 205.192.0.1/24
- one computer with address 192.0.99.1/24 ("Server") is connected to the "inside" interface
- both "outside" interfaces are connected through a layer 2 switch
I had a VPN tunnel between them using "Main mode", and that worked without a problem. But in my target system, the ASA5505 will be connected to a router with a dynamic IP address, and so I need to use "Aggressive mode", where the ASA5510 will have a static address on the "outside" interface. The ASA5505 will therefore initiate the VPN session.
I am using the ASDM, by the way. I have the VPN tunnel established, but I am unable to ping from either side. When I ping the Server from the Client, the ASA5505 gives me the expected "Built/Teardown ICMP connection...", but the ASA5510 says "IKE Initiator unable to find policy: Intf inside, Src: 192.0.99.1, Dst: 192.16.99.1". So the ping makes it to the Server, but the reply can't find its way back out. When I ping the Client from the Server, I get the same message on the ASA5510: "IKE Initiator unable to find policy: Intfc inside, Src: 192.0.99.1, Dst: 192.16.99.1". I attach the configuration of the ASA5510.
I keep getting this on a site-to-site VPN tunnel that I have established to one of our remote offices. EVERYTHING works fine except for the phones. Every time they try to connect I get a flood of the error below:

3 Nov 01 2011 16:06:38 IKE Initiator unable to find policy: Intf DS3, Src: 10.90.4.6, Dst: 10.10.20.20

10.90.4.0 is our phones VLAN. 10.10.20.0 is the remote site network; .20 is one of the IP phones located there. Tried running it through packet tracer and get this... I'm not sure where the problem is, as I said ALL domain traffic is flowing back and forth with no issues.
I've tried to set up IPSec over TCP with a VPN Client V5.0.07.0440 on Win 7 64-bit to my ASA 5520 (Version 8.2(2)16) according to
[URL]
IPSec over TCP activated at the ASA:

crypto isakmp ipsec-over-tcp port 10000

and in the transport tab of the VPN connection 'enable transport tunneling' with IPSec over TCP on port 10000 instead of 'IPSec over UDP'. The connect timed out with error code 412. And this is my log from the ASA:

%ASA-7-710005: TCP request discarded from 178.x.x.x/53225 to INTERNET:212.x.x.x/10000
%ASA-3-713042: IKE Initiator unable to find policy: Intf INTERNET, Src: 212.x.x.x, Dst: 178.x.x.x
%ASA-7-710005: TCP request discarded from 178.x.x.x/53225 to INTERNET:212.x.x.x/10000
%ASA-3-713042: IKE Initiator unable to find policy: Intf INTERNET, Src: 212.x.x.x, Dst: 178.x.x.x
I don't have a clue what's missing here. I have static crypto maps for the L2L tunnels and the default dynamic crypto map for the VPN clients which come over NAT-T:

crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address INTERNET_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
I have a dynamic site-to-site VPN between an ASA 5510 and a C880 with segment 172.23.191.0/25 on the ASA side and some hosts on the C880 side (e.g. 128.1.100.211, 128.1.115.181, 128.1.104.212). The VPN is up, but I only have communication with one host (128.1.115.181).
In the logs the following message appears when I try to communicate with any other IP in the policy map configuration: IKE Initiator unable to find policy: Intf Inside, Src: 172.23.191.87, Dst: 128.1.115.182. ONLY WHEN PINGING FROM SOME HOST ON THE C880 SIDE (e.g. 128.1.100.211) IS THE COMMUNICATION SUCCESSFUL.
What is happening with this VPN? Why do I need to ping from a C880 host to the ASA segment to establish communication?
I set up a full mesh LAN-to-LAN VPN for a client with 4 sites. Each site has an ASA 5505 running 8.2(5). Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site. There are two back-up servers, one at the main site and one at a remote site. The main site has 2 bonded T1s and the other three sites have a single T1. How should I go about setting up my QoS?
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic. My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important. I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now. I know the IP of the file-server and back-up servers.
Class and policy maps are defined properly, but when I go to apply the policy-map on the interface, it throws an error: "'set' command is not supported in a 2nd level policymap".
Class/policy map configuration given below ....

class-map match-any cm_traffic_control
 match access-group name acl_traffic_control
class-map match-any BE
 match access-group name be
[Code] ....
I have a Layer 3 switch, a Cisco WS-C3750G-24T. Initially I had IOS version c3750-ipbase; recently I upgraded my IOS to c3750-ipservices-m to enable PBR for my network. I have created all the ACLs and tried to apply the route-map with PBR. The command was accepted initially, but I am not able to see the applied route-map in my policy route. I have gone through the blog and enabled SDM prefer routing, but no luck.
I'm unable to apply a policing limit on a switchport of the CISCO861 router. This is my configuration:

interface FastEthernet0
 service-policy input wired-input
 service-policy output wired-output
end
Unfortunately, it does not appear as if the SRP500 series will allow you to create an ipsec policy where the local or remote traffic selection is 0.0.0.0/0.0.0.0. It wants a specific network. I have a scenario where I want to send all traffic over the vpn tunnel.
Is there a workaround to this or a special way to input "ANY" as the remote network?
I am not able to configure the service-policy output command on a Cisco 2921 router. While configuring I am getting the error below. The same config is working fine on a Cisco 3845 router. I am suspecting a problem with the license in IOS.
Here is my configuration below. I have upgraded my C-3750 switch IOS from IPbase to IPservices; after upgrading I tried to apply PBR on my Vlan 4 and failed. When I try to apply the route-map to Vlan4 the command is accepted, but I am unable to see the route-map in sh run. I am giving the command as "ip policy route-map TTSL" in my Vlan4. Below is the configuration.
On Vlan2 I have connected one ISP and on Vlan4 I have connected another ISP. My local subnets are 192.168.1.x and 192.168.2.x. Now I want to route the 192.168.1.x traffic via Vlan2 and the 192.168.2.x traffic via Vlan4.

coreswitch#sh boot
BOOT path-list : flash:c3750-ipservices-mz.122-35.SE5/c3750-ipservices-mz.122-35.SE5.bin
I have a Server 2008 server and a Synology DS1511+ NAS. The goal is to make an iSCSI connection from the Synology to the Server 2008 server. However, I am having an issue. I set this all up two weeks ago. For two weeks it was all running fine. Now, my iSCSI drive is dropping daily. And every time I go into the iSCSI initiator and click anything, the server still allows me to do some things, but it basically locks up. I can't restart, services stop responding, etc... The only way I can break it out of that is a hard reset. Why does the iSCSI initiator keep taking down my entire server to the point of a hard restart? Once this is solved, I bet the iSCSI dropping daily will be solved as well. I have already talked with Synology; the log is producing nothing and they are suspicious that it has been running fine for the past two weeks. Windows Update is off (I do it manually during scheduled maintenance), and there is no AV or firewall running, so rule those out.
We are using SRP527 routers with PPPoE ADSL connections. From the SRP527 we create an IPSec tunnel to our core routers (Cisco ASR). We are wanting to change the IPSec tunnels to L2TP, and I need to know if this can be done from the SRP527. I cannot find any L2TP configuration options in the setup options. Can the SRP527W act as an L2TP tunnel initiator over the ADSL PPPoE interface?
Recently, I bought an ASA 5505 firewall which I have tried to connect to my ADSL router (modem). It is now more than a week that I have been trying to get an internet connection through the firewall, but I still can't succeed. I have tried much of the advice I got from this community, but I still don't know what is wrong with my ASA firewall configuration. From inside I am able to ping the inside and outside interfaces with great success, and from my laptop, which is connected to the firewall, I am able to ping both interfaces (inside and outside), but I still can't access the internet.
As I don't have a static IP address from my ISP, I have configured the outside interface to pick up the IP address dynamically. Most of the time, the outside interface gets the 192.168.1.2 IP address. [code]
I've been struggling with gaining access to the internet through our Comcast business gateway. We have had Comcast configure the device for true static IP subnetting, turned off local DHCP on the device, etc. Here is my config.
However, whenever I try and run the ASDM client, I get the following error:
"Your ASA image has a version number 8.4(4)1 which is not supported by ASDM 6.2(1)."
How do I get the latest version installed on my Mac desktop? I know that I can connect via the web interface and run the ASDM client, but the same error persists. I have the asdm-649-103.bin file, but cannot connect to the ASA to install (I don't recall ever setting up SSH).
I have an unusual issue, for which I can find nothing similar on the net.
Setup:
ASA5505 => CISCO3524 => Windows 2012 server
ASA is internet edge with ACL / NAT implemented.
We are wanting to implement inbound NATs for this server on port 3389. We have many other servers on the internal side of this ASA that we are NATing to. Creating NATs using the same outside IP to another server is fine, no issues. This other test server resides on the same VLAN as the Windows 2012 server. All IPv6 is turned off on the W2012 server, and it can web-browse out via the ASA as well. No matter what I do, however, I cannot get inbound NAT on ANY port to this server working. Internally, from another server to this server on any port is fine, i.e. we can RDP to this server without issue, so we know this works; the firewall on this server is turned off too. This is our ONLY W2012 server on the internal side. When we run Wireshark on the server whilst testing the NAT there is no traffic, so it's getting blocked somewhere.
The config of the ASA is fairly big; to sanitize it and remove all customer references would take a while, which makes displaying it securely difficult.
I have an ASA5505 running ver 8.0(2). I have configured the ssh timeout and ssh host commands and did the crypto key gen. I am unable to access the device from the host I am allowing. Is there something like a save-all command required? I am trying to use the default pix and telnet password. Do those still work?
This only happens at one location. All the other locations are working; the difference is that this location goes through the firewall. If I bypass the firewall at this location it works.
I have CAT-5e cabling running from ceiling to floor and need to enclose this as it's quite an eye-sore. I am looking for a 10' x 4" x 4" vertical enclosure but cannot seem to find any unit that is >84".
I have my downstairs PC (Windows Vista 64-bit) connected to a Belkin router, model F5D7632-4. This works without any problems. Upstairs, my son has a PC (Windows XP) that connects via a Belkin USB G Network Adapter, model F5D7050, version 4.000uk. This worked perfectly, too. He has just got a new PC which I bought from a friend. My friend used the tower of a previous PC my son had, which had died about 4 years back when the PSU blew and took everything out with it, and fitted the motherboard, graphics card, HDD, RAM, etc. (it uses Windows 7).
I downloaded the latest drivers from the Belkin site and installed them, but for the life of me, the new PC will not detect the network connection. At all. It doesn't find anything. So, I unplugged my PC from the router, and plugged the new PC into it. Unsurprisingly, it connected to the net without any problems. The next thing I did was to reconnect my PC to the router, and try my son's new PC wirelessly again with the network adapter, in the same room. Again, it just doesn't find a network at all. The PC detects the adapter being plugged in and out, and the light on it is on. I even tried his old PC with the adapter, and that still finds the network perfectly.
I was on the phone to Belkin for 35 mins yesterday, and they went through everything, to no avail. They think the USB slots may be faulty, even though the PC knows when I'm plugging things into them.
I have a laptop that won't find any networks. It did work a few days ago; now it's just randomly stopped. Things I've tried:
- Changing the wireless to different channels.
- System restore to a few days before.
- Checked and restarted the WZC service multiple times.
- Checked the drivers are OK.
Recently, I found out that my laptop is unable to find any networks. I started using what I believe to be an ethernet cable to connect my laptop to the internet because it was faster than wireless. But when I removed the cable and tried to connect wirelessly, the computer states that there are no wireless networks in range. I know the wireless adapter is broadcasting because my sister can connect wirelessly to the internet. My WiFi is on, but I can't find any networks.
A week ago I accidentally clicked the disable icon on the wireless network connection in the bottom right of my PC screen. I quickly reversed this, but now for some reason, none of the wireless networks around me can be picked up on my Philips Freevents Windows XP. It was able to pick up two wireless connections and now, not even a trace of one. The other laptops in the house can pick up the wireless connections, so I know it's working. The internet works when the box is connected to the computer, but I need the box in another room, so wireless is essential.
I am having real issues with my printer. I have a network of 3 computers, and it was attached to a printer that worked fine. I then changed the printer for a new one and I am now unable to find this printer on my network. I have installed drivers on the computers. How do I find the printer? The network works fine with everything else.
I have loaded CISCO-ENVMON-MIB and initiated a walk on it, but am unable to find the OID of the Cisco 2960 temperature monitor. I have searched over the net and found .1.3.6.1.4.1.9.9.13.1.3.1.3.1 for temperature, but this OID is not responding in this MIB.
My internet comes to a D-Link 655 wireless router; from there I have wired connections. One of the connections goes to a switch, and from this switch I connect the wired devices in my office. Another connection from the D-Link 655 router goes to another wireless router in my living room, which is a Linksys router. A few of my devices and a laptop connect to this router. My problem is that I am not able to see the devices connected to my Linksys router from my office devices.