
Problem with VPN ASA 5520

15 years 5 months ago #30458 by r0nni3
Hey all,

I have a weird problem with a VPN I have to configure.
All the config is correct and the VPN is up and running (so it seems).

I do get inbound traffic but no outbound. When I look in the ASDM I get the following syslog message:
%ASA-3-713042: IKE Initiator unable to find policy: Intf
outside, Src: 172.23.1.12, Dst: 10.100.3.115

I have never seen this problem before and Cisco advises to check the access-lists, but these are correct. Has anyone experienced this problem before? And if so, what did you do to fix it?

I'll post the bits of the config that matter here:
[code]
access-list nonat extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list nonat extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list VPNordina extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list VPNordina extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
crypto map remote 10 match address VPNordina
crypto map remote 10 set peer 81.XXX.XXX.XXX
crypto map remote 10 set transform-set standaard
2 IKE Peer: 81.XXX.XXX.XXX
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
local ident (addr/mask/prot/port): (172.23.1.12/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.100.2.0/255.255.254.0/0/0)
current_peer: 81.XXX.XXX.XXX

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
[/code]

Thanks in advance!

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
15 years 5 months ago #30466 by Blake
Replied by Blake on topic Re: Problem with VPN ASA 5520
Can you post a sanitized config?
15 years 5 months ago #30490 by ramasamy
Hi,

The firewall you are checking is a responder. You need to check the access-list on the peer device (Initiator) as the error message is from Initiator.
15 years 5 months ago #30501 by r0nni3
Well the problem was at the other side...they messed up their access-list. They reconfigured the access-list and the tunnel worked perfectly.
This is exactly the reason why I don't like making VPN tunnels with a 3rd party. >.<

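The SA output posted above shows a remote ident of 10.100.2.0/255.255.254.0 while the local crypto ACL carries two separate /24 entries, which is the kind of proxy-identity disagreement between the two ends that ramasamy points at. Here is an added Python script (not from the thread, nor a Cisco tool) that parses a crypto ACL and the `local ident`/`remote ident` lines of `show crypto ipsec sa` and reports where they disagree; the ACL and SA text below are constructed from the thread's own posts.

```python
import ipaddress
import re

# Constructed sample input, shaped like the thread's output: the local crypto
# ACL (two /24 entries) and the proxy identities of the SA built as responder.
LOCAL_CRYPTO_ACL = """
access-list VPNordina extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list VPNordina extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
"""
NEGOTIATED_SA = """
local ident (addr/mask/prot/port): (172.23.1.12/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.100.2.0/255.255.254.0/0/0)
"""
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/\d+/\d+\)")


def _take_net(tokens):
    """Consume one ACL address spec ('any', 'host X' or 'X MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_crypto_acl(text, name):
    """Return the (src, dst) network pairs of the 'permit ip' lines in ACL `name`."""
    pairs = []
    for line in text.splitlines():
        t = line.split()
        if t[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        src, rest = _take_net(t[5:])
        dst, _ = _take_net(rest)
        pairs.append((src, dst))
    return pairs


def parse_sa_proxy(text):
    """Return (local ident, remote ident) networks from 'show crypto ipsec sa' text."""
    ids = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
           for m in IDENT_RE.finditer(text)}
    return ids["local"], ids["remote"]


def check_proxy_ids(acl_pairs, local_id, remote_id):
    """Empty list when the SA's proxy IDs equal some local ACL entry; else findings."""
    if (local_id, remote_id) in acl_pairs:
        return []
    findings = [f"local entry {s} -> {d} is narrower than the SA's remote ident {remote_id}"
                for s, d in acl_pairs if s == local_id and d != remote_id and d.subnet_of(remote_id)]
    return findings or [f"SA {local_id} -> {remote_id} matches no entry of the local crypto ACL"]
```

Feed `parse_crypto_acl` the crypto ACL from the running config and `parse_sa_proxy` the `show crypto ipsec sa` output for the peer; `check_proxy_ids` returns an empty list only when the negotiated identities equal one of the local ACL entries.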