02-03-2011 04:38 AM - edited 03-11-2019 12:44 PM
Hi ,
I have ASA 5505 with base license and IOS version is 7.2(4). I configured both site to site vpn and Remote Access VPN. Site to Site VPN is working fine and also Remote access vpn tunnel came up, remote user got IP address from the firewall.
But the problem is remote user unable to ping the local users.
While watching the logs it shows: " IKE initiator unable to find the policy: Src "
Below i am attaching the configuration of my firewall.
Your response would be appreciated.
Regards,
Janardhan
02-04-2011 11:09 AM
Hi Janardhan,
Create an access list for site to site crypto traffic :-
access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
Then change :-
crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet
to :-
crypto map abcmap 1 match address crypto_one
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet
Reapply the crypto map. This will cause a little blip in the site-to-site tunnel, so make sure you do it with little downtime.
Keep everything else the same and Let us know if this works for you.
Manish
02-05-2011 12:09 AM
Hi ,
Create an access list for site to site crypto traffic :-
access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
Then change :-
crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet
to :-
crypto map abcmap 1 match address crypto_one
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet
You will keep everything as it is in your configuration, then add the access list mentioned above and make that minor change in the crypto map. Then remove and reapply the crypto map.
As mentioned earlier in the post, the packets are not leaving the ASA; that was because the return traffic for the remote VPN was getting qualified as L2L. That is the reason I have created a separate ACL to identify the site-to-site traffic and not mix it with the RA VPN.
Manish
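The root cause Manish describes above (the nonat ACL doing double duty as NAT exemption and as the site-to-site crypto map match ACL, so that return traffic to the remote-access pool is classified as L2L traffic) can be reproduced offline. The following script is an added illustration, not code from this thread or from Cisco: it parses the small subset of ASA 7.2 syntax quoted in the thread (extended `access-list` IP entries, `nat (inside) 0 access-list`, `crypto map ... match address` and `ip local pool`), then reports how a flow from an inside host to a pool address is classified under the "before" and "after" configurations. The two configuration strings are constructed from the lines posted in the thread; `X.X.X.X` is the thread's own placeholder peer, and the inside subnet 192.168.8.0/24 is taken from the posted ACLs.

```python
"""Offline check of the ASA crypto-map / nat 0 ACL interaction from the thread.

Added example, not the poster's configuration nor Cisco code.  It only
understands the handful of ASA 7.2 command shapes that appear in the thread.
"""
import ipaddress

# Constructed config: the state after the first suggestion, where the nonat
# ACL is used both for NAT exemption and as the site-to-site crypto map ACL.
BEFORE_CONFIG = """
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
nat (inside) 0 access-list nonat
crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet
"""

# Constructed config: the accepted fix, a dedicated crypto ACL for L2L traffic.
AFTER_CONFIG = BEFORE_CONFIG.replace(
    "crypto map abcmap 1 match address nonat",
    "access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0\n"
    "crypto map abcmap 1 match address crypto_one",
)


def parse_config(text):
    """Extract ACLs, the nat 0 ACL name, crypto map match ACLs and local pools."""
    cfg = {"acls": {}, "nat0": None, "crypto": [], "pools": {}}
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        # access-list NAME extended permit|deny ip SRC MASK DST MASK
        if p[0] == "access-list" and len(p) >= 9 and p[2] == "extended" and p[4] == "ip":
            src = ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False)
            dst = ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)
            cfg["acls"].setdefault(p[1], []).append((p[3], src, dst))
        # nat (inside) 0 access-list NAME  (NAT exemption)
        elif p[:4] == ["nat", "(inside)", "0", "access-list"] and len(p) == 5:
            cfg["nat0"] = p[4]
        # crypto map NAME SEQ match address ACL
        elif p[:2] == ["crypto", "map"] and len(p) == 7 and p[4:6] == ["match", "address"]:
            cfg["crypto"].append((f"{p[2]} {p[3]}", p[6]))
        # ip local pool NAME FIRST-LAST mask MASK
        elif p[:3] == ["ip", "local", "pool"] and len(p) == 7 and p[5] == "mask":
            first = p[4].split("-")[0]
            cfg["pools"][p[3]] = ipaddress.ip_network(f"{first}/{p[6]}", strict=False)
    return cfg


def acl_permits(entries, src, dst):
    """First-match evaluation of an ACL, the way the ASA processes it."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False


def classify_flow(config_text, src_ip, dst_ip):
    """Return (crypto map entry that claims the flow or None, NAT-exempt flag).

    A flow that is claimed by a crypto map entry is treated as site-to-site
    traffic and the ASA will try to find an IKE policy for it; a reply to a
    remote-access client must therefore NOT match any crypto map ACL.
    """
    cfg = parse_config(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    claimed = None
    for entry, acl_name in cfg["crypto"]:
        if acl_permits(cfg["acls"].get(acl_name, []), src, dst):
            claimed = entry
            break
    nat_exempt = bool(cfg["nat0"]) and acl_permits(cfg["acls"].get(cfg["nat0"], []), src, dst)
    return claimed, nat_exempt


def pool_overlaps_inside(config_text, inside_net):
    """Anisha's first point: the RA pool must not overlap the inside subnet."""
    inside = ipaddress.ip_network(inside_net)
    return {name: net.overlaps(inside) for name, net in parse_config(config_text)["pools"].items()}


if __name__ == "__main__":
    flow = ("192.168.8.200", "10.10.10.1")  # inside host replying to an RA client
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        claimed, exempt = classify_flow(cfg, *flow)
        print(f"{label}: crypto map match = {claimed}, nat exempt = {exempt}")
    print("pool overlaps inside:", pool_overlaps_inside(AFTER_CONFIG, "192.168.8.0/24"))
```

With the "before" configuration the reply 192.168.8.200 -> 10.10.10.1 is claimed by `abcmap 1`, which is exactly the flow in the logged `IKE Initiator unable to find policy` message; with the dedicated `crypto_one` ACL it is NAT-exempt but no longer claimed by the site-to-site map, while traffic to 192.168.0.0/22 still is.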
02-03-2011 04:50 AM
Hi Janardhan,
1. Please change your pool IP. Make it different from the local network of the firewall, say 10.10.10.0/24, in order to avoid routing issues.
2. Please include the traffic from local network to the pool ip in the nonat access-list. This is done to exempt the traffic from natting.
i.e. access-list nonat permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
3. Include a route on the Layer 3 device for the pool ip in your internal network i.e. traffic for the pool ip should be directed to ASA inside interface on L3 devices in the internal network.
Let me know how it goes.
Regards,
Anisha
P.S.: please mark this thread as resolved if you feel your query is answered.
02-03-2011 06:32 AM
Hi Anisha,
Thanks for your reply.
My network is very simple. My layer 2 devices are directly connected to the firewall. No L3 devices are used in my network.
So I thought no route was needed.
And as you said, I changed the local pool to 10.10.10.0/24.
Below are the statements I added to the ASA 5505:
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
access-list RAVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
For your reference I am attaching the config and the output of show crypto ipsec sa.
Regards,
Janardhan
02-03-2011 07:39 AM
Hi Janardhan,
Please do the following:
no access-list RAVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list RAVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
management-access inside
clear cry isa sa
clear cry ipsec sa
Try and ping the inside network. And let us know the updates.
Regards,
Anisha
P.S.: please mark this thread as resolved if you feel your query is resolved.
02-03-2011 11:23 AM
Hi Anisha,
Appreciated your quick response.
I did what you said, but I am still having the same problem.
I studied a document for the same problem; the solution given there is below.
Create two separate ACLs for remote access VPN (Ravpn) and site-to-site VPN (nonat) as shown below, and apply the Ravpn ACL to nat (inside) 0.
So I did the same thing.
Then the remote access VPN was working fine but the site-to-site was down.
Please go through the configuration below.
access-list Ravpn extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
nat (inside) 0 access-list Ravpn
Regards,
Janardhan
02-03-2011 11:36 AM
Hi J,
It should be :-
From :-
access-list Ravpn extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
nat (inside) 0 access-list Ravpn
to :-
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
nat (inside) 0 access-list nonat
Manish
02-03-2011 08:26 PM
Hi Manish,
Thanks for your reply.
I did the same thing.
But it shows the same problem.
While viewing the log file it shows: " IKE initiator Unable to find the Policy"
Regards,
Janardhan
02-03-2011 09:34 PM
Hi Janardhan,
Please enable the following debugs and post the outputs here.
1. debug cry isa 127
2. debug cry ips 127
Initiate the traffic
Paste the outputs of the debugs and also give the output of
1. sh cry isa sa
2. sh cry ips sa
Regards,
Anisha
02-03-2011 09:42 PM
Hi Anisha,
Here is the error I am getting while pinging from the client:
3 Feb 03 2011 22:08:03 713042 IKE Initiator unable to find policy: Intf outside, Src: 192.168.8.200, Dst: 10.10.10.1
Currently my ASA is live for the site-to-site VPN.
Is it OK to run debugs while it is live?
If it is OK I will do the debug.
Regards,
Janardhan
02-03-2011 11:13 PM
02-03-2011 09:44 PM
Hi Manish,
This is the error I am getting in the log file:
3 Feb 03 2011 22:08:03 713042 IKE Initiator unable to find policy: Intf outside, Src: 192.168.8.200, Dst: 10.10.10.1
Regards,
Janardhan
02-03-2011 09:46 PM
Hi Janardhan,
You can enable debug only for a peer. I guess that will be OK.
Please connect the IPsec RA VPN.
Do a sh cry isa sa on the ASA and paste it here.
I will let you know which debugs you should enable.
Regards,
Anisha
02-03-2011 11:32 PM
02-04-2011 01:02 AM
Hi Anisha,
Is there any update?
Regards,
Janardhan
02-04-2011 07:05 AM
Hi Janardhan,
The debugs are showing that the packets are reaching the ASA but the reply is not going back to the Client.
Are you sure there is no layer three device present on the inside of the ASA?
Please run the packet tracer and paste the output of the same:
packet-tracer in inside icmp 192.168.8.1 8 0 10.10.10.1 det
Also capture the packet on the inside interface.
Here are the commands you need to capture the packets:
access-list capi permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list capi permit ip 10.10.10.0 255.255.255.0 192.168.8.0 255.255.255.0
capture capin interface inside access-list capi buffer 33554430
Connect the VPN and try to ping 192.168.8.0 from the client. Paste the output of the following command:
sh cap capin
Regards,
Anisha