08-29-2015 04:07 PM - edited 03-05-2019 02:11 AM
I'm trying to enable site-to-site VPN on a Cisco 5506-X. I'm getting an error I don't understand:
[ERROR] crypto ikev2 enable outside
Failed to open "udp/localized/2/4500"
ERROR: Error opening IKE port 4500 on Interface outside
Any ideas?
Thanks,
Greg
09-01-2015 02:27 AM
Do you have a PAT-rule that forwards udp/4500 to an internal system?
10-08-2015 10:50 AM
Hi Karsten, can you provide the CLI to accomplish your suggestion? Also, the reason I never use CLI is I'll issue a command and have no idea how to "undo" it -- whereas in a GUI you can simply delete it -- you can visually learn how to do something (i.e. it's intuitive) vs reading reading reading and having to remember every last bit of text. Not slamming CLI or anything, just shedding some light as to why I'm asking for an ASDM way to do it, or, if you happen to know the CLI command to fix this error. Thanks!
06-15-2016 03:07 PM
I had the same error and found out that I had mistakenly enabled IKEv2 for Site-to-Site VPN on the same interface. I unchecked that box and was then able to enable IKEv2 for VPN.
11-26-2015 09:55 AM
Hello Karsten,
Hope you are doing well. I'm facing the same issue with UDP:4500
Error: crypto ikev1 enable outside
failed to open "udp/localized/2/4500"
Error: Error opening IKE port 4500 on Interface outside
Besides this, I have a NAT rule that forwards port 4500 from outside to the LAN (I'm using this rule for other stuff). As you raised the question, I was wondering if having the 4500 port forwarding configured is making the Site to Site VPN impossible and how can I get away with that.
Many thanks in advance
11-26-2015 10:21 AM
UDP/4500 is needed in IPsec for NAT-traversal. To make it work you have to move the functionality that uses udp/4500 now to a different public IP (if available) or to a different port.
10-08-2015 10:45 AM
Any resolution? I'm having the same issue. Brand new ASA 5506-X out of the box running ASA version 9.4(1). Ran the VPN wizard and get:
Error: crypto ikev1 enable outside
failed to open "udp/localized/2/4500"
Error: Error opening IKE port 4500 on Interface outside
Doesn't appear to be any help after searching online for quite some time. Also, I'm comparing against two other Cisco ASA 5505's and don't see any references to port 500 or 4500 in the access rules or NAT.
Where/what to check? Also, if you can somehow reference where to look in ASDM that would be greatly appreciated. No CLI experience here...
Even more frustrating that such an error message can exist, but cannot be googled/binged/whatever.
10-19-2015 01:57 PM
ggilley@gerg.org, did you ever figure this out? Would appreciate an update.
Thanks.
10-23-2015 08:30 AM
I also have an AT&T microcell on my network.
I set up a device VPN to my iPhone and that worked. It seemed to clear up the site-to-site problem (or the microcell got into a better state, not sure which).
Anyway, I'm finally up and running.
Greg
10-21-2015 01:28 PM
For me, it was this: https://supportforums.cisco.com/discussion/12627556/error-opening-ike-port-4500-interface-outside#comment-10872731
I found an AT&T MICROCELL on our network and after unplugging it and running "clear xlate" a few times, the VPN wizard completed w/out any errors.
09-21-2016 11:26 AM
I made it so I could run the clear xlate and the commands for this fast enough the device couldn't rewrite it. Here's what I did for mine. I added clear xlate every other line. I opened ASDM then went to tools, chose command line. I selected multiple line option. I put the commands in like this and it worked.
clear xlate
! write client profile "disk0:/AnyconnectVPN_client_profile.xml" to ASA
clear xlate
webvpn
anyconnect profiles AnyconnectVPN_client_profile disk0:/AnyconnectVPN_client_profile.xml
exit
clear xlate
crypto ikev2 enable Outside client-services port 443
clear xlate
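To see which translations hold udp/500 or udp/4500 on the outside interface before running `clear xlate`, the output of `show xlate` can be filtered. This is an added example, not part of the thread or any Cisco tooling; it assumes the `UDP PAT from ... to ... flags ...` line layout of ASA 8.3 and later, and the sample output and addresses are constructed.

```python
import re

# Assumed `show xlate` layouts (ASA 8.3 and later); both forms are matched:
#   UDP PAT from inside:10.0.0.5/4500 to outside:192.0.2.1/4500 flags ri ...
#   UDP PAT from inside:10.0.0.5 4500-4500 to outside:192.0.2.1 4500-4500 flags sr ...
XLATE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from [^:\s]+:(?P<host>[\d.]+)[/ ][\d-]+"
    r" to (?P<ifc>[^:\s]+):[\d.]+[/ ](?P<ports>[\d-]+) flags (?P<flags>\S+)"
)
IKE_PORTS = (500, 4500)  # IKE and IPsec NAT-traversal, both UDP


def ike_port_holders(show_xlate, interface="outside"):
    """Return the translations occupying udp/500 or udp/4500 on `interface`."""
    hits = []
    for line in show_xlate.splitlines():
        m = XLATE.match(line.strip())
        if not m or m["proto"] != "UDP" or m["ifc"].lower() != interface.lower():
            continue
        lo, _, hi = m["ports"].partition("-")
        lo, hi = int(lo), int(hi or lo)
        taken = [p for p in IKE_PORTS if lo <= p <= hi]
        if taken:
            # flag "s" marks a configured static rule, "i" a dynamic PAT entry
            kind = "static" if "s" in m["flags"] else "dynamic"
            hits.append({"host": m["host"], "ports": taken, "kind": kind})
    return hits


# Constructed sample output; addresses are documentation/private ranges.
SAMPLE = """\
4 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:192.168.1.20/51514 to outside:203.0.113.10/51514 flags ri idle 0:00:12 timeout 0:00:30
UDP PAT from inside:192.168.1.77/4500 to outside:203.0.113.10/4500 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:192.168.1.50 4500-4500 to outside:203.0.113.10 4500-4500 flags sr idle 0:05:00 timeout 0:00:00
UDP PAT from inside:192.168.1.20/53124 to outside:203.0.113.10/53124 flags ri idle 0:00:01 timeout 0:00:30
"""

if __name__ == "__main__":
    for hit in ike_port_holders(SAMPLE):
        print(f"{hit['kind']:7} xlate from {hit['host']} holds udp/{hit['ports']}")
```

A `static` hit points to a configured port-forward of the kind asked about in the first reply; a `dynamic` hit names the inside host whose outbound traffic currently occupies the port.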