Showing results for 
Search instead for 
Did you mean: 

can't enable vpn on cisco 5506-x

I'm trying to enable site-to-site vpn on a cisco 5506-x. I'm getting an error I don't understand:


[ERROR] crypto ikev2 enable outside
     Failed to open "udp/localized/2/4500" 
ERROR: Error opening IKE port 4500 on Interface outside


Any ideas?




Karsten Iwen
VIP Mentor

Do you have a PAT-rule that forwards udp/4500 to an internal system?

Hi Karsten, can you provide the CLI to accomplish your suggestion? Also, the reason I never use CLI is I'll issue a command and have no idea how to "undo" it -- whereas in a GUI you can simply delete it -- you can visually learn how to do something (i.e. it's intuitive) vs reading reading reading and having to remember every last bit of text. Not slamming CLI or anything, just shedding some light as to why I'm asking for an ASDM way to do it, or, if you happen to know the CLI command to fix this error. Thanks!

I had the same error and found out that I had mistakenly enabled IKEv2 for Site-to-Site VPN on the same interface.  I unchecked that box and was then able to enable IKEv2 for VPN.

Hello Karsten,

Hope you are doing well, I'm facing the same issue with UDP:4500

Error: crypto ikev1 enable outside

failed to open "udp/localized/2/4500"

Error: Error opening IKE port 4500 on Interface outside

Besides this,  I have a NAT rule that forward port 4500 from outside to the LAN (I'm using this rule for other stuff). As you raised the question, I was wondering if having the 4500 port forwarding configured is making the Site to Site VPN impossible and how can I get away with that.

Many thanks in advance

UDP/4500 is needed in IPsec for NAT-traversal. To make it work you have to move the functionality that uses udp/4500 now to a different public IP (if available) or to a different port.

Any resolution? I'm having the same issue. Brand new ASA 5506-X out of the box running ASA version 9.4(1). Ran the VPN wizard and get:


Error: crypto ikev1 enable outside

failed to open "udp/localized/2/4500"

Error: Error opening IKE port 4500 on Interface outside


Doesn't appear to be any help after searching online for quite some time. Also, I'm comparing against two other Cisco ASA 5505's and don't see any references to port 500 or 4500 in the access rules or NAT.

Where/what to check? Also, if you can somehow reference where to look in ASDM that would be greatly appreciated. No CLI experience here...

Even more frustrating that such an error message can exist, but cannot be googled/binged/whatever.


Beginner, did you ever figure this out? Would appreciate an update.


I also have an AT&T microcell on my network.

I set up a device VPN to my iPhone and that worked. It seemed to clear up the site-to-site problem (or the microcell got into a better state, not sure which).

Anyway, I'm finally up and running.



For me, it was this:

I found an AT&T MICROCELL on our network and after unplugging it and running "clear xlate" a few times, the VPN wizard completed w/out any errors.


I made it so I could run the clear xlate and the commands for this fast enough the device couldn't rewrite it. Here's what I did for mine. I added clear xlate every other line. I opened ASDM then went to tools, chose command line. I selected multiple line option. I put the commands in like this and it worked.

clear xlate
! write client profile "disk0:/AnyconnectVPN_client_profile.xml" to ASA
clear xlate
anyconnect profiles AnyconnectVPN_client_profile disk0:/AnyconnectVPN_client_profile.xml
clear xlate
crypto ikev2 enable Outside client-services port 443
clear xlate