Error opening IKE port 4500 on Interface outside

Brand new Cisco ASA 5506-X. Ran the VPN wizard. At the end, all is "OK" except an error:

 

Error: crypto ikev1 enable outside

failed to open "udp/localized/2/4500"

Error: Error opening IKE port 4500 on Interface outside

 

Can someone help me with this? Provide a fix? I have no CLI experience. If you suggest creating a rule, please explain how to do that.

 

Thank you.

10 Replies

JeremysCisco (Level 1)

We have also been stuck with this for quite some time. Nothing online or in the manual, and I saw in your other post (about the same question) that yes, it is unbelievable that an error message can exist and not be "googled", at least in 2015 it is unbelievable. But, like most things today, they "protect" the real goods behind third-party resellers and make you pay additional money to fix something, when the info/answer should be google-able to begin with. We switched to Meraki and things "just worked"; the GUIs are much better (even though the intuition is still somewhat lacking; Cisco owns them, so no surprise there).

I made it so I could run the clear xlate and the commands for this fast enough that the device couldn't rewrite it. Here's what I did for mine. I added clear xlate every other line. I opened ASDM, then went to Tools, Command Line. I selected Multiple Line. I put the commands in like this and it worked.

 

***EDIT*** Keep in mind if you do "clear xlate", any host using a dynamic session will drop/disconnect. Static translation will stay connected.

 

! clear dynamic translations so nothing is holding the port the next command needs
clear xlate
! write client profile "disk0:/AnyconnectVPN_client_profile.xml" to ASA
clear xlate
webvpn
anyconnect profiles AnyconnectVPN_client_profile disk0:/AnyconnectVPN_client_profile.xml
exit
clear xlate
! enable IKEv2 on the outside interface; client-services listens on tcp/443
crypto ikev2 enable Outside client-services port 443
clear xlate

 

 

And that's how the cookie crumbles! you sir are in the ZONE!
Thank you!

That was a frustrating day! That's why I posted this, hoping to save someone the headache I went through. Glad it helped you. In my case, it was Meraki APs causing the issue and I couldn't just disconnect them. They ended up using a different port and the VPN is still working fine to this day.

Thank you. Had a similar problem and looking at your example helped me.

 

! drop the translations, then enable IKEv1 before they are rebuilt
clear xlate
crypto ikev1 enable outside
clear xlate

Just in case people don't know, I learned the hard way that "clear xlate" will kill all current NAT connections, kicking everyone off the internet. Made this mistake just now, kicked about 500 users off, whoops. So be sure not to run this during production hours.

Thanks for the tip! From ASDM, I was able to send the multi-command:

clear xlate

crypto ikev1 enable {insert your interface name}

Well, not only is this embarrassing, but very, very hard to believe. After running "sh xlate" and searching for "4500" in the results, I found an IP address on our network associated with port 4500. Even though there were no port forwards of any kind on our new router for 4500, a GOD DAMN AT&T MICROCELL was preventing me from completing the Cisco VPN wizard?! Anyway... I unplugged the microcell, ran "clear xlate" (a few times, as it didn't seem to disappear after running the first clear xlate command), and the VPN wizard completed without any errors.
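The post above found the culprit by reading through "sh xlate" by hand and then clearing every translation on the box. As an added example (not code from this thread or from Cisco), the Python below parses ASA 9.x-style "show xlate" output, picks out the PAT entries whose global side sits on the outside interface at udp/500 or udp/4500 (the ports IKE and NAT-T need), and builds a targeted "clear xlate local ... gport ..." for each one instead of a blanket "clear xlate" that drops everyone's dynamic sessions. The sample output, the host addresses and the interface names are constructed for the example; the "clear xlate" keyword syntax is taken from the ASA command reference but should be confirmed with "clear xlate ?" on your release.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of ASA 9.x "show xlate" output (not captured
# from any device in the thread). Host 192.168.1.50 holds PAT entries on
# outside udp/4500 and udp/500, which is what stops "crypto ikev1 enable
# outside" from binding those ports itself.
SAMPLE_SHOW_XLATE = """\
4 in use, 9 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
UDP PAT from inside:192.168.1.50/4500 to outside:203.0.113.10/4500 flags ri idle 0:00:05 timeout 0:00:30
UDP PAT from inside:192.168.1.50/500 to outside:203.0.113.10/500 flags ri idle 0:00:07 timeout 0:00:30
TCP PAT from inside:192.168.1.20/51234 to outside:203.0.113.10/51234 flags ri idle 0:01:12 timeout 0:00:30
NAT from dmz:10.10.10.5 to outside:203.0.113.11 flags s idle 0:00:00 timeout 0:00:00
"""

IKE_PORTS = (500, 4500)  # udp/500 = IKE, udp/4500 = IKE/ESP with NAT traversal

# Matches "[PROTO] PAT|NAT from <if>:<ip>[/port] to <if>:<ip>[/port] ..."
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?:PAT|NAT) from "
    r"(?P<lif>[\w-]+):(?P<lip>[\d.]+)(?:/(?P<lport>\d+))? to "
    r"(?P<gif>[\w-]+):(?P<gip>[\d.]+)(?:/(?P<gport>\d+))?"
)


@dataclass(frozen=True)
class Xlate:
    proto: str
    local_if: str
    local_ip: str
    local_port: Optional[int]
    global_if: str
    global_ip: str
    global_port: Optional[int]


def parse_show_xlate(output: str) -> List[Xlate]:
    """Return one Xlate per translation line; the count and flag-legend lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append(Xlate(
            proto=g["proto"] or "IP",
            local_if=g["lif"], local_ip=g["lip"],
            local_port=int(g["lport"]) if g["lport"] else None,
            global_if=g["gif"], global_ip=g["gip"],
            global_port=int(g["gport"]) if g["gport"] else None,
        ))
    return entries


def ike_port_holders(xlates: List[Xlate], interface: str = "outside",
                     ports=IKE_PORTS) -> List[Xlate]:
    """UDP translations whose *global* side is on `interface` at an IKE/NAT-T port.

    These are the entries that occupy the ports the ASA needs to bind for IKE,
    so they are the ones to clear (or the inside host to unplug, as above).
    """
    return [x for x in xlates
            if x.global_if == interface and x.proto == "UDP" and x.global_port in ports]


def clear_commands(holders: List[Xlate]) -> List[str]:
    """Build targeted clears for the offending entries only.

    Assumed keyword form "clear xlate local <ip> gport <port>" from the ASA
    command reference; verify with "clear xlate ?" before pasting.
    """
    cmds = []
    for x in holders:
        cmd = f"clear xlate local {x.local_ip} gport {x.global_port}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    holders = ike_port_holders(parse_show_xlate(SAMPLE_SHOW_XLATE))
    for x in holders:
        print(f"{x.local_if}:{x.local_ip}/{x.local_port} holds "
              f"{x.global_if}:{x.global_ip}/{x.global_port} ({x.proto})")
    for cmd in clear_commands(holders):
        print(cmd)
```

Paste the real "show xlate" output in place of the constructed sample. Run the generated clears immediately before "crypto ikev1 enable outside" (or the ikev2 equivalent), since a chatty host such as the microcell in the post above will re-create its translation within seconds; if the translations keep reappearing, the inside host is the thing to fix, not the firewall.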

SanthoshKumarM (Level 1)

This never worked for us.

We removed the related ACL and NAT and cleared the connection table for 4500 and 500.

 

And then pasted the below to make it work. Ensure you do it in non-production hours.

 

clear xlate
crypto ikev2 enable Outside
clear xlate

 

How do you do this in FMC?
