P2P vpn issue - New VPN for customer replacing old VPN (IP Change)

whelanj2006
Level 1

Hi,

We have a customer who has a point-to-point IPSEC VPN to ourselves. It's been working fine for the last year. However, they recently purchased a new external IP address, and as such I created a new connection profile for them with the new IP address.

They connect fine over the new VPN (we only receive traffic from them and never send), but I noticed that the old VPN becomes active and the return traffic to them is sent over the old VPN. When I delete the old VPN profile, they can still connect on the new VPN, however they don't get any return traffic from us.

Any suggestions?

9 Replies

Eugene Korneychuk
Cisco Employee

Hello,

Please verify that your configuration already uses the new IP address:

In case of ASA:

set peer and tunnel-group,

In case of IOS:

set peer and crypto isakmp address

Best Regards,

Eugene

Hi,

Both were set already (extract from config, minus the specific IPs):

crypto map outside_map 1 match address internet_cryptomap_2
crypto map outside_map 1 set peer x.x.x.xOLDVPNPEER_IP
crypto map outside_map 7 match address internet_cryptomap_7
crypto map outside_map 7 set peer x.x.x.xNEWVPNPEER_IP
tunnel-group x.x.x.xNEWVPNPEER_IP type ipsec-l2l
tunnel-group x.x.x.xNEWVPNPEER_IP ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.x.xOLDVPNPEER_IP type ipsec-l2l
tunnel-group x.x.x.xOLDVPNPEER_IP ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable

The only thing I can see is the lower value of the crypto map entry for the old peer. If I remove the old peer entry and recreate it, it still receives cryptomap_2. ASA, btw.

Thanks

Brian

Hello Brian,

Did you try to remove the old crypto map, or assign a lower priority (higher number) to it?

Best Regards,

Eugene
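Eugene's point about sequence order can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses a constructed crypto map extract (placeholder peer IPs and networks, and plain network ACEs instead of the object-groups used in the config above) and reports any lower-sequence entry whose crypto ACL overlaps a later entry that points at a different peer, which is exactly the shadowing pattern where return traffic keeps leaving over the old peer.

```python
# Added example (not from the thread or Cisco): lint an ASA crypto map for a
# stale lower-sequence entry whose crypto ACL overlaps a later entry pointing
# at a different peer; the ASA walks entries in sequence order, so matching
# traffic always leaves via the first (old) peer, as seen in the thread.
import ipaddress
import re

# Constructed extract modelled on the thread: placeholder peers/networks and
# plain network ACEs instead of the object-groups used above.
CONFIG = """
access-list internet_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list internet_cryptomap_7 extended permit ip 172.16.10.0 255.255.255.0 192.0.2.0 255.255.255.0
crypto map outside_map 1 match address internet_cryptomap_2
crypto map outside_map 1 set peer 198.51.100.10
crypto map outside_map 7 match address internet_cryptomap_7
crypto map outside_map 7 set peer 198.51.100.20
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def parse(config):
    """Return (acls, entries): ACL name -> [(src, dst)], (map, seq) -> {acl, peer}."""
    acls, entries = {}, {}
    for line in config.strip().splitlines():
        acl, cmap = ACL_RE.match(line), MAP_RE.match(line)
        if acl:
            name, src, smask, dst, dmask = acl.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif cmap:
            name, seq, kind, value = cmap.groups()
            key = "acl" if kind == "match address" else "peer"
            entries.setdefault((name, int(seq)), {})[key] = value
    return acls, entries


def shadowed_entries(config):
    """List (low_seq, low_peer, high_seq, high_peer) for each shadowing pair."""
    acls, entries = parse(config)
    ordered = sorted(entries.items())
    findings = []
    for i, ((name, seq), low) in enumerate(ordered):
        for (name2, seq2), high in ordered[i + 1:]:
            if name != name2 or low.get("peer") == high.get("peer"):
                continue
            # One overlapping (src, dst) pair is enough to starve the later peer.
            if any(ls.overlaps(hs) and ld.overlaps(hd)
                   for ls, ld in acls.get(low.get("acl"), [])
                   for hs, hd in acls.get(high.get("acl"), [])):
                findings.append((seq, low.get("peer"), seq2, high.get("peer")))
    return findings
```

Running `shadowed_entries(CONFIG)` on the constructed extract flags sequence 1 as shadowing sequence 7; removing the old entry (or moving it to a higher sequence number, as Eugene suggests) makes the list empty.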

Hi Eugene,

I removed both entries (old IP entry/crypto map and new IP entry/crypto map). I then re-created a new profile using the higher priority (lower number) for the new IP address. It's now got cryptomap_2 but still the same issue.

I ran debug on the firewall and saw the following entry associated with traffic from the new IP:

713042

Error Message    %PIX|ASA-3-713042: IKE Initiator unable to find policy: Intf interface_number, Src: source_address, Dst: dest_address

Explanation    This message indicates that the IPSec fast path processed a packet that triggered IKE, but IKE's policy lookup failed. This error could be timing related. The ACLs that triggered IKE might have been deleted before IKE processed the initiation request. This problem will most likely correct itself.

Recommended Action    If the condition persists, check the L2L configuration, paying special attention to the ACLs associated with crypto maps.

Thanks for your help with this! I've been pulling my hair out over it the last few days!

Just to update this further: on the tunnel policy for the new IP, I added the old IP address as a 2nd peer, and now all is working. The customer has assured me the old IP is disconnected at their side, so I can only assume somewhere the ASA is getting very confused!

Can you show the running-config?

Also try to clear crypto session.

Best Regards,

Eugene

Hi Eugene,

I'd rather not post the config as it's 1000s of lines long.

I've run clear crypto ipsec and clear crypto isakmp. This morning a 2nd VPN connection is having the same issue; this is the log:

%ASA-3-713042: IKE Initiator unable to find policy: Intf interface_number, Src: source_address, Dst: dest_address

The IPsec fast path processed a packet that triggered IKE, but the IKE policy lookup failed. This error may be timing related. The ACLs that triggered IKE might have been deleted before IKE processed the initiation request. This problem will most likely correct itself.

However, we have another P2P VPN with another party, and they are having no issues. As of right now, I have 3 active IPSEC VPNs. 1 is working fine: bytes Tx and bytes Rx both in the 1000s. However, the other 2 VPNs only have bytes Rx.

The ACLs for both permit the required traffic and NAT rules are set up; in fact both of these were working previously, and as such nothing has changed regarding NAT or ACLs, so I can only assume something somewhere has gone out of sync.

Hello, you can do a packet-tracer and/or take captures; without configs it is quite a difficult task to troubleshoot.

Best Regards,

Eugene

Hopefully this all makes sense! Extract of the config etc., and packet-tracer output:

ABCCOMPANY = specific addresses on my side
ABCCOMPANY_IPSEC = ABCCOMPANY's addresses

access-list transit_outbound_nat0_acl extended permit ip object-group ABCCOMPANY_Access_Group ABCCOMPANY_IPSEC 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group ABCCOMPANY_Access_Group ABCCOMPANY_IPSEC 255.255.255.0
access-list internet_access_in extended permit tcp ABCCOMPANY_IPSEC 255.255.255.0 object-group ABCCOMPANY_Access_Group object-group RemoteDesktop
access-list internet_access_in extended permit tcp ABCCOMPANY_IPSEC 255.255.255.0 object-group ABCCOMPANY_Access_Group_SLS object-group RemoteDesktop
access-list internet_cryptomap_7 extended permit ip object-group DM_INLINE_NETWORK_28 ABCCOMPANY_IPSEC 255.255.255.0
crypto map outside_map 7 match address internet_cryptomap_7
crypto map outside_map 7 set peer x.x.x.x
crypto map outside_map 7 set transform-set ESP-3DES-MD5
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable

When I do a packet-tracer on the first access-list, I get:

# packet-tracer input internet tcp ABCCOMPANY_IPSEC 1065 machine6 3389 x$

Phase: 1
Type: ACCESS-LIST
Result: ALLOW
  Implicit Rule
  MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Result: ALLOW
  Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
  in   172.16.0.0      255.255.0.0     inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
  access-group internet_access_in in interface internet
  access-list internet_access_in extended permit tcp ABCCOMPANY_IPSEC 255.255.255.0 object-group ABCCOMPANY_Access_Group object-group RemoteDesktop
  access-list internet_access_in remark bg added
  object-group network ABCCOMPANY_Access_Group
    network-object host machine1
    network-object host machine2
    network-object host machine3
    network-object host machine4
    network-object host machine5
    network-object host machine6
  object-group service RemoteDesktop tcp
    description: RemoteDesktop
    port-object eq 3389

Phase: 5
Type: CONN-SETTINGS
Result: ALLOW
  class-map internet-class
    match any
  policy-map internet-policy
    class internet-class
      set connection conn-max 0 embryonic-conn-max 10000 random-sequence-number enable
      set connection timeout tcp 1:00:00 dcd 0:15:00 5 embryonic 0:00:30 half-closed 0:10:00
        DCD: enabled, retry-interval 0:15:00, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
  service-policy internet-policy interface internet

Phase: 6
Type: IP-OPTIONS
Result: ALLOW

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW

Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
  nat (inside) 1 172.16.0.0 255.255.0.0
    match ip inside 172.16.0.0 255.255.0.0 internet any
      dynamic translation to pool 1 (MyExternalIP [Interface PAT])
      translate_hits = 45568755, untranslate_hits = 2335945

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
  nat (inside) 1 172.16.0.0 255.255.0.0
    match ip inside 172.16.0.0 255.255.0.0 outside any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 0, untranslate_hits = 0

Phase: 12
Type: IP-OPTIONS
Result: ALLOW

Phase: 13
Type: VPN
Subtype: encrypt
Result: DROP

Result:
input-interface: internet
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule