Options
Need a little help with this ASA debug..
Netstudent
Member Posts: 1,693 ■■■□□□□□□□
|Mar 03 2008|09:22:10|713042|||IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.161, Dst: 10.39.157.1
|10.39.157.1||Denied ICMP type=8, code=0 from 10.39.157.1 on interface outside
||IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.161, Dst: 10.39.157.1
|10.39.157.1||Denied ICMP type=8, code=0 from 10.39.157.1 on interface outside
|||IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.161, Dst: 10.39.157.1
|10.39.157.1||Denied ICMP type=8, code=0 from 10.39.157.1 on interface outside
|10.39.158.106|192.168.80.161|Teardown ICMP connection for faddr 10.39.158.106/512 gaddr 192.168.80.161/0 laddr 192.168.80.161/0
|10.39.158.106|192.168.80.161|Built ICMP connection for faddr 10.39.158.106/512 gaddr 192.168.80.161/0 laddr 192.168.80.161/0
|||IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.161, Dst: 10.39.157.1
|10.39.157.1||Denied ICMP type=8, code=0 from 10.39.157.1 on interface outside
|||Group = x.x.x.x, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=cc185055)
|||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC490AEA1) between x.x.x.x and x.x.x.x (user= x.x.x.x) has been created.
||Group = x.x.x.x, IP = x.x.x.x, Security negotiation complete for LAN-to-LAN Group (x.x.x.x) Responder, Inbound SPI = 0xc490aea1, Outbound SPI = 0x800b4c73
|||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x800B4C73) between x.x.x.x and x.x.x.x (user= x.x.x.x) has been created.
|||Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
|||AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x|||Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
Ok So I have this VPN built. When I try to ping across the VPN, everything get negotiated and keyed. I get passed phase2 and then it denies my ping. I don;t think it is a policy that is denying my ping because I can ping this remote site with another VPN that is already etsablished with a Checkpoint.
here I am pinging from the 10.39.157 network to the 192.168.80.160 network and it;s denied. I can ping the 192 network from a 10.39.158 network that is the inside of my checkpoint which is a different VPN link. My policies in the remote site ASA that defines ICMP allows all from the 10.39/16.
So does this look like a security policy issue or a IKE policy issue? I got issues. :P
Thanks.
EDIT:
I figured it out. I had 2 crypto maps with 2 different sequence numbers. The other crypto map was for the checkpoint. Well I made the crypto map for the checkpoint higher than my new crypto map. As soon as the new map took a lower sequence number, walla.
|10.39.157.1||Denied ICMP type=8, code=0 from 10.39.157.1 on interface outside
||IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.161, Dst: 10.39.157.1
|10.39.157.1||Denied ICMP type=8, code=0 from 10.39.157.1 on interface outside
|||IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.161, Dst: 10.39.157.1
|10.39.157.1||Denied ICMP type=8, code=0 from 10.39.157.1 on interface outside
|10.39.158.106|192.168.80.161|Teardown ICMP connection for faddr 10.39.158.106/512 gaddr 192.168.80.161/0 laddr 192.168.80.161/0
|10.39.158.106|192.168.80.161|Built ICMP connection for faddr 10.39.158.106/512 gaddr 192.168.80.161/0 laddr 192.168.80.161/0
|||IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.161, Dst: 10.39.157.1
|10.39.157.1||Denied ICMP type=8, code=0 from 10.39.157.1 on interface outside
|||Group = x.x.x.x, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=cc185055)
|||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xC490AEA1) between x.x.x.x and x.x.x.x (user= x.x.x.x) has been created.
||Group = x.x.x.x, IP = x.x.x.x, Security negotiation complete for LAN-to-LAN Group (x.x.x.x) Responder, Inbound SPI = 0xc490aea1, Outbound SPI = 0x800b4c73
|||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x800B4C73) between x.x.x.x and x.x.x.x (user= x.x.x.x) has been created.
|||Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
|||AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x|||Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
Ok So I have this VPN built. When I try to ping across the VPN, everything get negotiated and keyed. I get passed phase2 and then it denies my ping. I don;t think it is a policy that is denying my ping because I can ping this remote site with another VPN that is already etsablished with a Checkpoint.
here I am pinging from the 10.39.157 network to the 192.168.80.160 network and it;s denied. I can ping the 192 network from a 10.39.158 network that is the inside of my checkpoint which is a different VPN link. My policies in the remote site ASA that defines ICMP allows all from the 10.39/16.
So does this look like a security policy issue or a IKE policy issue? I got issues. :P
Thanks.
EDIT:
I figured it out. I had 2 crypto maps with 2 different sequence numbers. The other crypto map was for the checkpoint. Well I made the crypto map for the checkpoint higher than my new crypto map. As soon as the new map took a lower sequence number, walla.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!