Initiator unable to find policy: Intf external

Status
Not open for further replies.

mktck

Technical User
Feb 9, 2009
31
SG
Hi,

An IPSec tunnel is established between ASA5505 and ASA5520. Phase 1 and 2 are both completed.

I am able to ping the 'Internal' interface IP of the ASA5520 from the laptop connected to E0/1 of ASA 5505, but I get "Destination Host Unreachable" when I ping a Server connected on an unmanaged switch which is in turn connected to E0/1 of the ASA5520. I am also able to telnet into the ASA 5520 from the laptop connected to ASA 5505.

I am able to ping ASA 5505 'Inside' interface and the laptop from the 'Internal' interface of ASA 5520 using the 'Ping Internal <ASA 5505 IP>' command.

I am getting the following error at the ASA5520 side when I try to ping 172.17.0.2:

3 Aug 18 2009 00:39:50 713042 IKE Initiator unable to find policy: Intf external, Src: 172.17.0.1, Dst: 63.237.x.x

The following is my crypto map so far:
================================================
crypto map gigabitether1_map 40 match address internal_1_cryptomap
crypto map gigabitether1_map 40 set pfs
crypto map gigabitether1_map 40 set peer 172.17.0.40
crypto map gigabitether1_map 40 set transform-set ESP-3DES-SHA
crypto map gigabitether1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map gigabitether1_map interface internal
crypto map external_map 50 match address external_1_cryptomap
crypto map external_map 50 set pfs
crypto map external_map 50 set peer 63.237.x.x
crypto map external_map 50 set transform-set ESP-3DES-SHA
crypto map management_map 1 match address external_cryptomap
crypto map management_map 1 set peer 38.104.x.x 62.73.x.x
crypto map management_map 1 set transform-set ESP-3DES-SHA
crypto map management_map 2 match address external_2_cryptomap
crypto map management_map 2 set pfs
crypto map management_map 2 set peer 67.148.x.x
crypto map management_map 2 set transform-set ESP-3DES-SHA
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface external
crypto map management_map interface management
crypto ca trustpoint ASDM_TrustPoint0
=======================================================

Could the error be due to issues from my crypto map? I noticed management_map has 2 different tunnels.
 
Here is the full error line:

IKE Initiator unable to find policy: Intf external, Src: 172.17.0.1, Dst: 63.237.x.x
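
The log line names interface `external` and peer 63.237.x.x. As an added example (not part of the original post and not Cisco code), this Python script parses the crypto map lines pasted above and reports which static entries are applied to a given interface for a given peer, and which maps have no `interface` statement. The function names are hypothetical; it matches on peer only, because the ACLs are not shown in the post, and the masked addresses are compared as literal strings.

```python
# Lines copied from the post above: only the match address, set peer and
# interface statements are kept; peer addresses are masked in the post.
CONFIG = """\
crypto map gigabitether1_map 40 match address internal_1_cryptomap
crypto map gigabitether1_map 40 set peer 172.17.0.40
crypto map gigabitether1_map interface internal
crypto map external_map 50 match address external_1_cryptomap
crypto map external_map 50 set peer 63.237.x.x
crypto map management_map 1 match address external_cryptomap
crypto map management_map 1 set peer 38.104.x.x 62.73.x.x
crypto map management_map 2 match address external_2_cryptomap
crypto map management_map 2 set peer 67.148.x.x
crypto map management_map interface external
crypto map management_map interface management
"""

def parse_crypto_maps(text):
    """Return (entries, bindings).
    entries[map][seq] = {"acl": name or None, "peers": [...]}
    bindings[interface] = [map names applied to that interface]"""
    entries, bindings = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["crypto", "map"]:
            continue  # not a crypto map statement (e.g. "crypto ca ...")
        name, key, rest = tok[2], tok[3], tok[4:]
        if key == "interface":
            bindings.setdefault(rest[0], []).append(name)
        elif key.isdigit():
            entry = entries.setdefault(name, {}).setdefault(
                int(key), {"acl": None, "peers": []})
            if rest[:2] == ["match", "address"] and len(rest) > 2:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peers"].extend(rest[2:])
    return entries, bindings

def find_policy(entries, bindings, interface, peer):
    """Static entries applied to `interface` whose peer list contains `peer`."""
    return [(m, seq, e["acl"])
            for m in bindings.get(interface, [])
            for seq, e in sorted(entries.get(m, {}).items())
            if peer in e["peers"]]

def unbound_maps(entries, bindings):
    """Crypto maps that have entries but no `interface` statement."""
    bound = {m for maps in bindings.values() for m in maps}
    return sorted(set(entries) - bound)

if __name__ == "__main__":
    e, b = parse_crypto_maps(CONFIG)
    print(find_policy(e, b, "external", "63.237.x.x"), unbound_maps(e, b))
```

On the pasted lines it finds no static entry for 63.237.x.x among the maps applied to `external`, and it lists `external_map` as having no `interface` statement.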
 