This issue had me going for a bit because it started happening on a working production unit after the public IP address changed. After updating all the proper VPN settings with the new IP address, a working tunnel would not establish for some unknown reason. The initiating side would display a message stating that none of the configured IKE settings matched the remote peer, and the receiving side (where the IP changed) had no messages at all. Since the error pointed to an issue with IKE, I tried disabling and re-enabling IKE on the outside interface (receiving end) and received the following error message.
ASA# crypto ikev1 enable outside
ERROR: Failed to open “udp/localized/2/4500” 
ERROR: Error opening IKE port 4500 on Interface outside
[IKEv1]IKE Receiver: IO port create request for intf 2(outside)
[IKEv1]IKE Receiver: IO port exists on intf 2(outside), checking for delayed delete timer
[IKEv1]IKE Receiver: device udp/localized/2/500 successfully opened
[IKEv1]IKE Receiver: device udp/localized/v6/2/500 successfully opened
Based on the output, something was holding on to port UDP/4500. I grepped xlate for 4500 and found that some private IP was PATed to the outside IP on port UDP/4500, causing issues with IKE.
ASA# show xlate | i 4500
UDP PAT from any:<privateIP >/4500 to outside:<outsideIP>/4500 flags ri idle 0:05:50 timeout 0:00:30
Clearing xlate did not fix the issue, so I had to remove the PAT rule.
Removing PAT rules will impact production traffic.
After removing PAT, you need to clear xlate again and re-enable IKE on the outside interface. You should see successful log messages this time.
ASA# crypto ikev1 enable outside
[IKEv1]IKE Receiver: IO port exists on intf 2(outside), checking for delayed delete timer
[IKEv1]IKE Receiver: device udp/localized/2/500 successfully opened
[IKEv1]IKE Receiver: device udp/localized/v6/2/500 successfully opened
[IKEv1]IKE Receiver: device udp/localized/2/4500 successfully opened
[IKEv1]IKE Receiver: device udp/localized/v6/2/4500 successfully opened
[IKEv1]IKE Receiver: IO port create request for intf 2(outside)
[IKEv1]IKE Receiver: IO port exists on intf 2(outside), checking for delayed delete timer
On the receiving end, debug will start showing the IKE packet exchange and the tunnel will come up. Reapply PAT and verify connectivity.
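As an added example (not part of the original post), the Python check below scans saved `show xlate` output for dynamic PAT entries that occupy UDP/500 or UDP/4500 on the outside address, which is the condition found above. The line pattern follows the xlate entry quoted in the post; the function name and the sample addresses are constructed for illustration.

```python
import re

# Line shape follows the `show xlate` entry quoted in the post.
XLATE_RE = re.compile(
    r"^(?P<proto>UDP|TCP) PAT from (?P<real_if>[^:\s]+):(?P<real_ip>[^/\s]+)/(?P<real_port>\d+)"
    r" to (?P<map_if>[^:\s]+):(?P<map_ip>[^/\s]+)/(?P<map_port>\d+)"
    r" flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+)"
)
IKE_PORTS = {500, 4500}  # the two UDP ports the IKE receiver opens in the post's log

def find_ike_port_conflicts(xlate_text, interface="outside", interface_ip=None):
    """Return PAT entries whose mapped side sits on UDP/500 or UDP/4500 of `interface`.

    `interface_ip` is optional; when given, only entries mapped to that exact
    address are reported (hypothetical helper, not a Cisco tool).
    """
    hits = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # summary lines, blank lines, other xlate types
        if m["proto"] != "UDP" or m["map_if"] != interface:
            continue
        if int(m["map_port"]) not in IKE_PORTS:
            continue
        if interface_ip and m["map_ip"] != interface_ip:
            continue
        hits.append(m.groupdict())
    return hits

# Constructed sample output; addresses are from documentation/private ranges.
SAMPLE = """\
3 in use, 12 most used
UDP PAT from any:10.1.1.25/4500 to outside:203.0.113.10/4500 flags ri idle 0:05:50 timeout 0:00:30
TCP PAT from any:10.1.1.30/51512 to outside:203.0.113.10/51512 flags ri idle 0:00:12 timeout 0:00:30
UDP PAT from any:10.1.1.31/4500 to outside:203.0.113.10/23817 flags ri idle 0:00:03 timeout 0:00:30
"""

if __name__ == "__main__":
    for hit in find_ike_port_conflicts(SAMPLE, interface_ip="203.0.113.10"):
        print("IKE port held by PAT: {real_ip}/{real_port} -> "
              "{map_if}:{map_ip}/{map_port} (idle {idle})".format(**hit))
```

Only the first sample entry is reported: the third has source port 4500 but was mapped to a different outside port, so it does not hold the IKE port.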
5 comments On Cisco ASA: Error opening IKE port 4500 on Interface outside
If you clear both xlate and conn, you will be able to enable ikev1 without deleting PAT. All operations should be done very quickly.
May need to try this but don’t want to disable PAT. Do you think clearing xlate and conn is a better way to go?
Right, keyword is very quickly!
Stoyan Mishinev was right on! I pasted clear xlate, clear conn, and crypto ikev1 enable outside quickly and the VPN came right up!
That works for me as well.