Cisco ASA: Error opening IKE port 4500 on Interface outside

This issue had me going for a bit because it started happening on a working production unit after its public IP address changed. After updating all the relevant VPN settings with the new IP address, a previously working tunnel would not establish for no obvious reason. The initiating side displayed a message stating that none of its configured IKE settings matched the remote peer, and the receiving side (where the IP changed) logged no messages at all. Since the error pointed to IKE, I tried disabling and re-enabling IKE on the outside interface (receiving end) and received the following error message.

ASA# crypto ikev1 enable outside
ERROR: Failed to open "udp/localized/2/4500"
ERROR: Error opening IKE port 4500 on Interface outside
[IKEv1]IKE Receiver: IO port create request for intf 2(outside)
[IKEv1]IKE Receiver: IO port exists on intf 2(outside), checking for delayed delete timer
[IKEv1]IKE Receiver: device udp/localized/2/500 successfully opened
[IKEv1]IKE Receiver: device udp/localized/v6/2/500 successfully opened

Based on this output, something was holding on to port UDP/4500. I grepped the xlate table for 4500 and found that a private IP was being PATed to the outside IP on port UDP/4500, which was conflicting with IKE.

ASA# show xlate | i 4500
UDP PAT from any:<privateIP>/4500 to outside:<outsideIP>/4500 flags ri idle 0:05:50 timeout 0:00:30
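The check above is a manual grep; the script below is an added example (not from the original post) that parses "show xlate" output and flags any PAT translation on the VPN interface that occupies the UDP ports IKE needs (500 and 4500). The sample xlate text is constructed for the example, with placeholder addresses, and the interface name "outside" is assumed to be the one IKE is enabled on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# UDP ports the ASA must bind for IKE (500) and IKE over NAT-T (4500).
IKE_UDP_PORTS = {500, 4500}

# Matches the PAT form of an ASA "show xlate" line, e.g.
#   UDP PAT from any:10.1.2.3/4500 to outside:203.0.113.10/4500 flags ri idle 0:05:50 timeout 0:00:30
# Header lines ("N in use", "Flags: ...") deliberately do not match.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+PAT\s+from\s+"
    r"(?P<src_if>\S+?):(?P<src_ip>[0-9a-fA-F:.]+)/(?P<src_port>\d+)\s+to\s+"
    r"(?P<dst_if>\S+?):(?P<dst_ip>[0-9a-fA-F:.]+)/(?P<dst_port>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
)


@dataclass
class PatEntry:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    flags: str  # ASA flag letters, e.g. "ri" = portmap + dynamic


def parse_xlate_line(line: str) -> Optional[PatEntry]:
    """Parse one 'show xlate' PAT line; return None for non-PAT or header lines."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    return PatEntry(
        proto=m["proto"],
        src_if=m["src_if"],
        src_ip=m["src_ip"],
        src_port=int(m["src_port"]),
        dst_if=m["dst_if"],
        dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]),
        flags=m["flags"] or "",
    )


def find_ike_port_conflicts(xlate_output: str, vpn_interface: str = "outside") -> List[PatEntry]:
    """Return PAT entries that map a host onto the VPN interface's UDP/500 or UDP/4500.

    Any such entry would stop 'crypto ikev1 enable <interface>' from opening its ports.
    """
    conflicts = []
    for line in xlate_output.splitlines():
        entry = parse_xlate_line(line)
        if entry is None:
            continue
        if (entry.proto == "UDP"
                and entry.dst_if == vpn_interface
                and entry.dst_port in IKE_UDP_PORTS):
            conflicts.append(entry)
    return conflicts


# Constructed sample output (placeholder addresses), not captured from a real unit.
SAMPLE_XLATE = """\
4 in use, 9 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
UDP PAT from any:10.1.2.3/4500 to outside:203.0.113.10/4500 flags ri idle 0:05:50 timeout 0:00:30
TCP PAT from inside:10.1.2.4/51234 to outside:203.0.113.10/51234 flags ri idle 0:00:10 timeout 0:00:30
UDP PAT from inside:10.1.2.5/500 to outside:203.0.113.10/500 flags ri idle 0:01:00 timeout 0:00:30
UDP PAT from inside:10.1.2.6/4500 to dmz:192.0.2.1/4500 flags ri idle 0:00:05 timeout 0:00:30
"""

if __name__ == "__main__":
    for c in find_ike_port_conflicts(SAMPLE_XLATE, "outside"):
        print(f"IKE port conflict: {c.src_if}:{c.src_ip}/{c.src_port} -> "
              f"{c.dst_if}:{c.dst_ip}/{c.dst_port} (flags {c.flags})")
```

Run it against a pasted "show xlate" capture before re-enabling IKE; TCP entries and PAT onto other interfaces are ignored, since only UDP/500 and UDP/4500 on the IKE interface matter here.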

Clearing xlate did not fix the issue, so I had to remove the PAT rule.

Removing PAT rules will impact production traffic.

After removing the PAT rule, clear xlate again and re-enable IKE on the outside interface. This time you should see successful log messages.

ASA# crypto ikev1 enable outside
[IKEv1]IKE Receiver: IO port exists on intf 2(outside), checking for delayed delete timer
[IKEv1]IKE Receiver: device udp/localized/2/500 successfully opened
[IKEv1]IKE Receiver: device udp/localized/v6/2/500 successfully opened
[IKEv1]IKE Receiver: device udp/localized/2/4500 successfully opened
[IKEv1]IKE Receiver: device udp/localized/v6/2/4500 successfully opened
[IKEv1]IKE Receiver: IO port create request for intf 2(outside)
[IKEv1]IKE Receiver: IO port exists on intf 2(outside), checking for delayed delete timer

On the receiving end, the debug will start showing the IKE packet exchange and the tunnel will come up. Reapply the PAT rule and verify connectivity.
