<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: VPN tunnel will only initiate from one end in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877487#M955613</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Martin&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In my experience there are several things that can result in the symptom that the tunnel can initiate from one end but not from the other:&lt;/P&gt;&lt;P&gt;- it may be that one end has a dynamically learned (and subject to change) IP address and the other end is configured to accept connection requests from any address and authenticate to determine if it is a legitimate peer. In this situation the peer with the dynamic address can initiate the tunnel but not the other peer.&lt;/P&gt;&lt;P&gt;- it may be that there is a mismatch between the peers about what is interesting traffic which can initiate the tunnel (perhaps echo request or echo response is included on one but not on the other).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you get to phase 2 and fail I suspect it is the mismatch issue. Perhaps you can post the appropriate sections of both configs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 04 Feb 2008 12:53:03 GMT</pubDate>
    <dc:creator>Richard Burts</dc:creator>
    <dc:date>2008-02-04T12:53:03Z</dc:date>
    <item>
      <title>VPN tunnel will only initiate from one end</title>
      <link>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877486#M955612</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a LAN-to-LAN VPN set up with 2 Cisco PIX 515E.  One of the firewalls is in the UK and the other is in France.  I can initiate the tunnel from France by pinging an IP address in the UK.  If I ping France from the UK the tunnel fails at phase 2.  Any idea why this is?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Martin&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 11:58:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877486#M955612</guid>
      <dc:creator>lord_studley</dc:creator>
      <dc:date>2019-03-11T11:58:41Z</dc:date>
    </item>
    <item>
      <title>Re: VPN tunnel will only initiate from one end</title>
      <link>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877487#M955613</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Martin&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In my experience there are several things that can result in the symptom that the tunnel can initiate from one end but not from the other:&lt;/P&gt;&lt;P&gt;- it may be that one end has a dynamically learned (and subject to change) IP address and the other end is configured to accept connection requests from any address and authenticate to determine if it is a legitimate peer. In this situation the peer with the dynamic address can initiate the tunnel but not the other peer.&lt;/P&gt;&lt;P&gt;- it may be that there is a mismatch between the peers about what is interesting traffic which can initiate the tunnel (perhaps echo request or echo response is included on one but not on the other).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you get to phase 2 and fail I suspect it is the mismatch issue. Perhaps you can post the appropriate sections of both configs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 04 Feb 2008 12:53:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877487#M955613</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2008-02-04T12:53:03Z</dc:date>
    </item>
    <item>
      <title>Re: VPN tunnel will only initiate from one end</title>
      <link>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877488#M955614</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the information.  I can't get the configuration of the PIX in France as the tunnel is currently down.  That PIX has a DHCP address on its outside interface but it is connected to an ADSL router that has a fixed external IP address.  That external address is the address the PIX in the UK looks for as a peer.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Would the DHCP outside interface make a difference?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 05 Feb 2008 09:39:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877488#M955614</guid>
      <dc:creator>lord_studley</dc:creator>
      <dc:date>2008-02-05T09:39:40Z</dc:date>
    </item>
    <item>
      <title>Re: VPN tunnel will only initiate from one end</title>
      <link>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877489#M955615</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Martin&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you cannot get to the config of the PIX in France, then the config of the PIX in the UK would be a good starting point.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am having some difficulty in getting my head around how it would work for a PIX to have a DHCP address on its outside interface and to configure peering using the fixed address of the ADSL router. But I am wondering if this falls into the category that I described as one side has a dynamic address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 07 Feb 2008 05:03:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-tunnel-will-only-intiate-from-one-end/m-p/877489#M955615</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2008-02-07T05:03:58Z</dc:date>
    </item>
  </channel>
</rss>

