Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
342
Views
0
Helpful
1
Replies

Can the VPN3000 initiate a LAN-to-LAN tunnel?

sslokey
Level 1
Level 1

‎11-23-2002 10:41 PM - edited ‎03-09-2019 01:10 AM

I have a VPN3000 (ver 3.5) at the hub site with PIX 501's deployed remotely. Remote sites can bring up a tunnel without any problem. Once the tunnel is up traffic can be initiated by either side and there's full connectivity.

When the tunnel drops only traffic from the remote site can bring it back up. With PIX's or routers it doesn't matter where the traffic starts from but the VPN3k seems to care. This seems like basic functionality to me so I can't believe it doesn't do it. What's the secret?

Thanks

Labels:
0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎11-24-2002 04:27 PM

Make sure your ACL's (or local and remote networks in the 3000) are the exact opposite of each other. Then make sure your Phase 1 lifetime is the same on all devices (check what IKE Proposal the L2L tunnel is using, then check the lifetime for that proposal under the IKE Proposals section).

Other than that, clear the log on the 3000, try and bring up the tunnel and see what it says. If you enable the IKE, IKEDBG, IPSEC and IPSECDBG event classes at Severity to Log of 1-13, then you'll get a bunch more info, feel free to paste it back in here and we can check it out.

0 Helpful
Customers Also Viewed These Support Documents