Site to Site VPN between C2921 and ASA5510

bc4switch · ‎06-26-2012

Help please!!

I setup site to site VPN between C2921 (site A) and ASA 5510 (site B). I am having problems with SA being deleted:

1: I can alwasy initiate VPN connection from Site B to Site A.

2: after VPN tunnel is up and idle for a while, SA is dropped and I lost VPN connection from Site A to Site B.

3: to get the connection back, I have to ping Site A from Site B

4: when the connection is established, it works fine!

What did I missed? Thanks.

Jennifer Halim · ‎06-26-2012

Do you have the isakmp keepalive configured?

Is site B outside interface IP address dynamic? If it's dynamic, then you can only initiate the VPN from site B, if it's static, then you should be able to initiate the VPN from both ends.

bc4switch · ‎06-26-2012

Site B outside Interface IP is static.

No, I don't have isakmp keepalive configured.

My problem now is that I can only initiate VPN from Site B; once the connnection is established, I can access site B from site A with no problem.

bc4switch · ‎06-26-2012

This issue is now resolved. A CISCO rep helped to point out that I set PFS on Site B, but not on site A. Everything worked as expected as soon as we took off the satement that sets PFS.

Thanks.