I have a site to site VPN tunnel to customer.
We are using cisco 7206 and customer side ASA is installed.
The tunnel is up and working fine, but it only comes up when the customer initiates the traffic from their side; we are not able to do it.
The customer requires that it has to be done from our side only.
We don't have any such policy or restriction at our side that the remote will be the initiator.
How can we make it possible that the tunnel will come up when we initiate the traffic from our side?
Please suggest if this can be done or only they can do it, as they are using an ASA and this will work as a more trusted device that can initiate the traffic.
What does your side config look like? Ideally, for a static site-to-site tunnel, both sides should be able to initiate tunnels and send encrypted traffic after that.
Hi Rahul,
Thanks for your reply.
As I have mentioned, this is a site-to-site crypto VPN.
We have a static route for the remote source IP towards our next hop (i.e. to our service provider).
When they telnet from their side, the tunnel came up and they can communicate, but when we initiate traffic the tunnel is not coming up.
01. Try to initiate the traffic from your side and check with # show crypto isakmp sa
02. Or run the debug command on the ASA: #debug crypto ikev1/ikev2 127
and share the logs.
Thanks to everybody for the valuable inputs.
The issue is resolved now. I have advised the customer to allow the UDP packets on the ASA, and now the tunnel can be established from both sides.
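For anyone working through the same check that was suggested above (initiate traffic, then look at "show crypto isakmp sa"), here is an added helper that is not from this thread or from Cisco: it parses that command's output from the IOS side and turns the phase 1 state towards a given peer into a plain verdict, so a tunnel that never gets an IKE reply (as in the UDP-blocked case that was resolved here) is easy to tell apart from one where phase 1 simply was never attempted. The sample output and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders.

```python
import re

# Constructed sample of `show crypto isakmp sa` output (IOS format,
# documentation addresses only; not captured from the thread's routers).
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.1    QM_IDLE           1001 ACTIVE
203.0.113.20    198.51.100.1    MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# dst  src  state  conn-id  [slot]  status   (older IOS prints a slot column)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(?:\d+\s+)?(ACTIVE.*|\S+)\s*$")


def parse_isakmp_sa(text):
    """Return one dict per SA row; headers and section titles are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, status = m.groups()
        sas.append({"dst": dst, "src": src, "state": state,
                    "conn_id": int(conn_id), "status": status.strip()})
    return sas


def diagnose_peer(text, peer_ip):
    """Classify the IKEv1 phase 1 state towards peer_ip."""
    rows = [r for r in parse_isakmp_sa(text) if peer_ip in (r["dst"], r["src"])]
    if not rows:
        # No SA at all: IKE was never started, so either no interesting traffic
        # matched the crypto ACL or the SA has already been cleared.
        return "no ISAKMP SA: IKE not attempted; check that traffic matches the crypto ACL"
    state = rows[-1]["state"]  # most recent entry for this peer
    if state == "QM_IDLE":
        return "phase 1 established"
    if state.startswith("MM_"):
        # Stuck in main mode: our proposal went out but the peer never answered
        # (UDP/500 or UDP/4500 dropped at the far end) or rejected the policy.
        return f"phase 1 stuck in {state}: no reply from peer or policy mismatch"
    return f"unrecognised state {state}"


if __name__ == "__main__":
    for peer in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        print(peer, "->", diagnose_peer(SAMPLE_OUTPUT, peer))
```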
I was referring to a "static" site-to-site VPN tunnel, where both sides have static IP addresses and the remote peer is manually set. If this is the case, both sides should be able to initiate traffic.
Attach the sanitized config if you have it with you.