Showing results for 
Search instead for 
Did you mean: 

5505 vpnclient

I have a few people who we distributed ASA 5505's to and configured vpnclient on them that connect to another ASA at the main site.  The setup works fine, all their connectivity seems to work when they initiate it.  However, after a while if we need to connect to the users machine over the vpn tunnel sometimes some subnets won't be able to connect out to them unless the user first initiates a connection (like a ping) from their home machine to ours or if we restart the vpn session.  We can connect form other subnets that the client talks to more often (like from the subnet the dns server is on) there any solution to this?  Here is th vpnclient config:

vpnclient server *****

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup **** password *****

vpnclient username **** password *****

vpnclient enable


Cisco Employee

Unfortunately that is the downside of easy vpn as the first connection needs to be initiated from the client's end first before head end can access the client's side.

To be able to initiate traffic from either end of the VPN, you would need to configure static site-to-site vpn tunnel.


I thought in NEM the asa supported automatic tunnel initiation?  According to the doc:

"The ASA 5505 configured for NEM mode supports automatic tunnel initiation". 

Does that not mean what I think it does?


It is easy vpn, so the connection will always need to be initiated from the client side. The hub side can't initiate the connection towards the remote/client side.

When it says, "The ASA 5505 configured for NEM mode supports automatic tunnel  initiation", that means the ASA 5505 client side can automatically initiate the tunnel without manual tunnel initiation from the ASA end. But does not mean that the hub can initiate a tunnel towards the ASA 5505 client end.


I understand the hub can't initiate the connection, however I was under the impression that the ASA would automatically initiate the connection and maintain a constant connection...which would allow two way communication.  I guess that's not the case though.


If you want to use easyVPN but to have tunnel up always, you can use IP SLA on client ASA, and that way to periodically initiate tunnel. It's not the best solution, but I will work.

Content for Community-Ad