I have a few people who we distributed ASA 5505's to and configured vpnclient on them that connect to another ASA at the main site. The setup works fine, all their connectivity seems to work when they initiate it. However, after a while if we need to connect to the user's machine over the vpn tunnel sometimes some subnets won't be able to connect out to them unless the user first initiates a connection (like a ping) from their home machine to ours or if we restart the vpn session. We can connect from other subnets that the client talks to more often (like from the subnet the dns server is on)...is there any solution to this? Here is the vpnclient config:
vpnclient server *****
vpnclient mode network-extension-mode
vpnclient vpngroup **** password *****
vpnclient username **** password *****
Unfortunately that is the downside of easy vpn, as the first connection needs to be initiated from the client's end before the head end can access the client's side.
To be able to initiate traffic from either end of the VPN, you would need to configure static site-to-site vpn tunnel.
I thought in NEM the asa supported automatic tunnel initiation? According to the doc:
"The ASA 5505 configured for NEM mode supports automatic tunnel initiation".
Does that not mean what I think it does?
It is easy vpn, so the connection will always need to be initiated from the client side. The hub side can't initiate the connection towards the remote/client side.
When it says, "The ASA 5505 configured for NEM mode supports automatic tunnel initiation", that means the ASA 5505 client side can automatically initiate the tunnel without manual tunnel initiation from the ASA end. But it does not mean that the hub can initiate a tunnel towards the ASA 5505 client end.
I understand the hub can't initiate the connection, however I was under the impression that the ASA would automatically initiate the connection and maintain a constant connection...which would allow two way communication. I guess that's not the case though.
If you want to use easyVPN but to have the tunnel up always, you can use IP SLA on the client ASA, and that way periodically initiate the tunnel. It's not the best solution, but it will work.
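As an added illustration of the IP SLA approach suggested above (this is example configuration, not something posted in the thread), the ASA 5505 hardware client can run an ICMP echo probe sourced from its inside interface towards a host on the head-end LAN. Because the inside network is part of the NEM-protected traffic, each probe is interesting traffic that brings the tunnel up and keeps it from idling out. The SLA number 10, the probe target 10.0.0.10 (a host behind the head-end ASA), the interface name inside and the 60-second frequency are all assumed placeholders; substitute your own values.

```cisco
! Added example (not from the thread): keep the Easy VPN NEM tunnel up from the client side.
! Assumed values: SLA id 10, head-end LAN host 10.0.0.10, inside interface name "inside".

! Define an ICMP echo probe sourced from the inside interface so the
! packets fall inside the NEM-protected network and traverse the tunnel.
sla monitor 10
 type echo protocol ipIcmpEcho 10.0.0.10 interface inside
 frequency 60
 timeout 5000

! Start the probe now and run it indefinitely.
sla monitor schedule 10 life forever start-time now
```

Two caveats worth keeping in mind: the probe must target a host that actually answers ICMP through the tunnel (otherwise the tunnel still comes up, since the echo request is sent regardless, but the SLA will sit in a failed state and be confusing to troubleshoot), and this does not change the Easy VPN model described earlier. The head end still cannot initiate the session; the probe simply makes sure the client has already brought the tunnel up so that traffic from any subnet at the main site can reach the remote side while it is up. Use show sla monitor operational-state 10 and show vpnclient on the 5505 to confirm the probe is running and the tunnel stays established.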