Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1091
Views
0
Helpful
5
Replies

ASA dymaic crypto role intiator / responder problem

jorge_cortez
Level 1
Level 1

‎03-15-2017 05:59 AM

hi,

can anyone help me, im building a VPN  site to site between ASA and Meraki (dynamic crypto map), so te firewall is configured to wait for vpn request from everywhere, the vpn builds fine and I can have a ping from the branch (meraki site), but if i try to initiate the ping from the central site (asa site) it doesn't responde until I initiate a ping from the meraki side, so its looks like something about the initiator and responder role in the vpn configuration, actually the cisco asa has the responder role in the crypto.

What can I do to permit my communication from the central site to the branch without the need to send a ping from the branch?

regards

Jorge Cortez

Labels:
0 Helpful
5 Replies 5

jorge_cortez
Level 1
Level 1

‎03-15-2017 06:23 AM

BTW the vpn tunnel is active and i have communication between other networks (the ones that the branch office initiate), but there is one network that the branch office desn´t initiate and that is where i have the problem (the sys admin networks Who needs to remote desktop the branch office server)

0 Helpful

Karsten Iwen
VIP
VIP

‎03-15-2017 07:03 AM

Do you have a static IP on the Branch/Meraki side? Then you can configure it as a static crypto map which can be initiated from both sides.

If you only have a dynamic IP on the Brach-side, then you have to make sure that something from that side is permanently sending traffic.

0 Helpful

jorge_cortez
Level 1
Level 1
In response to Karsten Iwen

‎03-15-2017 07:14 AM

thank you Karsten, so its the normal behaviour? the tunnel is initiated and i have SA (show ipsec sa), but only in the networks that the remote side send traffic to the central office, but for the network where the sysadmin is trying to remote desktop the server i don't see the network in the show ipsec sa until I send a ping from the branch office to that network.

0 Helpful

Karsten Iwen
VIP
VIP
In response to jorge_cortez

‎03-15-2017 07:20 AM

Yes, the ASA is only the responder if configured with a dynamic crypto map.

0 Helpful

jorge_cortez
Level 1
Level 1
In response to Karsten Iwen

‎03-15-2017 07:35 AM

thank you I thought that initiator / responder role was important only for the phase 1, but now I see that also take action in the phase 2 communication right? that`s because as i told you the vpn is up and running for some networks but not for other where the initiation has not begin from the meraki side

0 Helpful
Customers Also Viewed These Support Documents