
Can only start SA between two spokes from one of the spokes

I have an ASA as a hub for multiple VPN connections. In this case I have users coming into either IPsec or SSL VPNs terminating on this ASA. They are able to reach anything except for one site. This site (the other spoke) is configured on the ASA for a dynamic IPsec VPN. This remote site is an 1800 router on a DSL line.

If I ping from the VPN clients to the remote site's internal network I get no response, and the IPsec SA does not start up for that subnet-to-subnet traffic. If I ping from the remote site to an internal location it works fine, and the IPsec SA is up and active for that traffic. If I ping from the remote site to a VPN user it takes a second, but then it brings up the correct IPsec SA for that traffic as well. Once that's active I can ping from the VPN client to the remote site.

What's going on here that I can't establish that IPsec SA from the VPN clients, and yet once the SA is active it works fine?



If the SAs for the dynamic site are up, you should be able to send traffic from the VPN clients.

I'm not sure if this is the problem, but it could be that when the VPN client is sending traffic to the remote dynamic site, there's no SA up for that traffic.

When you need to create an SA against a dynamic site, the SA needs to be established from the dynamic site (not the other way around).

Check the following:

When sending traffic from the VPN clients to the remote site, do you have an IPsec SA for the IPs between the VPN clients and the remote site?

Otherwise, when you initiate traffic from the remote site, and now you can send traffic from the VPN client, do you see now an SA between the remote site and the VPN client IP?
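
To make the point above concrete, here is an added configuration example (not the poster's or the answerer's config) of why a hub with a dynamic crypto map cannot initiate toward the spoke, what the spoke's crypto ACL has to cover so that client-to-spoke traffic even has a matching SA, and one common way to keep that SA up from the dynamic side. All names, addresses, the 203.0.113.1 hub address, the 10.10.10.0/24 client pool and the Dialer0 interface are assumptions for illustration; the ASA syntax is the 8.4+ `ikev1` form.

```cisco
! ---- ASA hub (assumed addresses; example only) ----
! The dynamic crypto map deliberately has no "set peer": the ASA only
! learns the 1800's current DSL address when the 1800 starts IKE.
! With no SA in place and no known peer, packets from the VPN clients
! toward the spoke LAN have nothing to trigger, so they are dropped.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-SPOKES 10 set ikev1 transform-set TS-AES
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <key>
! Client<->spoke traffic enters and leaves on "outside", so hairpinning
! must already be permitted (the thread implies it is, since it works
! once the SA exists):
same-security-traffic permit intra-interface

! ---- Cisco 1800 spoke on DSL (IOS; assumed addresses) ----
! The spoke knows the hub's fixed address, so it can always initiate.
! The crypto ACL must list the VPN client pool as well as the hub LAN;
! an entry per destination means one SA pair per entry, which is why a
! ping to the hub LAN alone does not help client<->spoke traffic.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <key> address 203.0.113.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
ip access-list extended VPN-TO-HUB
 remark spoke LAN -> hub LAN
 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
 remark spoke LAN -> ASA VPN client pool
 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto map HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address VPN-TO-HUB
interface Dialer0
 crypto map HUB

! Keepalive from the dynamic side (a workaround, not advice from the
! thread): periodic probes from the spoke LAN toward each protected
! destination subnet keep both SAs established, so client-initiated
! traffic always finds an existing SA instead of having to build one.
! The probe toward the client pool only needs to match the ACL entry;
! it does not need a host to answer.
ip sla 1
 icmp-echo 10.0.0.1 source-ip 192.168.50.1
 frequency 30
ip sla 2
 icmp-echo 10.10.10.1 source-ip 192.168.50.1
 frequency 30
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now

! ---- Verifying the SAs the answer asks about ----
! ASA:  show crypto ikev1 sa
!       show crypto ipsec sa peer <spoke-dsl-address>
!         look for "local ident"/"remote ident" covering 10.10.10.0/24
! IOS:  show crypto isakmp sa
!       show crypto ipsec sa
!         one "local ident"/"remote ident" pair per ACL entry
```

If the client-pool SA is missing on the ASA while the hub-LAN SA is present, the cause is the missing ACL entry on the spoke rather than the initiation direction; if both identities are present only after the spoke has sent traffic, it is the initiation limitation the answer describes, and the keepalive (or a static address for the spoke with a normal static peer on the ASA) is the usual way around it.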


Federico, thanks! I'm guessing you got it right. I'm trying to have the SA start when traffic comes from the VPN client side, not the dynamic remote side. Guess that won't work. OK, thanks for the help!


