04-26-2006 07:03 AM
I have an ASA and a PIX site-to-site VPN tunnel set up. The tunnel only establishes when I ping (send interesting traffic) from the ASA, and not vice versa.
Is there a setting or command that will allow either side to establish the tunnel?
I have another tunnel between the ASA and a different PIX, and it CAN be established from either side. Comparing the configurations side by side shows them being virtually identical (except for the IP and preshared key).
Can someone shed some light on this?
Thanks
05-02-2006 04:50 PM
It is a simple ACL problem that is overlooked on the dynamic VPN client side. Remove the ACLs in order to get the VPN tunnel working. The match address ACL for the site-to-site VPN included the client no-NAT ACL as well.
05-02-2006 06:07 PM
If you can post your configs (ASA and PIX), I can have a look for you!
07-26-2006 12:36 AM
Check whether your configuration involves a "dynamic map". If it is dynamic, that VPN side only listens. If it is "static" and has a peer address, it will listen or initiate.
08-10-2006 12:40 PM
Your reply reminded me that if you have several static maps configured as well as a dynamic map, the dynamic map must have the highest sequence number or the static tunnels below it will not initiate a tunnel - the dynamic map grabs the packets and, since a dynamic map is listen-only, a tunnel will never be initiated.
Moving the dynamic map to the highest sequence number (65535) will correct the issue.
Thanks for jogging my memory!
Marc
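To make the ordering rule in the post above checkable against a running config, here is an added example (written for this page, not code from the thread or from Cisco) that parses `crypto map` lines from a `show running-config` capture and flags any static (peer-based) entry that sits after a dynamic entry in the same map. The map name OUTSIDE-MAP, the ACL names, the peer addresses and the sequence numbers in the two embedded sample configs are constructed for illustration; the syntax follows the ASA 7.x / PIX 7.x form of the commands.

```python
"""Flag static crypto map entries ordered after a dynamic entry (PIX/ASA).

A dynamic crypto map entry is listen-only, so a static site-to-site entry
with a higher sequence number than the dynamic entry is the ordering the
post above describes as preventing that static tunnel from initiating.

All map names, ACL names, peers and sequence numbers below are constructed
samples for this example, not taken from any real configuration.
"""
import re
from collections import defaultdict

# Matches 'crypto map <name> <seq> <rest>'; lines such as
# 'crypto map <name> interface outside' have no numeric seq and are skipped.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

# Constructed sample: dynamic entry at seq 10, static site-to-site at seq 20.
BROKEN_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 10 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP 20 match address VPN-TO-SITEA
crypto map OUTSIDE-MAP 20 set peer 203.0.113.10
crypto map OUTSIDE-MAP 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
"""

# Constructed sample: same map with the dynamic entry moved to seq 65535.
FIXED_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-TO-SITEA
crypto map OUTSIDE-MAP 20 set peer 203.0.113.10
crypto map OUTSIDE-MAP 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
"""


def parse_crypto_maps(config_text):
    """Return {map_name: {seq: {"dynamic": bool, "peer": str|None, "acl": str|None}}}."""
    maps = defaultdict(dict)
    for line in config_text.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps[name].setdefault(seq, {"dynamic": False, "peer": None, "acl": None})
        if rest.startswith("ipsec-isakmp dynamic "):
            entry["dynamic"] = True
        elif rest.startswith("set peer "):
            entry["peer"] = rest.split()[2]
        elif rest.startswith("match address "):
            entry["acl"] = rest.split()[2]
    return dict(maps)


def shadowed_static_entries(config_text):
    """List (map_name, static_seq, dynamic_seq) for every static entry whose
    sequence number is higher than a dynamic entry in the same crypto map."""
    findings = []
    for name, entries in parse_crypto_maps(config_text).items():
        dynamic_seqs = [s for s, e in entries.items() if e["dynamic"]]
        if not dynamic_seqs:
            continue  # no dynamic entry in this map: nothing can shadow
        lowest_dynamic = min(dynamic_seqs)
        for seq, e in sorted(entries.items()):
            if not e["dynamic"] and seq > lowest_dynamic:
                findings.append((name, seq, lowest_dynamic))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = shadowed_static_entries(cfg)
        if findings:
            for name, seq, dyn in findings:
                print(f"{label}: {name} seq {seq} (static) is after dynamic seq {dyn}; "
                      f"that static tunnel will not initiate from this side")
        else:
            print(f"{label}: every static entry precedes the dynamic entry")
```

On the ASA a sequence number cannot be edited in place, so applying the fix means removing the `ipsec-isakmp dynamic` line at its low sequence number and re-adding it at 65535; rerunning the check on the new `show running-config` output then returns no findings.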