establishing a VPN tunnel from either side

jsmtingmak · ‎04-26-2006

I have an ASA and a PIX site-to-site VPN tunnel set up. The tunnel only establishes when I ping (send interesting traffic) from the ASA, and not vice versa.

Is there a setting or command that will allow either side to establish the tunnel?

I have another tunnel between the ASA and a different PIX, and it CAN be established from either side. Comparing the configurations side by side shows them being virtually identical (except for the IP and preshared key).

Can someone shed some light on this?

Thanks

Report Inappropriate Content · ‎05-02-2006

it is a simple ACL problem that overlooking on the dynamic VPN client side. remove the ACL's in order to

get the VPN tunnel working. Match address ACL for site to site vpn included client no nat ACL as well

Fernando_Meza · ‎05-02-2006

If you can post your configs ( ASA and PIX ) I can have a look for you !!!

leon.mflai · ‎07-26-2006

Check if your configuration involve "dynamic map". If it is dynamic, the VPN side only listen. If it is "static" and have a peer address. It will listen or initiate.

drumrb0y · ‎08-10-2006

Your reply reminded me that if you have several static maps configured as well as a dynamic map, the dynamic map must have the highest sequence number or the static tunnels below it will not initiate a tunnel - the dynamic map grabs the packets and, since a dynamic map is listen-only, a tunnel will never be initiated.

Moving the dynamic map to the highest sequence number (65535) will correct the issue.

Thanks for jogging my memory!

Marc