08-23-2021 08:00 AM
Hi,
The VPN always shows as responder. What could be the reason it does not show as initiator?
There are a lot of subnets, both remote and local, but only the above are listed in show cr isakmp sa. Why are the others not showing?
I have other remote/local subnets, for example 192.168.8.0/24 (local), and I can't reach it from 172.21.21.0/24.
If I initiate traffic first from 192.168.8.0/24, then I can reach it from 172.21.21.0/24.
In the access-list everything is included.
Please help.
Thanks
08-23-2021 08:26 AM
Not enough information, but if one side has to initiate traffic for the VPN to be established, it could be that the configuration specifies that one peer is a responder only or one device is configured to initiate only. Typically a VPN is configured to be bi-directional, meaning either side can initiate the tunnel.
Provide the configuration for review.
08-23-2021 09:49 AM
Hi,
What configuration do I need to add to make it bi-directional?
What I mean is: from 172.21.21.0 I can reach 192.168.35.0, but not 192.168.2.0/24.
Now if I initiate a ping from 192.168.2.0/24 to 172.21.21.0/24, then I can reach it in the reverse direction also (a ping from 172.21.21.0 to 192.168.2.0 will work then),
but the problem is I lose access to 192.168.35.0/24.
Regarding the diagram in the previous post, why are 192.168.8.0 and 192.168.10.0 not showing in sh crypto isakmp sa?
Thanks
Attached the debug output (sanitized).
The problem is between remote-peer-ip and outside-ip:500 (local FW outside interface).
Thanks
08-23-2021 09:59 AM - edited 08-23-2021 09:59 AM
The command "crypto map set connection-type" is used to configure the crypto map to be bi-directional, initiator or responder.
Another possibility could be that PFS is configured on one side and not the other, so if the initiator does not have PFS configured or a smaller group than the responder, the connection will fail...but would succeed if initiated by the peer. Check to see if the command "crypto map set pfs" is configured on your ASA.
What is the peer device? Could it be there is restriction on the number of IPSec SAs to be formed between peers?
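To make the two settings mentioned above concrete, here is an added illustration (not configuration from the original posts or from either peer) of the crypto map lines on an ASA that control connection direction and PFS. The map name `Tt`, sequence number `2`, ACL name `cryptomap` and the PFS group are taken from this thread; the peer address is a placeholder, and the "before" values are constructed to show the mismatch being described, not the poster's actual configuration.

```text
! --- Constructed "before": this peer can only answer, never originate,
!     and its PFS group does not match the remote side.
crypto map Tt 2 match address cryptomap
crypto map Tt 2 set peer <REMOTE-PEER-IP>
crypto map Tt 2 set connection-type answer-only
crypto map Tt 2 set pfs group2

! --- Corrected: either side may bring the tunnel up, and the PFS group
!     matches what the remote peer proposes (group5 in this thread).
!     The remote peer must have the same PFS group (or PFS disabled on
!     both sides); an asymmetric PFS setting fails in one direction only.
crypto map Tt 2 match address cryptomap
crypto map Tt 2 set peer <REMOTE-PEER-IP>
crypto map Tt 2 set connection-type bidirectional
crypto map Tt 2 set pfs group5

! --- Checks: confirm the effective settings, then verify that the
!     IKE SA shows as initiator when this side starts traffic and that
!     every interesting-traffic pair in the ACL has a child IPsec SA.
show running-config crypto map
show crypto isakmp sa
show crypto ipsec sa
```

The `answer-only` / `originate-only` / `bidirectional` keywords are the three values the `set connection-type` command accepts; only `bidirectional` lets the tunnel come up regardless of which side sends the first packet. Comparing `show crypto ipsec sa` against the entries of the `cryptomap` ACL is the quickest way to see which local/remote subnet pairs never negotiated a child SA.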
08-23-2021 11:13 AM - edited 08-24-2021 01:14 AM
hi,
crypto map Tt 2 set pfs group5 is configured.
access-list cryptomap extended permit ip object-group llocal object-group rremote
Here llocal is the local subnet and rremote is the remote.
Do I need to do anything on the ACL? Do I need an ACL in reverse order?
crypto map set connection-type is configured on the ASA, but it is showing only as responder; before, it was showing both responder and initiator.
What is the peer device? It is a cloud provider.
Could it be there is a restriction on the number of IPSec SAs to be formed between peers?
I am not sure about this question.
Is it possible to do a restriction?
Thanks