670 Views, 10 Helpful, 4 Replies

IPsec site-to-site responder

bluesea2010
Level 5

Hi,

The VPN always shows as responder. What could be the reason it does not show as initiator?

[attachment: isakamp sa.PNG]

There are a lot of subnets, both remote and local, but only the above are listed in show crypto isakmp sa. Why are the others not showing?

I have other remote/local subnets, for example 192.168.8.0/24 (local), and I can't reach it from 172.21.21.0/24.

If I initiate traffic first from 192.168.8.0/24, then I can reach it from 172.21.21.0/24.

In the access-list everything is included.

Please help.

Thanks

4 Replies

@bluesea2010 

Not enough information, but if one side has to initiate traffic for the VPN to be established, it could be that the configuration specifies that one peer is a responder only or one device is configured to initiate only. Typically a VPN is configured to be bi-directional, meaning either side can initiate the tunnel.

 

Provide the configuration for review.

Hi,

What configuration do I need to add to make it bi-directional?

[attachment: asa s2s.PNG]

What I mean is: from 172.21.21.0 I can reach 192.168.35.0, but not 192.168.2.0/24.

Now if I initiate a ping from 192.168.2.0/24 to 172.21.21.0/24, then I can reach it in the reverse direction also (a ping from 172.21.21.0 to 192.168.2.0 will work then),

but the problem is I lose access to 192.168.35.0/24.

Regarding the diagram in the previous post, why are 192.168.8.0 and 192.168.10.0 not showing in sh crypto isakmp sa?

Thanks

Attached is the debug output (sanitized).

The problem is between remote-peer-ip and outside-ip:500 (local FW outside interface).

Thanks

@bluesea2010 

The command "crypto map set connection-type" is used to configure the crypto map to be bi-directional, initiator or responder.

 

Another possibility could be that PFS is configured on one side and not the other, so if the initiator does not have PFS configured or a smaller group than the responder, the connection will fail...but would succeed if initiated by the peer. Check to see if the command "crypto map set pfs" is configured on your ASA.

 

What is the peer device? Could it be there is a restriction on the number of IPsec SAs to be formed between peers?
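As an added illustration (not configuration from the original thread or the poster's ASA), here is how the two commands named in this reply sit in an ASA crypto map entry, together with the crypto ACL style the thread uses. The map name S2S_MAP, sequence number 10, peer address 203.0.113.10, transform-set name ESP-AES-SHA and the object-group and ACL names are hypothetical placeholders; the subnets are the ones mentioned in the thread.

```cisco
! Hypothetical ASA (8.4+ syntax) configuration; names and peer address are placeholders.

! Crypto ACL: the ASA expands the object groups into one local/remote pair per ACE.
object-group network LOCAL_NETS
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.8.0 255.255.255.0
 network-object 192.168.35.0 255.255.255.0
object-group network REMOTE_NETS
 network-object 172.21.21.0 255.255.255.0
access-list CRYPTO_ACL extended permit ip object-group LOCAL_NETS object-group REMOTE_NETS

crypto map S2S_MAP 10 match address CRYPTO_ACL
crypto map S2S_MAP 10 set peer 203.0.113.10
crypto map S2S_MAP 10 set ikev1 transform-set ESP-AES-SHA
! PFS must agree with the peer: the same DH group on both sides, or no "set pfs" on either side.
crypto map S2S_MAP 10 set pfs group5
! answer-only  = this ASA only responds (never initiates)
! originate-only = this ASA only initiates
! bidirectional = either side may bring the tunnel up (the usual setting)
crypto map S2S_MAP 10 set connection-type bidirectional
crypto map S2S_MAP interface outside

! Verification: the IKE (phase 1) SA is one per peer and shows the role (initiator or responder);
! the IPsec (phase 2) SAs are negotiated on demand, one per subnet pair that has carried traffic.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

Because phase 2 SAs are built only when interesting traffic matches a given local/remote pair, `show crypto ipsec sa` is the place to check which subnet pairs have actually negotiated; `show crypto isakmp sa` lists only the per-peer IKE SA and its role.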

Hi,

crypto map Tt 2 set pfs group5 is configured.

access-list cryptomap extended permit ip object-group llocal object-group rremote

Here llocal is the local subnet and rremote is the remote one.

Do I need to do anything on the ACL? Do I need an ACL in the reverse order?

crypto map set connection-type is configured on the ASA, but it is showing only as responder; before, it showed both responder and initiator.

What is the peer device? It is a cloud provider.

Could it be there is a restriction on the number of IPsec SAs to be formed between peers?

I am not sure about this question.

Is it possible to do a restriction?

Thanks