IPSEC tunnel down possibilities

Hi Team,


Just a random question I was discussing with my colleagues. 


Peer A is able to establish a VPN tunnel with Peer B however when Peer B is initiating a tunnel towards Peer B it is unsuccessful.

Connectivity is Fine, both ends are configured with Static IP.

Can someone tell me what could be the possibilities for this?


Thank you in Advance!


Geetansh Bhardwaj

4 Replies

balaji.bandi
Hall of Fame

Peer A is able to establish a VPN tunnel with Peer B however when Peer B is initiating a tunnel towards Peer A it is unsuccessful. - this could be because Peer A is configured as the initiator.


What is the device here?


BB


@GeetanshBhardwaj15367 

It could be a PFS issue. If the initiator does not have PFS enabled or has a smaller DH group, then the connection will fail. If the initiator has a group configured but the responder does not, or the responder has a smaller DH group configured, then the PFS group of the initiator is used and the VPN is established.


Or, as already mentioned, one peer could be configured as "answer-only", so it will therefore never initiate the establishment of the VPN.

Thank you for the response @Rob Ingram and @balaji.bandi.


One possibility I came to know of: if the inside interface of Peer A is connected to a firewall, the tunnel from Peer A to Peer B would be allowed, as the traffic goes from inside towards outside and the firewall security level allows it; but when initiating traffic from Peer B to Peer A, we hit the firewall on its outside interface, so by default it will block the flow, and we need to open an ACL to allow it.


Thank you for the help!

Possibilities are many, but this requires a confirmed part of troubleshooting: what is agreed between the peers, what is allowed, and what is accepted or denied. (Need to post debug logs and configuration.)


That is the reason to always use a VPN form for both parties, stating what is agreed to be achieved, and some flow/Visio diagram every time a VPN is built, so that it is a knowledge transfer and living document for Operations to run smoothly.


That is the reason, in most cases, we advise to document correctly, and also to document the changes made, since when an issue is reported it is easy to understand what the setup is and what was agreed, so you know the conditions and how to troubleshoot easily.


BB

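The three candidate causes raised in this thread (an answer-only peer, the PFS/DH-group asymmetry from Rob Ingram's reply, and an outside-facing firewall with no inbound IKE permit from the last reply) can be checked mechanically. The model below is an added example, not code from this thread or from any Cisco product; it treats the DH group number as the "smaller/larger" ordering (an assumption) and only models the knobs the thread mentions, not full IKE negotiation.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Peer:
    """Constructed model of one VPN endpoint, limited to the knobs
    discussed in the thread (not a real IKE implementation)."""
    name: str
    pfs_group: Optional[int]             # DH group for PFS, None = PFS disabled
    answer_only: bool = False            # "answer-only" peer never initiates
    behind_firewall: bool = False        # a firewall sits on this peer's outside
    fw_allows_inbound_ike: bool = True   # ACL permits inbound UDP/500, UDP/4500, ESP


def pfs_outcome(initiator: Peer, responder: Peer) -> Tuple[bool, Optional[int]]:
    """PFS rule as stated in the thread: if the responder has no PFS group,
    the initiator's group is used; otherwise the initiator must have PFS
    and a group at least as large (assumption: larger number = larger group)."""
    if responder.pfs_group is None:
        return True, initiator.pfs_group
    if initiator.pfs_group is None or initiator.pfs_group < responder.pfs_group:
        return False, None
    return True, initiator.pfs_group


def try_establish(initiator: Peer, responder: Peer) -> str:
    """Walk the thread's causes in order and report the first one that
    blocks the tunnel, or 'up' with the negotiated PFS group."""
    if initiator.answer_only:
        return f"down: {initiator.name} is answer-only and never initiates"
    if responder.behind_firewall and not responder.fw_allows_inbound_ike:
        return f"down: firewall in front of {responder.name} drops inbound IKE"
    ok, group = pfs_outcome(initiator, responder)
    if not ok:
        return "down: PFS mismatch (initiator lacks PFS or uses a smaller DH group)"
    return f"up: PFS group {group}" if group is not None else "up: no PFS"


def one_way_example() -> dict:
    """Constructed scenario matching the original question: Peer A sits
    behind a firewall whose outside ACL lacks an IKE permit, so A->B
    comes up but B->A never reaches Peer A."""
    a = Peer("Peer A", pfs_group=14, behind_firewall=True, fw_allows_inbound_ike=False)
    b = Peer("Peer B", pfs_group=14)
    return {"A->B": try_establish(a, b), "B->A": try_establish(b, a)}
```

Running `one_way_example()` reproduces the one-directional symptom; swapping in `answer_only=True` or a smaller `pfs_group` on one side shows the other two causes the replies describe.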