02-16-2010 06:20 AM - edited 02-21-2020 04:30 PM
Hello,
We have a VPN from our ASA to a SonicWall in a remote country. The SonicWall is managed by a 3rd party. It seems only the remote site can bring the IPsec tunnels up. I can see the VPN is up but with 0 Tx and 0 Rx; if I ping the remote subnet from the ASA side the transmit goes up, but not the Rx. If they ping our subnet the subnets seem to spring to life.
Is there a setting they need to look at for initiating the tunnel, or any commands I can run my end to see what is happening?
02-16-2010 06:37 AM
Hi,
There's a setting on the ASA to make the ASA either respond only or initiate only (make sure the ASA is not set to respond only). Respond only means that the tunnel cannot be set up from the ASA side.
Also, make sure it's a Site-to-Site tunnel, because if it's set to Dynamic (because the SonicWall has a dynamic public IP), then the tunnel can be initiated only from the SonicWall side as well.
Federico.
02-16-2010 06:46 AM
It is a site-to-site VPN with static public IP addresses.
The only initiator setting I can find is something called monitor keep alives. Any idea what the setting is on CLI or in the ASDM?
02-16-2010 09:51 AM
FW-ASA(config)# crypto map mymap 10 set connection-type ?
configure mode commands/options:
  answer-only     Answer only
  bidirectional   Bidirectional
  originate-only  Originate only
Federico.
02-17-2010 05:35 AM
Hi, seems bidirectional is already set.
What I have noticed is if the VPN is down and I ping the remote VPN subnet, phase 1 and 2 of the tunnel come up just fine, but I can't ping anything. It is not until the remote office pings back to my subnet that the pinging starts to work. What could this be?