Re: Only remote site can bring up IPsec tunnels

Andy White · ‎02-16-2010

Hello,

We have a VPN from our ASA to a SonicWall in a remote country. The SonicWall is managed be a 3rd party. It seems only the remote site can bring the IPsec tunnels up. I can see the VPN is up but with 0 Tx and 0 Rx, if I ping the remote subnet from the ASA side the transmit goes up, but to the Rx. If they ping our subnet the subnets seems to spring to life.

Is there a setting they need to look at for initiating the tunnel, or any commands I can run my end to see what is happening?

Federico Coto Fajardo · ‎02-16-2010

Hi,

There's a setting on the ASA to make the ASA either respond only or initiate only (make sure the ASA is not set to respond only). Respond only means that the tunnel cannot be set up from the ASA side.

Also, make sure its a Site-to-Site tunnel, because if it's set to Dynamic (because the SonicWall has a dynamic public IP, then the tunnel can be initiated only from the SonicWall side as well).

Federico.

Andy White · ‎02-16-2010

It is a site-to-site VPN with static public IP addresses.

The only initiator setting I can find is something called monitor keep alives, any idea whathe setting is on CLI or in the ASDM?

Federico Coto Fajardo · ‎02-16-2010

FW-ASA(config)# crypto map mymap 10 set connection-type ?

configure mode commands/options:
answer-only Answer only
bidirectional Bidirectional
originate-only Originate only

Federico.

Andy White · ‎02-17-2010

Hi, seems bidirectional is already set.

What I have noticed is if the VPN is down and I ping the remote VPN subnet phase 1 and 2 of the tunnel come up just fine, but I can't ping anything. It is not until theremote office ping back to my subnet the pinging starts to work, what could this be?