(S2S) One site can't initiate tunnel but can use it when second start

DamianKolodziej03650 · ‎03-11-2022

Hello,

i have realy strange problem with S2S tunnel configuration between ASA and FTD (managed remotely by FMC).

Most of networks from ASA (site1) can't comunicate with FTD (site2) until FTD don't start connection from it's side. Only one can comunicate bidirectional (in same tunel).

Tunel: IKEv2, IPSec.

I have network like:

A) S1: 10.1.2.0 <-> S2: 10.2.2.0 - when S1 try talk (ICMP or HTTP/S) with S2 there is no traffic. When S2 do the same to S1 it's working and after this S1 also can talk to S2. After few hours connection is dropped and i must make ping from S2 -> S1 to establish connection between those networks.

B) S1: 10.1.3.0 <-> S2: 10.2.3.0 - the same as above

But there is also ACL and NAT that allow:

C) S1: 10.1.5.0 <-> S2: 10.2.2.0 and this connection works normally for both sides.

All ACL and NAT are the same (of course have different object and networks but logical configuration is the same).

Why only one pair of connected network works and others must wait for traffic from S2?

Rob Ingram · ‎03-11-2022

@DamianKolodziej03650 a couple of things to check.

Is S1 configured to answer only? Meaning it can only be the responder and cannot initate the tunnel.

Is PFS configured on both sides?

DamianKolodziej03650 · ‎03-11-2022

@Rob Ingram wrote:
@DamianKolodziej03650a couple of things to check.

Is S1 configured to answer only? Meaning it can only be the responder and cannot initate the tunnel. - i've never heard that this is possible so "No". One network from S1 have connection all the time to S2 and it's not dropped after few hours.
Is PFS configured on both sides? - YES

MHM Cisco World · ‎03-11-2022

Can i see all nat config in asa,

Note:- hide public ip.

MHM Cisco World · ‎03-15-2022

do you solve the issue ?
I think the issue is arrangement of NAT where NAT exception is push below the dynamic NAT of Outside Interface.