Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
416
Views
5
Helpful
4
Replies

Site to Site VPN Troubleshoot

billybong
Level 1
Level 1

‎08-22-2022 05:10 AM

Hi all, I’m hoping someone can point me in the right direction
I have site to site vpn from the US to the UK, but the connection will only become active when it’s pinged from the US side
any ideas
greatly received

Labels:
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎08-22-2022 05:13 AM - edited ‎08-22-2022 05:14 AM

@billybong It sounds like you have a policy based VPN (crypto map), so there could be several reasons. If it is a dynamic crypto map, then only one side can initiate the connection. Or if a static crypto map and one side is set to answer/respond only, then that peer will not attempt to establish a connection.

If you were using VTI then the tunnel would can always be established without having to generate interesting traffic.

Provide more information on your design.

0 Helpful

billybong
Level 1
Level 1

‎08-22-2022 05:26 AM

thanks for the quick reply
it’s a static map, how do i check if one side set incorrectly

MHM Cisco World
VIP
VIP
In response to billybong

‎08-22-2022 05:31 AM

static IPSec then check if one side is responder only. 
responder only meaning it not start IPsec until other end start IPsec tunnel establish. 

0 Helpful

Rob Ingram
VIP
VIP
In response to billybong

‎08-22-2022 05:31 AM

@billybong what device are you using?

On the ASA - crypto map map-name seq-num set connection-type ( answer-only | originate-only | bidirectional )

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/crypto-is-cz-commands.html

 

0 Helpful
Customers Also Viewed These Support Documents