03-06-2017 10:38 PM
I have a site to site VPN tunnel to customer.
We are using cisco 7206 and customer side ASA is installed.
Tunnel is up and working fine , it will only be coming up when customer initiate the traffic their side we are not able to do.
Customer requires that is has to done from our side only.
We don't have any such policy or restriction at our side that remote will be the imitator.
How we can make it possible that tunnel will come up when we will initiate the traffic from our side .
Please suggest if this can be done or only they can do it as they are using ASA at this will work as more trusted device that can initiate the traffic.
Regards
Rajat
03-07-2017 03:44 AM
What does your side config look like? Ideally for a static site to site tunnel both sides should be able to initiate tunnels and send encrypted traffic after that.
03-07-2017 07:03 PM
Hi Rahul ,
Thanks for your reply
As I have mentioned that is a site to site crypto VPN.
We have a static route for remote source IP towards our next hop ( i.e. to our service provider)
When they telnet from their side tunnel went up and they can communicate but when we initiate traffic tunnel is not coming up.
03-07-2017 10:48 PM
01. try to initiate the traffic from your side & to check # show crypto isakmp sa
02. either as do debug the command at ASA #debug crypto ikev1/ikev2 127
share the logs.
04-05-2017 08:14 AM
Thanks to everybody for the valuable inputs.
Issue is resolved now , I have advised to customer to allow the UDP packets on ASA and now the tunnel can be established from both sides.
03-09-2017 07:00 AM
I was referring to a "static" site to site vpn tunnel where both sides have static ip addresses and remote peer is manually set. If this is the case, both sides should be able to initiate traffic.
Attach the sanitized config if you have it with you.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide