VPN only initiated one way

Answered Question
May 11th, 2007

Does anybody have any ideas why a site-to-site VPN tunnel could only be established one way? I have a pix connecting to a vpn concentrator via IPSEC tunnel using NAT-T. From the concentrator if I initiate traffic to the pix, the tunnel comes up and then I can access resources behind the concentrator from the pix side.

If I try to initiate traffic from the pix side, the tunnel will not come up. Doing a debug on the pix, it doesn't even try to initiate the tunnel.

Here is a snippet from the pix config:

crypto ipsec transform-set TestSet esp-3des esp-sha-hmac
crypto map TestMap 10 ipsec-isakmp
crypto map TestMap 10 match address ACL_VPN
crypto map TestMap 10 set peer
crypto map TestMap 10 set transform-set TestSet
crypto map TestMap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I am just using 10. addresses above for the peer as an example. The ACL_VPN specifies the local/remote subnets correctly. The default route is to the outside interface of the pix.

On the concentrator, I have specified the tunnel is bi-directional.

Anybody any ideas why it will only initiate one way?



Correct Answer by joshua.walton@a... about 10 years 3 months ago

Please post your ACL 'ACL_VPN' and your NAT Exemption ACL.


acomiskey Fri, 05/11/2007 - 05:50

Is there a firewall in front of the concentrator that would be blocking the pix from initiating?

Jon Marshall Fri, 05/11/2007 - 05:53

If the pix is not even trying to initiate the tunnel then it looks like your crypto access-list is not matching any traffic.

Are you NATing the source IPs on the pix and, if so, does your crypto access-list reference the NATed addresses, which it should?
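The accepted answer asks for the crypto ACL and the NAT exemption ACL, and Jon Marshall's reply explains why: on the PIX the crypto map is consulted after NAT, so if inside hosts are PATed to the outside address and there is no nat 0 exemption for the VPN subnets, the crypto ACL never sees a matching packet and ISAKMP is never started from this side (the concentrator can still initiate, because the PIX only has to respond). The following is an added example, written for this page and not code from the thread or from Cisco: it parses a minimal PIX-style config and walks one inside-to-remote packet through NAT exemption, dynamic PAT and the crypto-map check. The inside LAN 192.168.1.0/24, remote LAN 10.2.0.0/24, outside address 203.0.113.1, ACL names and both config fragments are constructed assumptions; only the `permit ip NET MASK NET MASK` ACL form and the `nat (if) 0 access-list NAME` line are parsed.

```python
"""Simulate the PIX outbound order of operations (NAT exemption, then
dynamic PAT, then crypto-map match) to show why a tunnel is never
initiated from the inside when the crypto ACL does not match the
post-NAT source address.

Constructed example: the addresses, ACL names and PAT address are
assumptions, not the original poster's configuration.
"""
import ipaddress
import re

# access-list NAME permit ip SRC SRCMASK DST DSTMASK  (PIX 6.x netmask form;
# the 'host' and 'any' keywords are not handled in this example)
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
# nat (inside) 0 access-list NAME   (NAT exemption)
NAT0_RE = re.compile(r"nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")


def parse_config(config):
    """Return (acls, nonat_acl_name): acls maps an ACL name to a list of
    (src_network, dst_network) pairs; nonat_acl_name is None when the
    config has no 'nat (inside) 0 access-list' line."""
    acls = {}
    nonat = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
            ))
            continue
        m = NAT0_RE.match(line)
        if m:
            nonat = m.group(1)
    return acls, nonat


def acl_permits(entries, src, dst):
    """True if any (src_net, dst_net) entry covers the src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)


def diagnose(config, crypto_acl, pat_address, src, dst):
    """Walk one packet from an inside host through the PIX outbound path.

    Returns (tunnel_initiated, post_nat_src, reason). The crypto map is
    evaluated after NAT, so unless the flow is NAT-exempt the crypto ACL
    sees the PAT address, not the inside address it was written for."""
    acls, nonat = parse_config(config)
    if nonat and acl_permits(acls.get(nonat, []), src, dst):
        post_nat_src = src            # nat 0: inside address preserved
    else:
        post_nat_src = pat_address    # dynamic PAT to the outside address
    if acl_permits(acls.get(crypto_acl, []), post_nat_src, dst):
        return True, post_nat_src, "crypto ACL matched; ISAKMP would be initiated"
    return False, post_nat_src, (
        f"crypto ACL {crypto_acl} has no entry for {post_nat_src} -> {dst}; "
        "the packet is routed out unencrypted and ISAKMP is never started"
    )


# Constructed configs. Inside LAN 192.168.1.0/24 behind the PIX, remote LAN
# 10.2.0.0/24 behind the concentrator, PIX outside address 203.0.113.1.
PIX_OUTSIDE = "203.0.113.1"

# Missing NAT exemption: everything leaving 'inside' is PATed to the
# outside interface before the crypto map is consulted.
BROKEN_CONFIG = """
access-list ACL_VPN permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# NAT exemption ACL mirrors the crypto ACL, so VPN traffic keeps its
# inside source address and the crypto ACL matches it.
FIXED_CONFIG = """
access-list ACL_VPN permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        ok, seen_src, why = diagnose(cfg, "ACL_VPN", PIX_OUTSIDE,
                                     "192.168.1.10", "10.2.0.5")
        print(f"{label}: initiated={ok}, crypto ACL saw src={seen_src}: {why}")
```

Running it shows the symptom from the question: with the broken config the crypto ACL is evaluated against 203.0.113.1 and nothing is initiated, which is exactly what a debug on the PIX shows (no attempt at all, rather than a failed negotiation); with the exemption in place the same packet matches and the tunnel would be brought up from the PIX side. The same model explains why the tunnel works when the concentrator initiates: the PIX only has to match the peer's proposed proxy identities, which the concentrator supplies.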
