VPN won't initiate from one side.

Answered Question
Jan 21st, 2008

Hi all,

I have a bit of a perplexing issue setting up a site-to-site VPN. The tunnel comes up fine from the other end, but won't initiate from traffic on this end. I have an ASA 5510 running 7.0(4), and the other side is a Cisco router running IOS 12.2(18) on what appears to be a 6509. The hosts on both sides are using public addressing. If I run a trace from this end, it just passes by the ASA and heads out to the internet as if there were no tunnel at all. If the other side pings, the tunnel comes up fine and then the ASA sends the traffic through the tunnel.

Any help would be appreciated.

Scott

ajagadee Mon, 01/21/2008 - 14:48

How is the ASA configured for IPsec tunnels to the 6500? Is it a static-to-static IPsec tunnel, or is the ASA configured to accept dynamic connections?

If the ASA is configured for a dynamic-to-static configuration, then only the 6500 can initiate the connection. Please refer to the URL below for details on how the connection gets initiated. Even though the URL below is for a PIX, you can apply the same concept to the ASA as well.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

If you can post your configuration and provide some details, we should be able to point you in the right direction.

Regards,

Arul

** Please rate if it helps **

svanguilder Mon, 01/21/2008 - 15:06

This is static to static. There are dynamic group connections for our remote clients, but there are also several other site to site statics that are working.

Maybe this will shed some light on the situation.

I just tried taking the port restriction off the tunnel and letting all IP traffic pass, and the tunnel came up fine. I didn't notice this before because all the other tunnels were with branch offices of ours and we didn't do any restrictions.

Correct Answer
ajagadee Mon, 01/21/2008 - 16:03

Thanks for the update! If this is static to static, then the tunnel should come up fine when initiated by either side.

Now, you mentioned that when you removed the port restriction on the IPsec ACLs everything worked fine. So the obvious question is, what is configured on the remote side? Is it configured for ALL ports or specific ports? If it is all ports, then you need to configure your side to match. If not, I have seen behavior like this where IPsec SAs are created only when initiated from the remote side, where you have a "PERMIT IP" and the responder side is configured with specific ports.

Can you let us know what IPsec ACLs are configured on the router?

Regards,

Arul

** Please rate if it helps **

svanguilder Tue, 01/22/2008 - 04:45

I did some experimenting and found that applying the ACL in both directions was causing the problem. I had created a service group to cover several protocols and applied it to both directions. When I applied it to only the destination instead of both source and destination, it worked fine. I didn't think that would be an issue, since the source would send on the same ports. Go figure.
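
The two findings in this thread (Arul's point that the crypto ACLs on both peers must describe the same flows, and Scott's finding that restricting the port on both source and destination stops the ASA from ever initiating) come down to how an interesting-traffic ACL is evaluated against a packet. The simulation below is an added example, not configuration from the original post: the addresses (192.0.2.0/24 and 198.51.100.0/24), the port (443) and the ASA/IOS ACL lines in the comments are assumptions chosen to illustrate the behaviour, and the `Ace`/`Packet` helpers are invented for the example.

```python
"""Simulate crypto (interesting-traffic) ACL matching for an IPsec tunnel.

Shows why an ACE that restricts BOTH the source and destination port never
matches client-originated traffic (ephemeral source port), so the local peer
never sees 'interesting' traffic and never initiates, and what the mirrored
ACE on the remote peer has to look like. Added example; addresses and ports
are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Ace:
    """One permit entry of a crypto ACL. None for a port set means 'any port'."""
    proto: str                           # "ip", "tcp" or "udp"
    src: str                             # CIDR, e.g. "192.0.2.0/24"
    src_ports: Optional[FrozenSet[int]]  # None = any source port
    dst: str
    dst_ports: Optional[FrozenSet[int]]  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Evaluate one ACE against one packet: protocol, both networks, both ports."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(ace.dst):
        return False
    if ace.src_ports is not None and pkt.src_port not in ace.src_ports:
        return False
    if ace.dst_ports is not None and pkt.dst_port not in ace.dst_ports:
        return False
    return True


def is_interesting(acl: List[Ace], pkt: Packet) -> bool:
    """True if any permit ACE selects the packet for the tunnel (deny entries not modelled)."""
    return any(ace_matches(ace, pkt) for ace in acl)


def mirror(ace: Ace) -> Ace:
    """The ACE the peer must carry: source and destination (and their ports) swapped."""
    return Ace(ace.proto, ace.dst, ace.dst_ports, ace.src, ace.src_ports)


def is_mirror_image(local: List[Ace], remote: List[Ace]) -> bool:
    """Both crypto ACLs describe exactly the same flows, seen from opposite ends."""
    return {mirror(ace) for ace in local} == set(remote)


HTTPS = frozenset({443})
LOCAL, REMOTE = "192.0.2.0/24", "198.51.100.0/24"   # constructed TEST-NET ranges

# Port restricted on BOTH ends of the flow (assumed ASA syntax):
#   access-list VPN extended permit tcp 192.0.2.0 255.255.255.0 eq 443 198.51.100.0 255.255.255.0 eq 443
BROKEN_ACL = [Ace("tcp", LOCAL, HTTPS, REMOTE, HTTPS)]

# Port restricted on the destination only (assumed ASA syntax):
#   access-list VPN extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 443
FIXED_ACL = [Ace("tcp", LOCAL, None, REMOTE, HTTPS)]

# What the remote IOS router must carry to mirror FIXED_ACL (assumed IOS syntax):
#   access-list 101 permit tcp 198.51.100.0 0.0.0.255 eq 443 192.0.2.0 0.0.0.255
REMOTE_ACL = [Ace("tcp", REMOTE, HTTPS, LOCAL, None)]

# Constructed packets: a client SYN leaving the ASA side, and the server's reply
# as seen by the remote router. The client uses an ephemeral source port.
CLIENT_SYN = Packet("tcp", "192.0.2.10", 51514, "198.51.100.20", 443)
SERVER_REPLY = Packet("tcp", "198.51.100.20", 443, "192.0.2.10", 51514)


def demo() -> dict:
    return {
        "broken_acl_initiates": is_interesting(BROKEN_ACL, CLIENT_SYN),  # False: 51514 != 443
        "fixed_acl_initiates": is_interesting(FIXED_ACL, CLIENT_SYN),    # True
        "remote_matches_reply": is_interesting(REMOTE_ACL, SERVER_REPLY),  # True
        "acls_are_mirrors": is_mirror_image(FIXED_ACL, REMOTE_ACL),      # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same thing happens with an `object-group service` applied to both the source and destination position of the ACE: a client never sources a connection from the service port, so no outbound packet matches and the ASA has nothing to trigger IKE with. The `is_mirror_image` check is the test to run against the remote router's crypto ACL once it is known.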

hmanegold Thu, 03/06/2008 - 09:54

I am having this same problem. Can someone help? I see the answer and am trying to fix this, but nothing appears to be wrong.

svanguilder Thu, 03/06/2008 - 11:02

My rule was applied to the origination and destination using the same port. I changed it to only the destination port and it worked.
