I have a Cisco ASA with a remote VPN to a Cisco router.
It seems the tunnel only comes up if I ping the remote router from the inside LAN of the ASA; then both sides can ping each other.
However, if for example the VPN tunnel is down and I ping from the remote network to a server on the inside of the ASA, it won't come up again. I have to reverse this and get a server to ping this remote router; the IKE tunnel comes up and then the IPsec tunnel for that subnet.
First I would like to clarify something. I believe that I understand that when you initiate the VPN session from the ASA you are initiating traffic from a device behind the ASA and going to a device behind the router. Is this correct? I am not clear when you attempt to initiate the VPN session from the router whether you are pinging from a device behind the router or are pinging from the router itself. Can you clarify this?
Also in looking at the configs I do see some questionable things:
- The router has an ISAKMP key statement for 18.104.22.168, but the crypto map peer statement is for 22.214.171.124. What is this inconsistency? Can it be cleaned up?
- The access list for crypto on the ASA is fairly specific: there are 3 source subnets for destination 172.19.15.0. But the access list on the router says source 172.19.15.0 to anything. Can you change the access list on the router so that it is 172.19.15.0 to 192.168.20.0, 192.168.21.0, or 192.168.90.0?
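The two configuration problems raised in this reply (ISAKMP key address versus crypto map peer, and a crypto ACL that is not the mirror image of the other side's) are easy to check mechanically. The script below is an added example, not configuration from either poster: it parses constructed ASA-style and IOS-style crypto ACL lines containing the subnets named in the thread, reports which (source, destination) pairs have no mirror entry on the other side, and flags ISAKMP key addresses that have no matching `set peer`. The ACL names `outside_cryptomap` and `VPN-TRAFFIC`, the crypto map name `VPN`, and the pre-shared key placeholder are assumptions; it only understands `permit ip <net> <mask>` and `any` entries, not `host` or port-qualified ones.

```python
import ipaddress
import re

# Constructed sample lines (not the thread's real configs). The subnets are the
# ones the reply names; the ACL/crypto map names are assumed.
ASA_CRYPTO_ACL = """
access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 172.19.15.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.21.0 255.255.255.0 172.19.15.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.90.0 255.255.255.0 172.19.15.0 255.255.255.0
"""

# Router ACL as described in the reply: 172.19.15.0 to anything.
ROUTER_CRYPTO_ACL_BEFORE = """
ip access-list extended VPN-TRAFFIC
 permit ip 172.19.15.0 0.0.0.255 any
"""

# Router ACL rewritten as the reply suggests: exact mirror of the ASA entries.
ROUTER_CRYPTO_ACL_AFTER = """
ip access-list extended VPN-TRAFFIC
 permit ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 172.19.15.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 172.19.15.0 0.0.0.255 192.168.90.0 0.0.0.255
"""

# Router peer statements with the two addresses the reply points out.
ROUTER_PEER_CFG = """
crypto isakmp key REPLACE_ME_PSK address 18.104.22.168
crypto map VPN 10 ipsec-isakmp
 set peer 22.214.171.124
 match address VPN-TRAFFIC
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# An address operand is either "any" or "<address> <mask>" (netmask on ASA,
# wildcard on IOS; ipaddress accepts both forms).
ADDR = rf"(any|{IPV4}\s+{IPV4})"
PERMIT_RE = re.compile(rf"permit\s+ip\s+{ADDR}\s+{ADDR}\s*$")
KEY_RE = re.compile(rf"^\s*crypto isakmp key\s+\S+\s+address\s+({IPV4})")
PEER_RE = re.compile(rf"^\s*set peer\s+({IPV4})")


def to_network(token: str) -> ipaddress.IPv4Network:
    """Turn 'any' or '<addr> <mask-or-wildcard>' into an IPv4Network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text: str) -> set:
    """Return the set of (source, destination) network pairs an ACL permits."""
    pairs = set()
    for line in text.splitlines():
        m = PERMIT_RE.search(line)
        if m:
            pairs.add((to_network(m.group(1)), to_network(m.group(2))))
    return pairs


def compare_crypto_acls(local_text: str, remote_text: str) -> dict:
    """List entries on each side whose mirror image is missing on the other.

    For a site-to-site tunnel, every (src, dst) on one side should appear as
    (dst, src) on the other; anything left over is a proxy-identity mismatch
    that will keep the IPsec SA from negotiating from that direction.
    """
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return {
        "not_mirrored_on_remote": sorted(fmt(p) for p in local if (p[1], p[0]) not in remote),
        "not_mirrored_on_local": sorted(fmt(p) for p in remote if (p[1], p[0]) not in local),
    }


def peer_mismatch(router_cfg: str) -> set:
    """Addresses that appear as an ISAKMP key peer or a crypto map peer, but not both."""
    key_addrs = {m.group(1) for line in router_cfg.splitlines() if (m := KEY_RE.match(line))}
    peer_addrs = {m.group(1) for line in router_cfg.splitlines() if (m := PEER_RE.match(line))}
    return key_addrs ^ peer_addrs


if __name__ == "__main__":
    print("router ACL as-is:", compare_crypto_acls(ASA_CRYPTO_ACL, ROUTER_CRYPTO_ACL_BEFORE))
    print("router ACL mirrored:", compare_crypto_acls(ASA_CRYPTO_ACL, ROUTER_CRYPTO_ACL_AFTER))
    print("peer addresses without a counterpart:", peer_mismatch(ROUTER_PEER_CFG))
```

With the "before" router ACL, all three ASA entries lack a mirror on the router and the router's `any` entry lacks a mirror on the ASA, which matches the one-directional behaviour the question describes (only the ASA side can propose proxy identities the other side accepts). With the "after" ACL both lists are empty; the peer check still reports both addresses until the ISAKMP key and `set peer` statements agree.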