VPN Initialization issue

Unanswered Question
May 22nd, 2008

Hi guys,

I've got a bit of an issue with a customer's VPN which I'm hoping to resolve. The customer is creating a VPN with its service provider using the following configuration (guidelines were given by the provider):


crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxxxxx address
crypto isakmp invalid-spi-recovery

crypto ipsec transform-set encrypt esp-aes 256 esp-sha-hmac

crypto map vpn 1 ipsec-isakmp
 set peer
 set security-association lifetime seconds 86400
 set transform-set encrypt
 set pfs group5
 match address 101

access-list 101 permit ip


This is the configuration used on the customer's side (876). The other side of the VPN terminates on the ISP's 7600 series router which of course we don't have access to.

Both sides obviously have static ip addresses so the VPN tunnel can be initialized by either side.

The problem encountered is that the tunnel only partially comes up when the VPN is initiated from the service provider's side:

show crypto session

Interface: Dialer0
Session status: UP-IDLE
Peer: port 500
  IKE SA: local remote Active
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map

If the customer sends a packet from his network to the service provider, thus initiating the VPN tunnel from his side, the VPN comes up without any problem!

show crypto session

Interface: Dialer0
Session status: UP-ACTIVE
Peer: port 500
  IKE SA: local remote Active
  IPSEC FLOW: permit ip
        Active SAs: 2, origin: crypto map

I'd like any suggestions which can help me troubleshoot the above and figure out why the VPN comes up properly only when my customer's LAN network sends a packet to the remote side.

Any input is much appreciated.
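The difference between the two captures above is the whole diagnosis: in the first, an IKE SA exists but "Active SAs: 0" means no IPsec SA was ever negotiated for the flow (phase 1 completed, phase 2 did not), while the second has two IPsec SAs (one per direction). The following parser is an added example, not part of the original post or Cisco's tooling; it reads "show crypto session" output and classifies each peer session the way a responder would when triaging a batch of such captures. The two sample captures and their addresses are constructed (RFC 5737 placeholders), since the page elides them.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed captures modelled on the two "show crypto session" outputs in the
# question; peer and local addresses are RFC 5737 placeholders (the page elides them).
SAMPLE_IDLE = """\
Interface: Dialer0
Session status: UP-IDLE
Peer: 198.51.100.1 port 500
  IKE SA: local 203.0.113.5/500 remote 198.51.100.1/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

SAMPLE_ACTIVE = """\
Interface: Dialer0
Session status: UP-ACTIVE
Peer: 198.51.100.1 port 500
  IKE SA: local 203.0.113.5/500 remote 198.51.100.1/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""


@dataclass
class CryptoSession:
    interface: str
    status: str
    peer: str
    ike_active: int                      # number of IKE SA lines marked Active
    flows: List[str] = field(default_factory=list)
    active_ipsec_sas: int = 0            # sum of "Active SAs: N" over all flows

    @property
    def diagnosis(self) -> str:
        """Separate 'phase 1 only' from 'fully up' and 'down'."""
        if self.ike_active == 0:
            return "DOWN: no active IKE SA, phase 1 never completed"
        if self.active_ipsec_sas == 0:
            return "PHASE1-ONLY: IKE SA up but no IPsec SAs for the listed flow(s)"
        return "UP: IKE SA and IPsec SAs present"


def parse_crypto_session(text: str) -> List[CryptoSession]:
    """Split the output into per-interface blocks and extract the session facts."""
    sessions: List[CryptoSession] = []
    for block in re.split(r"(?m)^Interface: ", text):
        if not block.strip():
            continue
        interface = block.splitlines()[0].strip()
        status = re.search(r"Session status: (\S+)", block)
        # The peer address may be absent (as in the page's capture); port is always present.
        peer = re.search(r"Peer:\s*(?:(\S+)\s+)?port\s+(\d+)", block)
        ike = [ln for ln in block.splitlines()
               if "IKE SA:" in ln and ln.rstrip().endswith("Active")]
        flows = re.findall(r"IPSEC FLOW: (.+)", block)
        sas = sum(int(n) for n in re.findall(r"Active SAs: (\d+)", block))
        sessions.append(CryptoSession(
            interface=interface,
            status=status.group(1) if status else "UNKNOWN",
            peer=(peer.group(1) or "?") if peer else "?",
            ike_active=len(ike),
            flows=[f.strip() for f in flows],
            active_ipsec_sas=sas,
        ))
    return sessions


if __name__ == "__main__":
    for sample in (SAMPLE_IDLE, SAMPLE_ACTIVE):
        for s in parse_crypto_session(sample):
            print(f"{s.interface} peer={s.peer} status={s.status} -> {s.diagnosis}")
```

A PHASE1-ONLY result for a provider-initiated session, alongside UP for a customer-initiated one, narrows the search to phase 2: the proxy identities (crypto ACLs), PFS group or transform set offered by the provider's initiator do not match what the customer's crypto map entry accepts, while the customer's proposal is accepted by the provider.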


Richard Burts Thu, 05/22/2008 - 10:17


The symptoms seem to suggest that the traffic from the provider did not get to you, or more specifically that the traffic originated from the provider did not cause negotiation of IPSec SAs with you.

My first question would be to try to verify that the first show crypto session was done in a time frame shortly after the provider had done something to initiate traffic to you. If it was, do you know what kind of traffic they used to attempt initiation of the tunnels?

Assuming that there was a valid attempt to send valid traffic to you, I would think that the symptoms might indicate that there is something wrong with their crypto map entry for your customer and that there might be a wildcard entry/dynamic map which is being used when you initiate traffic. Unfortunately only the provider is in a position to know for sure if this is true.



nitinaga Sat, 05/24/2008 - 12:48

Hi Chris,

To add, please check that the interesting traffic definition and the phase 1 and phase 2 lifetimes match at both ends.
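The check suggested here, and the suspicion above that the provider's crypto map entry for this customer does not line up, can be made mechanical when both sides' crypto configuration is available. The script below is an added example (not from the thread, and not Cisco tooling): it parses the crypto-relevant lines of two IOS-style configs and reports phase 1 policy overlap, transform-set and PFS agreement, lifetime differences, and whether every crypto ACL entry has its mirror image on the other side. Both configs are constructed, with RFC 5737/1918 placeholder addresses because the page elides them, and the provider side deliberately carries an extra subnet and a shorter lifetime so that the output shows both finding types.

```python
from typing import Dict, List, Tuple

# Constructed configs for the two peers, modelled on the question's crypto map.
SIDE_A = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set encrypt esp-aes 256 esp-sha-hmac
crypto map vpn 1 ipsec-isakmp
 set peer 198.51.100.1
 set security-association lifetime seconds 86400
 set transform-set encrypt
 set pfs group5
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

SIDE_B = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set ts-cust esp-aes 256 esp-sha-hmac
crypto map outside 20 ipsec-isakmp
 set peer 203.0.113.5
 set security-association lifetime seconds 3600
 set transform-set ts-cust
 set pfs group5
 match address 120
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# IOS defaults for ISAKMP policy attributes a policy may leave implicit.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

Flow = Tuple[Tuple[str, str], Tuple[str, str]]  # ((src, wildcard), (dst, wildcard))


def parse(cfg: str) -> Dict:
    """Minimal parser for the crypto-relevant lines of an IOS config."""
    out: Dict = {"isakmp": [], "tsets": {}, "map": {}, "acl": {}}
    section = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        toks = line.split()
        if line.startswith("crypto isakmp policy"):
            out["isakmp"].append(dict(ISAKMP_DEFAULTS))
            section = "isakmp"
        elif line.startswith("crypto ipsec transform-set"):
            out["tsets"][toks[3]] = tuple(toks[4:])
            section = None
        elif line.startswith("crypto map"):
            section = "map"
        elif line.startswith("access-list"):
            # access-list <n> permit ip <src> <wild> <dst> <wild>
            out["acl"].setdefault(toks[1], []).append(((toks[4], toks[5]), (toks[6], toks[7])))
            section = None
        elif section == "isakmp":
            out["isakmp"][-1][toks[0]] = " ".join(toks[1:])
        elif section == "map":
            if toks[:2] == ["set", "transform-set"]:
                out["map"]["tset"] = toks[2]
            elif toks[:2] == ["set", "pfs"]:
                out["map"]["pfs"] = toks[2]
            elif toks[:2] == ["set", "security-association"]:
                out["map"]["lifetime"] = int(toks[-1])
            elif toks[:2] == ["match", "address"]:
                out["map"]["acl"] = toks[2]
    return out


def mirror(flow: Flow) -> Flow:
    """The entry the other side must carry for this flow: source and destination swapped."""
    return (flow[1], flow[0])


def compare(cfg_a: str, cfg_b: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the two sides agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings: List[Tuple[str, str]] = []
    keys = ("encr", "hash", "authentication", "group")
    pa = {tuple(p[k] for k in keys) for p in a["isakmp"]}
    pb = {tuple(p[k] for k in keys) for p in b["isakmp"]}
    if not pa & pb:
        findings.append(("ERROR", "phase 1: no ISAKMP policy is common to both sides"))
    ts_a = a["tsets"].get(a["map"].get("tset"))
    ts_b = b["tsets"].get(b["map"].get("tset"))
    if ts_a != ts_b:
        findings.append(("ERROR", f"phase 2: transform-set mismatch {ts_a} vs {ts_b}"))
    if a["map"].get("pfs") != b["map"].get("pfs"):
        findings.append(("ERROR", f"phase 2: PFS mismatch {a['map'].get('pfs')} vs {b['map'].get('pfs')}"))
    la, lb = a["map"].get("lifetime"), b["map"].get("lifetime")
    if la != lb:
        # Not fatal on IOS, which settles on the shorter value, but worth surfacing.
        findings.append(("WARN", f"phase 2: SA lifetime differs ({la}s vs {lb}s); the shorter one is used"))
    acl_a = set(a["acl"].get(a["map"].get("acl"), []))
    acl_b = set(b["acl"].get(b["map"].get("acl"), []))
    for flow in sorted(acl_a):
        if mirror(flow) not in acl_b:
            findings.append(("ERROR", f"interesting traffic: side A flow {flow} has no mirror on side B"))
    for flow in sorted(acl_b):
        if mirror(flow) not in acl_a:
            findings.append(("ERROR", f"interesting traffic: side B flow {flow} has no mirror on side A"))
    return findings


if __name__ == "__main__":
    for sev, msg in compare(SIDE_A, SIDE_B):
        print(sev, msg)
```

In the constructed pair, phase 1, the transform set and PFS all agree, the lifetime difference is only a warning, and the one real finding is the provider's second subnet with no mirror on the customer side: a phase 2 proposal originating from that subnet is rejected by the customer's crypto map (IKE SA up, no IPsec SA), while customer-originated traffic between the mirrored subnets negotiates normally. That is one shape a one-directional failure like the one in the question can take; confirming it still requires the provider's side of the configuration.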

