Site to Site VPN, one-way traffic brings the VPN up but not the other way.

Unanswered Question
Jun 30th, 2008

Hi All,

I have configured the site-to-site VPN between 2 ASA 5520 firewalls, say Site A and Site B. The problem is that:

If Site A initiates the traffic, it brings the VPN up and both sites can communicate with each other. If Site A stops the traffic, then after 5 minutes, if Site B sends the traffic, it is dropped unless Site A sends the traffic. Even one packet from Site A allows Site B to communicate. This is a very strange problem, never encountered before. Your help in this case would be helpful for me.


s.haszard Mon, 06/30/2008 - 20:08

Very new to Cisco but have experienced similar before.

Check your ACL lists. If site A has a subset of site B then it will establish the VPN tunnel only from site A.


Site A network is

Site B network is

(with either an additional network e.g DMZ or just an ACL artifact of

Site A ACL (IPSec rule list) -->

Site B ACL (IPSec rule list) -->>

If your ACLs are like this then site A will establish an IPSEC tunnel, but site B will not.

t4tauseef33 Tue, 07/01/2008 - 03:39


First of all, I have only created a VPN between 2 Windows machines by using a /32 subnet mask. Secondly, both sites are in bidirectional mode.

show crypto ipsec sa gives the following information.

SITE B show command

ping from SITE B to SITE A

#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0

While on SITE A, I have not received any packets:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

This means the VPN comes up, SITE B encrypts the traffic and forwards it to SITE A, but SITE A does not receive it for some reason.

If I try to ping from SITE A to the SITE B machine, then both are able to communicate. If I stop traffic for 5 minutes between these sites, then afterwards SITE B is not able to communicate with SITE A unless Site A sends the traffic.
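An added example in Python, not from the thread or from Cisco, that encodes two of the checks raised above: s.haszard's point that a crypto ACL which is only a subset of the peer's lets just the narrower side bring the tunnel up, and the reading of the show crypto ipsec sa encaps/decaps counters quoted in this post. The networks and ACL entries are constructed for illustration; only the counter values come from the thread.

```python
import ipaddress
import re

# Constructed example, not the thread's configs: each side's crypto ACL as
# (local, remote) network pairs. A site-to-site crypto ACL must mirror the
# peer's exactly: our remote must equal the peer's local, and vice versa.
SITE_A_ACL = [("10.1.1.10/32", "10.2.2.20/32")]
SITE_B_ACL = [("10.2.2.0/24", "10.1.1.10/32")]  # B's local is wider than A's remote

# Counters constructed from the figures quoted in the thread: B encrypts 29
# packets, A decrypts none of them.
SITE_B_SA = "#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29\n#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"
SITE_A_SA = "#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0\n#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def acl_mismatches(a_acl, b_acl):
    """List entries with no exact mirror on the peer. When the peer's entry is a
    subset, the peer can still initiate but this side's wider proposal is rejected."""
    net = ipaddress.ip_network
    a = {(net(l), net(r)) for l, r in a_acl}
    b = {(net(l), net(r)) for l, r in b_acl}
    problems = []
    for side, own, peer in (("A", a, b), ("B", b, a)):
        for loc, rem in own:
            if (rem, loc) in peer:
                continue  # exact mirror exists
            narrower = [p for p in peer if p[0].subnet_of(rem) and p[1].subnet_of(loc)]
            why = "peer entry is a subset" if narrower else "no mirror entry on peer"
            problems.append(f"site {side}: {loc} -> {rem}: {why}")
    return sorted(problems)


def sa_direction(show_sa_text):
    """Classify one side's 'show crypto ipsec sa' counters."""
    counts = {k: int(v) for k, v in COUNTER_RE.findall(show_sa_text)}
    enc, dec = counts.get("encaps", 0), counts.get("decaps", 0)
    if enc and not dec:
        return "sending only"  # encrypting locally, nothing decrypted from the peer
    if dec and not enc:
        return "receiving only"
    return "bidirectional" if enc else "idle"


def diagnose(initiator_sa, responder_sa):
    """Read both sides together, as the thread does."""
    i, r = sa_direction(initiator_sa), sa_direction(responder_sa)
    if i == "sending only" and r == "idle":
        return "encrypted at initiator, never decrypted at peer: check peer crypto ACL and nat 0"
    return "tunnel healthy" if i == r == "bidirectional" else f"initiator {i}, responder {r}"
```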

singhsaju Thu, 07/10/2008 - 09:17


Do you have more than one VPN tunnel at Site B? Can you please post configs as requested earlier?


jpoplawski Thu, 07/10/2008 - 11:28

Check nat0 ACL and Crypto ACL. Post the config if possible, if you need further help.