site to site VPN tunnel initiating problem

Unanswered Question
Oct 28th, 2008

We are trying to bring up a site-to-site VPN. But the problem is that it only comes up when I initiate a ping from my end.

My firewall is an ASA5540 running software version 7.2(3), while the other one is a Cisco ASA5520 running software version 7.2(4)9. Help, what could be the problem?

Richard Burts Tue, 10/28/2008 - 11:25

Probably the most common reasons why a VPN only initiates from one side are:

- one side has a fixed IP address while the other side has a dynamic IP address.

- there is a mismatch between the sides about what constitutes interesting traffic for the VPN.

Do either of these situations apply to you?
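
As an added example (not code from the thread, and not a Cisco tool): a small Python check for Rick's second bullet, the interesting-traffic mismatch. It parses two ASA 7.x-style crypto ACLs, one per side (here constructed sample data; in practice paste the relevant lines of `show running-config access-list` from each ASA), and lists every permit entry whose exact mirror image is missing on the other side. The ACL name `outside_cryptomap` and the addresses are assumptions for the example.

```python
"""Mirror-symmetry check for two ASA-style crypto (interesting traffic) ACLs.

Added example for this thread; the ACL text below is constructed sample data.
"""

# Constructed sample: site A's crypto ACL (the side that can initiate).
SITE_A_ACL = """
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip host 10.1.5.9 10.2.0.0 255.255.0.0
"""

# Constructed sample: site B's crypto ACL, which is missing the mirror of A's second line.
SITE_B_ACL = """
access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.0.0 host 10.1.5.9
"""


def _take_addr(tokens, i):
    """Consume one address spec (any | host A.B.C.D | NETWORK MASK) at tokens[i].

    Returns ((network, mask), index_of_next_token). 'any' and 'host' are
    normalised to an explicit network/mask pair so entries compare as values.
    """
    tok = tokens[i]
    if tok == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tok == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return a list of (src, dst) pairs, one per 'extended permit ip' ACE.

    Other lines (deny entries, remarks, non-ip protocols, blanks) are ignored.
    """
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        if tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        try:
            src, i = _take_addr(tokens, 5)
            dst, _ = _take_addr(tokens, i)
        except IndexError:  # truncated line, skip rather than guess
            continue
        aces.append((src, dst))
    return aces


def mirror(ace):
    """The ACE the peer must carry for this one: source and destination swapped."""
    src, dst = ace
    return (dst, src)


def check_crypto_acl_symmetry(local_text, remote_text):
    """Return (missing_on_remote, missing_on_local).

    missing_on_remote: mirror images of local ACEs that the remote ACL lacks.
    missing_on_local:  mirror images of remote ACEs that the local ACL lacks.
    Only exact mirrors are recognised; a subnet on one side covered by a larger
    network on the other is reported as a mismatch, which is what you want to
    review by hand anyway.
    """
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [mirror(a) for a in local if mirror(a) not in remote_set]
    missing_on_local = [mirror(b) for b in remote if mirror(b) not in local_set]
    return missing_on_remote, missing_on_local


def format_ace(acl_name, ace):
    """Render an ACE back into ASA 7.x 'access-list NAME extended permit ip' syntax."""
    def addr(a):
        net, mask = a
        if mask == "0.0.0.0":
            return "any"
        if mask == "255.255.255.255":
            return f"host {net}"
        return f"{net} {mask}"
    src, dst = ace
    return f"access-list {acl_name} extended permit ip {addr(src)} {addr(dst)}"


if __name__ == "__main__":
    need_on_b, need_on_a = check_crypto_acl_symmetry(SITE_A_ACL, SITE_B_ACL)
    for ace in need_on_b:
        print("site B lacks:", format_ace("outside_cryptomap", ace))
    for ace in need_on_a:
        print("site A lacks:", format_ace("outside_cryptomap", ace))
```

Run it and any line it prints is a candidate for the "works from one side only" symptom: traffic matching that entry is interesting on one ASA and ordinary routed traffic on the other. The check is deliberately strict (exact mirrors only), so entries that overlap without being identical show up too and should be reviewed rather than dismissed.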



Istvan_Rabai Tue, 10/28/2008 - 14:00

Hi Rick,

As per my experience, if the interesting traffic is not defined symmetrically (mismatch), the IPSec negotiation fails.

So I don't think this is a problem, because the IPSec VPN comes up for him.

The static/dynamic address pair is a much more likely cause, as you mentioned.


I don't quite get whether your problem is that the VPN comes up from one side only, or that it comes up only after pinging?

Did you try to send interesting traffic before trying pings?



Jon Marshall Tue, 10/28/2008 - 14:10

Just to add to the others' good suggestions. One possible reason is that one end of the connection has an access-list applied to the interface where the interesting traffic comes from.

Hence if one side initiates the connection and traffic flows from one side to the other, it works fine, because the return traffic is not subject to the access-list as it is stateful traffic. However, traffic may be stopped from being initiated on the other side because of the access-list.


