site to site VPN tunnel initiating problem

wwanjohi123 · ‎10-28-2008

We are trying to bring up a site to site VPN. But the problem is that it only comes up when i initiate a ping from my end.

My firewall is ASA5540 Software Version is 7.2(3) while the other one is running Cisco ASA5520, software version is 7.2(4)9. Help could be the problem.

Richard Burts · ‎10-28-2008

Winnie

Probably the most common reasons why a VPN only initiates from one side are:

- one side has a fixed IP address while the other side has a dynamic IP address.

- there is a mismatch between the sides about what constitutes interesting traffic for the VPN.

Do either of these situations apply to you?

HTH

Rick

HTH

Rick

Istvan_Rabai · ‎10-28-2008

Hi Rick,

As per my experience, if the interesting traffic is not defined symmetrical (mismatch), the IPSec negotiation fails.

So I don't think this is a problem, because the IPSec VPN comes up for him.

The static/dynamic address pair is a much more likely cause as you mentioned it.

Winnie,

I don't quite get if your problem is that the VPN comes up from one side only, or the problem is that it comes up only after pinging?

Did you try to send interesting traffic before tryings pings?

Thanks:

Istvan

Jon Marshall · ‎10-28-2008

Just to add to the others good suggestions. One possible reason is that one end of the connection has an access-list applied to the interface where the interesting traffic comes from.

Hence if one side initiates the connection and traffic flows from one side to other it works fine because the return traffic is not subject to the access-list as it is stateful traffic. However traffic may be stopped from being initiated on the other side because of the access-list.

Jon