vpn initialization from one endpoint only

Unanswered Question
Feb 20th, 2009

We have a site to site vpn established, however to initiate the tunnel the remote endpoint has to ping our local endpoint for the tunnel to negotiate. However, I can not initiate the tunnel if it drops by pinging the remote end from the local end. Any suggestions? Would be much easier after a drop if I could re-initiate the tunnel here localy


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ivan Martinon Fri, 02/20/2009 - 12:07

Is this tunnel created with cisco devices? Can you post configs of both sides?

Richard Burts Fri, 02/20/2009 - 13:16


There are several things that I can think of that might result in the tunnel initiating from one end but not from the other. Do any of these apply to your situation:

- does your device have a dynamic crypto map entry? This allows connection from a peer whose address is learned dynamically (DHCP). And an implication of this is that the tunnel can only be initiated by the dynamic peer.

- does your peer VPN translate traffic so that their inside addresses are translated using the outside interface address? Depending on how the translation is configured it may only build a translation when they send traffic. If you try to initiate the tunnel there is no translation for the traffic.

- is it possible that there is a mismatch in the access lists which identify traffic for the VPN. Is it possible that their ping to you matches the access list but that your ping to them does not match your access list?



cisco24x7 Fri, 02/20/2009 - 18:12

"vpn initialization from one endpoint only"

This is a well KNOWN issue if you have

site-2-site VPN between Cisco and other

VPN vendors such as Checkpoint and/or

Juniper devices. The issue has to do with

encryption domain mis-match.

Checkpoint likes to "supernet" all the

network together and it is the default

setting where as Cisco does not do that.

The problem you described sound very

much like an encryption mis-match.


This Discussion