one side initiation - VPN Tunnel

Unanswered Question
Jan 25th, 2010

Dear All,

I am facing an issue continuously when configuring a VPN connection with any client. What is happening is that the tunnel is a one-sided initiation, meaning that I have to send some packets from my side so the other side will be able to connect to my servers. Otherwise my client will keep trying to hit my servers, but he will only be transmitting bytes and receiving nothing from my side.

It happens with certain connections, not all.

I am using a Cisco ASA 5540.

I have checked everything: keepalive, SA lifetime, and other things, without any success.

Awaiting your feedback.

pompeychimes Thu, 01/28/2010 - 10:02

This type of problem is typically caused by routing and/or NAT issues. First, ensure your encryption domain definitions (ACLs) match. Second, unless the client uses its VPN device as its DFG, have them make sure they have routes in place for your address space. Finally, have the client make sure they are NATing correctly.


a7mad_cisco Thu, 01/28/2010 - 14:25

Hey there...

First of all, thanks for the response; it really expands my troubleshooting process...

Regarding the NATting... both sides are using public IPs, so I don't think NAT is used on either side.

In ASA, do I have to configure the ACL in both directions... or is one way enough?

I will definitely have the client check the routes at their side...

Thanks again...

pompeychimes Fri, 01/29/2010 - 01:52

Your ACL should look something like this...

ip access-list ENCRYPT_THIS
  permit ip your network his network

The client's ACL should look like this...

ip access-list ENCRYPT_THIS
  permit ip his network your network

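As an added illustration of the "encryption domains must match" point (this is example code written for this page, not part of the thread or anyone's posted configuration): a small Python check that parses two ASA-style crypto ACLs and reports entries that have no mirror image on the other side. The ACL name, the ASA `access-list ... extended permit ip` syntax and all addresses are constructed for the example; it also handles the case where one side's entry is narrower than the peer's, which is a common reason a tunnel only negotiates when one particular side initiates.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (ASA "access-list NAME extended permit ip SRC MASK DST MASK"
# syntax). The networks are documentation ranges made up for this example.
YOUR_SIDE = """
access-list ENCRYPT_THIS extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list ENCRYPT_THIS extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.128
"""
PEER_SIDE = """
access-list ENCRYPT_THIS extended permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list ENCRYPT_THIS extended permit ip 203.0.113.0 255.255.255.0 192.0.2.0 255.255.255.0
"""

ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_crypto_acl(text):
    """Return a set of (src_network, dst_network) pairs from the permit-ip ACEs."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank lines, remarks, or lines we do not model
        src, smask, dst, dmask = m.groups()
        pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                   ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs


def mirror_mismatches(local_acl, peer_acl):
    """Find ACEs whose mirror image (src and dst swapped) is missing on the other side.

    A local ACE (A -> B) needs a peer ACE (B -> A) with exactly the same networks.
    Each unmatched entry is a proxy-ID mismatch; such tunnels often only come up
    when the side whose definition 'fits' the other's happens to initiate.
    Returns (local entries with no peer mirror, peer entries with no local mirror).
    """
    local = parse_crypto_acl(local_acl)
    peer_mirrored = {(dst, src) for (src, dst) in parse_crypto_acl(peer_acl)}
    missing_on_peer = sorted(local - peer_mirrored, key=str)
    missing_on_local = sorted(peer_mirrored - local, key=str)
    return missing_on_peer, missing_on_local


if __name__ == "__main__":
    for label, entries in zip(("no mirror on peer", "no mirror locally"),
                              mirror_mismatches(YOUR_SIDE, PEER_SIDE)):
        for src, dst in entries:
            print(f"{label}: {src} -> {dst}")
```

In the sample data the 198.51.100.0/24 entry is mirrored correctly, while the 203.0.113.0 entry is a /25 on one side and a /24 on the other, so both halves of that pair are reported.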

pudawat Thu, 01/28/2010 - 16:24

Hi Ahmed,

Is this firewall in a production network? Check whether NAT-T is enabled on the firewall.

Try adding the command "crypto isakmp nat-t 20" on both ends and revert.



a7mad_cisco Sun, 02/14/2010 - 20:46

Hey guys...

I have checked all your suggestions; nothing seems to work...

I think it might be a problem of integrating different platforms, because the other side is using another VPN device (Check Point).

Thanks all for your help...

