Only remote site can bring up IPsec tunnels

Unanswered Question
Feb 16th, 2010
We have a VPN from our ASA to a SonicWall in a remote country.  The SonicWall is managed by a 3rd party.  It seems only the remote site can bring the IPsec tunnels up.  I can see the VPN is up but with 0 Tx and 0 Rx; if I ping the remote subnet from the ASA side the transmit count goes up, but not the Rx.  If they ping our subnet, the subnet seems to spring to life.

Is there a setting they need to look at for initiating the tunnel, or any commands I can run on my end to see what is happening?

Federico Coto F... Tue, 02/16/2010 - 06:37


There's a setting on the ASA to make the ASA either respond only or initiate only (make sure the ASA is not set to respond only). Respond only means that the tunnel cannot be set up from the ASA side.

Also, make sure it's a Site-to-Site tunnel, because if it's set to Dynamic (because the SonicWall has a dynamic public IP), then the tunnel can only be initiated from the SonicWall side as well.


Andy White Tue, 02/16/2010 - 06:46
It is a site-to-site VPN with static public IP addresses.

The only initiator setting I can find is something called monitor keepalives; any idea what the setting is on the CLI or in the ASDM?

Federico Coto F... Tue, 02/16/2010 - 09:51

FW-ASA(config)# crypto map mymap 10 set connection-type ?

configure mode commands/options:
  answer-only     Answer only
  bidirectional   Bidirectional
  originate-only  Originate only


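Added example (not part of the original thread or either poster's configuration): how the connection-type setting from the reply above sits in a crypto map entry, and which ASA show/debug commands reveal whether traffic is actually being encrypted and decrypted on each side. The crypto map name "mymap", sequence number 10, the peer address 203.0.113.10 and the interface name "outside" are assumptions for illustration; the other ASA commands are standard ones.

```text
! Crypto map entry for the site-to-site peer (names and addresses assumed).
! connection-type must be bidirectional (the default) for the ASA to be able
! to originate the tunnel; answer-only would reproduce "only the remote side
! can bring it up".
crypto map mymap 10 match address ACL-TO-REMOTE
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 10 set transform-set ESP-AES-SHA
crypto map mymap 10 set connection-type bidirectional
crypto map mymap interface outside

! Verify what is configured for that entry:
show running-config crypto map | include connection-type

! Phase 1: the ISAKMP SA should show state MM_ACTIVE once negotiated.
show crypto isakmp sa

! Phase 2: per-SA counters. After pinging the remote subnet from the ASA side,
! "#pkts encaps" should rise; if "#pkts decaps" stays at 0 the peer is not
! sending anything back (or it is being dropped before decryption).
show crypto ipsec sa peer 203.0.113.10

! If the SA never forms, watch the negotiation while generating interesting
! traffic (ping from an inside host, or from the ASA with an inside source).
debug crypto isakmp 7
debug crypto ipsec 7
! ... reproduce, then:
undebug all
```

Note that phase 1 and phase 2 both completing while "#pkts decaps" remains 0 means the negotiation itself is fine and the problem is on the return path; the debug output above will not show that, so the same counters should be compared on the SonicWall side.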
Andy White Wed, 02/17/2010 - 05:35
Hi, seems bidirectional is already set.

What I have noticed is that if the VPN is down and I ping the remote VPN subnet, phase 1 and 2 of the tunnel come up just fine, but I can't ping anything.  It is not until the remote office pings back to my subnet that the pinging starts to work; what could this be?
