Only remote site can bring up IPsec tunnels

Unanswered Question
Feb 16th, 2010

Hello,

We have a VPN from our ASA to a SonicWall in a remote country. The SonicWall is managed by a 3rd party. It seems only the remote site can bring the IPsec tunnels up. I can see the VPN is up but with 0 Tx and 0 Rx; if I ping the remote subnet from the ASA side the transmit goes up, but not the Rx. If they ping our subnet, the subnet seems to spring to life.

Is there a setting they need to look at for initiating the tunnel, or any commands I can run my end to see what is happening?

Federico Coto F... Tue, 02/16/2010 - 06:37

Hi,

There's a setting on the ASA to make the ASA either respond only or initiate only (make sure the ASA is not set to respond only). Respond only means that the tunnel cannot be set up from the ASA side.

Also, make sure it's a Site-to-Site tunnel, because if it's set to Dynamic (because the SonicWall has a dynamic public IP), then the tunnel can be initiated only from the SonicWall side as well.

Federico.

Andy White Tue, 02/16/2010 - 06:46

It is a site-to-site VPN with static public IP addresses.

The only initiator setting I can find is something called monitor keepalives. Any idea what the setting is on the CLI or in the ASDM?

Federico Coto F... Tue, 02/16/2010 - 09:51

FW-ASA(config)# crypto map mymap 10 set connection-type ?

configure mode commands/options:
  answer-only     Answer only
  bidirectional   Bidirectional
  originate-only  Originate only

Federico.

Andy White Wed, 02/17/2010 - 05:35

Hi, seems bidirectional is already set.

What I have noticed is that if the VPN is down and I ping the remote VPN subnet, phase 1 and 2 of the tunnel come up just fine, but I can't ping anything. It is not until the remote office pings back to my subnet that the pinging starts to work. What could this be?
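A quick check for the symptom in this thread (Tx climbing while Rx stays at 0), added here as an example and not taken from the thread: a Python script that parses the ASA's `show crypto ipsec sa` output and flags SAs that only encapsulate and never decapsulate, which points at the return path (remote policy, routing or NAT on the SonicWall side) rather than at tunnel negotiation. The sample output below is constructed in the ASA's format with made-up addresses and counters.

```python
import re

# Constructed sample in the layout of `show crypto ipsec sa` on an ASA.
# SA to 198.51.100.1 shows the thread's symptom: we encrypt, nothing comes back.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: mymap, seq num: 10, local addr: 203.0.113.1

      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: mymap, seq num: 20, local addr: 203.0.113.1

      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""


def parse_ipsec_sa(text):
    """Return one dict per SA with peer, remote subnet and encaps/decaps counters."""
    sas = []
    for block in re.split(r"\n(?=\s*Crypto map tag:)", text):
        peer = re.search(r"current_peer:\s*(\S+)", block)
        remote = re.search(r"remote ident.*?:\s*\((\S+?)/(\S+?)/", block)
        encaps = re.search(r"#pkts encaps:\s*(\d+)", block)
        decaps = re.search(r"#pkts decaps:\s*(\d+)", block)
        if not (peer and encaps and decaps):
            continue  # header text or a fragment without counters
        sas.append({
            "peer": peer.group(1),
            "remote": f"{remote.group(1)}/{remote.group(2)}" if remote else "?",
            "encaps": int(encaps.group(1)),
            "decaps": int(decaps.group(1)),
        })
    return sas


def classify(sa):
    """Verdict from the counters: idle, one-way in either direction, or healthy."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    if sa["decaps"] == 0:
        return "one-way: we encrypt, peer returns nothing"
    if sa["encaps"] == 0:
        return "one-way: peer sends, we send nothing back"
    return "bidirectional"


def find_one_way(text):
    """List (peer, remote subnet, verdict) for every SA that is not bidirectional."""
    return [(sa["peer"], sa["remote"], classify(sa))
            for sa in parse_ipsec_sa(text) if classify(sa) != "bidirectional"]
```

Run it against pasted `show crypto ipsec sa` output after pinging the remote subnet: an SA whose encaps count rises while decaps stays at 0 is the case described in the last post above.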
