Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
528
Views
0
Helpful
4
Replies

Remote VPN sites routing to each other through central office

alatechpro
Level 1
Level 1

‎04-20-2010 02:24 PM

I have an odd issue here that I'm not sure what would be causing it.

We have a main office with a VPN 3005 concentrator, and multiple construction sites connected to it with VPN 3002 HW clients or ASA 5505s.

Home office (PVT): 10.0.x.x

Remote Site 1: 192.168.11.x

Remote Site 2: 192.168.12.x

For some reason Site 1 cannot ping Site 2 the first time, unless you initiate a ping from Site 2 at the same time.

Once you run the ping command from both HW clients at these locations, they respond fine until the power is cycled.  The routes seem to be fine, but I'm not sure what would cause it to timeout unless a ping is initiated from both ends?

Further documentation can be provided if requested. I just wanted to see if it was something simple I was overlooking.

Example:

192.168.11.x pings 192.168.12.x - Timeout

Site 1 and Site 2 ping each other at the same time - Reply

After success - Site 1 can ping Site 2 without Site 2 client initiating ping command

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎04-20-2010 02:33 PM

Since both site 1 and site 2 are both hardware client, they would need to initiate the VPN tunnel towards the main office first before they can communicate with each other.

It could be a possibility that both sites have not built the VPN tunnel towards the main office, therefore, when you try to ping from site 1 to site 2, that invoke the VPN tunnel from site 1 towards the main office. At this time, ping fails. However, when you try to ping from site 2 to site 1, that invoke the VPN tunnel from site 2 towards the main office. Now both site 1 and 2 have established the VPN towards the main office, hence they can communicate with each other.

0 Helpful

alatechpro
Level 1
Level 1
In response to Jennifer Halim

‎04-20-2010 02:48 PM

No, I don't think that is it because the VPN light is green the whole time, and devices at the home office are always accessible to each remote site (therefore the tunnel is up).

Also, pinging the first time will only work if you initiate it from both devices at the same time. I know SITE 1 and SITE 2 have the tunnel up, because I connect to them from the home office with their private IPs that are only accessible through the tunnel. To get it to work, I have both VPN HW Clients logged in through the web admin interface and initiate the pings commands from both clients at roughly the same time. It doesn't have to be EXACT, just as long as one of the devices was still sending ICMP to the other.

0 Helpful

droeun141
Level 1
Level 1
In response to alatechpro

‎04-21-2010 05:09 AM

You have site 1 remote subnet allowed in site 2 crytpo ACL on central site? (and vice versa)

0 Helpful

alatechpro
Level 1
Level 1
In response to droeun141

‎04-21-2010 01:57 PM

I don't think there is place on the concentrator for that...FYI: it doesn't use the CISCO IOS, nor do the VPN 3002 HW

clients. That makes it a pain when looking at the config!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents