5505 vpnclient

I have a few people who we distributed ASA 5505s to and configured vpnclient on them that connect to another ASA at the main site. The setup works fine; all their connectivity seems to work when they initiate it. However, after a while, if we need to connect to the user's machine over the VPN tunnel, sometimes some subnets won't be able to connect out to them unless the user first initiates a connection (like a ping) from their home machine to ours, or we restart the VPN session. We can connect from other subnets that the client talks to more often (like from the subnet the DNS server is on). Is there any solution to this? Here is the vpnclient config:

vpnclient server *****

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup **** password *****

vpnclient username **** password *****

vpnclient enable


Jennifer Halim Thu, 04/29/2010 - 14:31

Unfortunately that is the downside of easy vpn as the first connection needs to be initiated from the client's end first before head end can access the client's side.

To be able to initiate traffic from either end of the VPN, you would need to configure static site-to-site vpn tunnel.

Jennifer Halim Fri, 04/30/2010 - 07:08

It is easy vpn, so the connection will always need to be initiated from the client side. The hub side can't initiate the connection towards the remote/client side.

When it says, "The ASA 5505 configured for NEM mode supports automatic tunnel initiation", that means the ASA 5505 client side can automatically initiate the tunnel without manual tunnel initiation from the ASA end. But it does not mean that the hub can initiate a tunnel towards the ASA 5505 client end.

mile.ljepojevic Fri, 04/30/2010 - 10:37

If you want to use easyVPN but have the tunnel always up, you can use IP SLA on the client ASA, and that way periodically initiate the tunnel. It's not the best solution, but it will work.
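
A sketch of the IP SLA approach suggested above, added here as an example and not taken from any poster's configuration in this thread. The monitor ID 10, the target 192.0.2.10 (standing in for a host on one head-end subnet) and the interface name inside are assumptions, as is the use of `management-access inside` so that the probe is sourced from the inside address and falls within the network-extension-mode tunnel.

```cisco
! Constructed example for the client-side ASA 5505.
! Placeholders: monitor ID 10, target 192.0.2.10 (a host on a head-end subnet).
! Assumption: probes must be sourced from the inside interface so they
! match the network the Easy VPN tunnel protects.
management-access inside
!
sla monitor 10
 ! ICMP echo toward the head-end host, sent every 60 seconds
 type echo protocol ipIcmpEcho 192.0.2.10 interface inside
 frequency 60
! Start the probe now and keep it running indefinitely
sla monitor schedule 10 life forever start-time now
```

Because the thread reports the problem subnet by subnet, each head-end subnet that must reach the client may need its own monitor. `show sla monitor operational-state` shows whether the probes are succeeding.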
