Can only start SA between two spokes from one of the spokes

Unanswered Question
May 16th, 2010

I have an ASA as a hub for multiple VPN connections.  In this case I have users coming into either IPSEC or SSL VPN's terminating on this ASA.  They are able to reach anything except for one site.  This site (other spoke) is configured on the ASA for dynamic IPSEC VPN.  This remote site is an 1800 router on a DSL line.

If I ping from the VPN clients to the remote site internal network I get no response and the IPSEC SA does not start up for that subnet to subnet.  If I ping from the remote site to an internal location it works fine and the IPSEC SA is up and active for that traffic.  If I ping from the remote site to a VPN user it takes a second but then brings up the correct IPSEC SA for that traffic as well.  Once that's active I can ping from the VPN client to the remote site.

What's going on here that I can't establish that IPSEC SA from the VPN clients and yet once the SA is active it works fine?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Sun, 05/16/2010 - 14:58

Hi,

If the SAs for the dynamic site are up, you should be able to send traffic from the VPN clients.

I'm not sure if this is the problem, but could be that when the VPN client is sending traffic to the remote dynamic site, there's no SA up for that traffic.

When you need to create an SA against a dynamic site, the SA needs to be established from the dynamic site (not the other way around).

Check the following:

When sending traffic from the VPN clients to the remote site, do you have an IPsec SA for the IPs between the VPN clients and the remote site?

Otherwise, when you initiate traffic from the remote site, and now you can send traffic from the VPN client, do you see now an SA between the remote site and the VPN client IP?

Federico.

sbrooke Mon, 05/17/2010 - 06:08

Federico, thanks!  I'm guessing you got it right.  I'm trying to have the SA start when traffic comes from the VPN client side, not the Dynamic remote side.  Guess that won't work.  Ok, thanks for the help!

Actions

This Discussion

Related Content